Asynchronous TCP flow through CSM from dual homed server

rob.bettinson
Level 1

We have a situation where dual homed servers behind a CSM are accessed via both interfaces.

A diagram is attached in ASCII.

The default route on the Servers is 172.16.16.254, a VRRP address on the CSM.

- Client 10.1.1.1 can successfully connect to VIP services on the CSM which load balance to the Servers.

- Client 10.1.1.1 can successfully connect to 172.16.16.21 & 22 using ssh.

- However, the Client 10.1.1.1 cannot connect to the management IP 192.168.32.21 & 22 using ssh.

I believe this is due to the fact that the Servers route the return traffic to the default gateway of the CSM. The CSM has not seen the TCP SYN packet and so cannot reconcile it to an existing flow, therefore rejects it in the belief it is a DOS attack.

I base this on the document http://www.cisco.com/en/US/products/hw/modules/ps2706/products_white_paper09186a0080160311.shtml

section Connection Processing - "TCP state machine and denial of service detection"

& section Forwarding Processing - "Classify packets".

The questions I have are:

1) Has anyone else come across a similar scenario?

2) Can anyone confirm or correct my understanding of why the connectivity is failing?

3) Is there a way of changing the CSM behaviour to enable this connectivity?

Thanks,

Rob

Accepted Solution

Gilles Dufour
Cisco Employee

Rob,

try to set the following var in CSM config

ROUTE_UNKNOWN_FLOW_PKTS 2

Info at http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00803e008d.html

Let me know if this works.

Gilles.


rob.bettinson
Level 1

Here is the attachment!!!

diro
Level 1

1) no

2) yes

3) use the MSFC as DG on servers; now the problem is that the load balancing does not work anymore (CSM does not see the return traffic); this can then be solved by source NAT

Thanks, I thought that may be the case.

The one-arm-bandit approach is not feasible in this situation as we need the real IP of the clients, so NAT is not feasible.

I recall the CSS has similar DOS detection facilities that were not configurable when I came across them a few years ago. I suspect I may be in a similar boat, but am hoping someone has an idea...

The only option I have so far is to NAT the source of the management traffic through the MSFC but security aren't happy with this for audit purposes.

Thanks,

Rob

Hi Rob,

Is there a chance to manage them from a subnet that doesn't need access to the load balanced application and add a static route to that subnet on the servers?

Ivo

Hi Ivo,

That is one avenue I am pursuing :)

Typically a minority of people require this level of connectivity and I am looking for ways to address this through process...

Rob

you could also create a vip per server with each one real (the server)

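As an added illustration (not config from the original thread), this is how the variable from the accepted answer is applied and checked on the Catalyst 6500 CLI. It assumes the CSM sits in slot 4 and that the `variable` and `show module csm <slot> variable` commands from the CSM configuration guide apply to the software version in use; the slot number is a placeholder.

```text
! Enter the CSM module context (slot 4 is an assumed placeholder)
Router# configure terminal
Router(config)# module csm 4
! Let packets that match no known flow be routed rather than dropped.
! In this thread that is the server-to-client half of an SSH session
! whose SYN reached the management interface without passing the CSM,
! so the CSM's TCP-state/DoS check would otherwise discard the replies.
Router(config-module-csm)# variable ROUTE_UNKNOWN_FLOW_PKTS 2
Router(config-module-csm)# end
! Confirm the value took effect (and, with redundancy, that the peer
! picked it up via config-sync)
Router# show module csm 4 variable
```

Because this relaxes the check for every flow the CSM has not seen, confirm the management path is otherwise filtered (MSFC ACLs or upstream firewall) rather than relying on the CSM to reject stray traffic.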

Fantastic, this connectivity is now working!

That is just the kind of detailed config I needed. I hadn't found this document in my searches.

I have noted that these variables are included in the config-sync which is good.

Thanks Gilles!
