
New Member

Asynchronous TCP flow through CSM from dual homed server

We have a situation where dual homed servers behind a CSM are accessed via both interfaces.

A diagram is attached in ASCII.

The default route on the Servers is 172.16.16.254, a VRRP address on the CSM.

- Client 10.1.1.1 can successfully connect to VIP services on the CSM which load balance to the Servers.

- Client 10.1.1.1 can successfully connect to 172.16.16.21 & 22 using ssh.

- However, the Client 10.1.1.1 cannot connect to the management IP 192.168.32.21 & 22 using ssh.

I believe this is due to the fact that the Servers route the return traffic to the default gateway of the CSM. The CSM has not seen the TCP SYN packet and so cannot reconcile it to an existing flow, therefore rejects it in the belief it is a DOS attack.

I base this on the document http://www.cisco.com/en/US/products/hw/modules/ps2706/products_white_paper09186a0080160311.shtml

section Connection Processing - "TCP state machine and denial of service detection"

& section Forwarding Processing - "Classify packets".

The questions I have are:

1) Has anyone else come across a similar scenario?

2) Can anyone confirm or correct my understanding of why the connectivity is failing?

3) Is there a way of changing the CSM behaviour to enable this connectivity?

Thanks,

Rob

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Asynchronous TCP flow through CSM from dual homed server

Rob,

try to set the following var in CSM config

ROUTE_UNKNOWN_FLOW_PKTS 2

Info at http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00803e008d.html

Let me know if this works.

Gilles.
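The failure Rob describes and the effect of the variable, as an added model that is not part of this thread or of Cisco's code: a flow table that creates entries only on a SYN and drops non-SYN packets that match no flow. The class and function names are mine, and the meaning given to value 2 (route unknown non-SYN packets) is an assumption based on the accepted reply; the actual CSM behaviour is documented in the configuration guide linked above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFlowTable:
    """Toy model (not Cisco code) of a CSM-style flow table: a TCP flow is only
    created by a SYN, and every later packet must match an existing entry."""

    def __init__(self, route_unknown_flow_pkts: int = 0):
        # Assumed meaning: 0 drops unknown non-SYN packets, 2 routes them.
        # Value 1 is not discussed in the thread and is not modelled here.
        self.route_unknown_flow_pkts = route_unknown_flow_pkts
        self.flows = set()

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Direction-agnostic key so both halves of a conversation hit one entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        if p.syn and not p.ack:
            self.flows.add(key)          # SYN seen: the flow is now known
            return "forwarded"
        if key in self.flows:
            return "forwarded"           # matches a known flow
        if self.route_unknown_flow_pkts == 2:
            return "routed"              # unknown non-SYN packet is routed anyway
        return "dropped"                 # unknown non-SYN packet treated as a DoS suspect


def ssh_session(server_ip: str, syn_via_csm: bool, route_unknown_flow_pkts: int = 0) -> str:
    """Client 10.1.1.1 opens SSH to server_ip. The SYN crosses the CSM only when
    syn_via_csm is True (the load-balanced interface); the SYN-ACK always returns
    via the servers' default gateway 172.16.16.254 on the CSM. Returns the fate
    of the SYN-ACK as seen by the CSM."""
    csm = StatefulFlowTable(route_unknown_flow_pkts)
    syn = Packet("10.1.1.1", server_ip, 40000, 22, syn=True)
    if syn_via_csm:
        csm.handle(syn)
    syn_ack = Packet(server_ip, "10.1.1.1", 22, 40000, syn=True, ack=True)
    return csm.handle(syn_ack)
```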

8 REPLIES
New Member

Re: Asynchronous TCP flow through CSM from dual homed server

Here is the attachment!!!

Bronze

Re: Asynchronous TCP flow through CSM from dual homed server

1) no

2) yes

3) use the MSFC as DG on the servers; now the problem is that the load balancing does not work anymore (the CSM does not see the return traffic). This can then be solved by source NAT.

New Member

Re: Asynchronous TCP flow through CSM from dual homed server

Thanks, I thought that may be the case.

The one-arm-bandit approach is not feasible in this situation as we need the real IP of the clients, so NAT is not feasible.

I recall the CSS has similar DOS detection facilities that were not configurable when I came across them a few years ago. I suspect I may be in a similar boat, but am hoping someone has an idea...

The only option I have so far is to NAT the source of the management traffic through the MSFC but security aren't happy with this for audit purposes.

Thanks,

Rob

New Member

Re: Asynchronous TCP flow through CSM from dual homed server

Hi Rob,

Is there a chance to manage them from a subnet that doesn't need access to the load balanced application, and add a static route to that subnet on the servers?

Ivo

New Member

Re: Asynchronous TCP flow through CSM from dual homed server

Hi Ivo,

That is one avenue I am pursuing :)

Typically a minority of people require this level of connectivity and I am looking for ways to address this through process...

Rob

Bronze

Re: Asynchronous TCP flow through CSM from dual homed server

You could also create a VIP per server, each with one real (the server).

New Member

Re: Asynchronous TCP flow through CSM from dual homed server

Fantastic, this connectivity is now working!

That is just the kind of detailed config I needed. I hadn't found this document in my searches.

I have noted that these variables are included in the config-sync which is good.

Thanks Gilles!
