New Member

CSM RST issues after SYN packet

Environment:

A couple of CSMs in a campus manage the customer's WAP browsing service. A VIP virtualizes the WAP1 and WAP2 services on different TCP and UDP ports, and the CSM balances them to WAP gateway proxies.

The WAP gateway's proxies initiate new connections to the internet passing through the CSM.

HTTP sessions are intercepted and balanced to transparent proxies to provide enrichment.

NAT is implemented for all traffic that goes out to CSM.

Other flows are managed by this CSM but they aren't involved in the reset issues.

Behavior:

The customer sets up a connection with his WAP gateway. The WAP gateway initiates a connection to the internet properly and the flow is properly balanced to the transparent proxies.

The transparent proxy also initiates a new connection to the internet.

Sometimes the CSM sends a RST to the transparent proxies and they send a 502 bad gateway error to all other elements.

The RST packet is sent in two different cases.

1. RST after a few SYN packets, 30 seconds between first and last SYN.

2. RST immediately after the first SYN packet from transparent proxies.

My ideas:

I put a test WEB server on the Client VLAN of the CSM to leave out other network elements or internet problems.

The second issue is probably a sell-out of some resources. Looking at the “LB Rjct: no cl NAT port” counter in the CSM's tech-support, it increases. Probably one NAT IP isn't enough anymore.

No ideas for the first issue.

Do you have any idea?

Thanks in advance.

Roberta

3 REPLIES
Cisco Employee

Re: CSM RST issues after SYN packet

When you say RST after a few SYN, does it mean the 3-way handshake never completes?

So, the server never responds with a SYN/ACK?

30 sec is the pending timeout on the CSM.

That's the time we allow the tcp 3-way handshake to complete.

You can increase this timeout with the command 'pending ' under the vserver.

You can verify if this is a pending timeout issue with the command:

sho mod csm 3 tech proc 1 | i Pending

Gilles.

New Member

Re: CSM RST issues after SYN packet

Hi Gilles,

Yes, it does. The SYN/ACK never arrives from the server.

I'll do it asap.

What about the second issue? Do you think my idea is correct?

Thanks

Roberta

Cisco Employee

Re: CSM RST issues after SYN packet

Your idea for the 2nd problem looks good to me.

Gilles.
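
An added example, not part of any post in this thread: a small Python triage script that sorts flows from a capture taken on a transparent proxy into the two reset cases discussed above. The trace format, the addresses, the label names and the one-second tolerance are assumptions made for the example; only the 30-second pending timeout comes from the thread.

```python
from collections import defaultdict

PENDING_TIMEOUT = 30.0  # seconds: the CSM pending timeout quoted in the thread
TOLERANCE = 1.0         # assumption: slack for "immediately" and for "about 30 s"

# Constructed trace as seen on a transparent proxy: "<time_s> <src> <dst> <flags>".
SAMPLE = """\
0.000 192.0.2.10:40001 198.51.100.5:80 SYN
3.000 192.0.2.10:40001 198.51.100.5:80 SYN
9.000 192.0.2.10:40001 198.51.100.5:80 SYN
21.000 192.0.2.10:40001 198.51.100.5:80 SYN
30.010 198.51.100.5:80 192.0.2.10:40001 RST
40.000 192.0.2.10:40002 198.51.100.5:80 SYN
40.002 198.51.100.5:80 192.0.2.10:40002 RST
50.000 192.0.2.10:40003 198.51.100.5:80 SYN
50.020 198.51.100.5:80 192.0.2.10:40003 SYN/ACK
50.021 192.0.2.10:40003 198.51.100.5:80 ACK
"""

def classify_resets(trace):
    """Map each initiating endpoint to the reset case its flow matches."""
    flows = defaultdict(list)  # (client, server) -> [(time, flags, from_client)]
    for line in trace.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        # Whoever sends the first packet of a flow is treated as the client.
        key = (dst, src) if (dst, src) in flows else (src, dst)
        flows[key].append((float(ts), flags, key[0] == src))
    labels = {}
    for (client, _server), pkts in flows.items():
        syns = [t for t, f, from_client in pkts if f == "SYN" and from_client]
        rsts = [t for t, f, from_client in pkts if f == "RST" and not from_client]
        if any(f == "SYN/ACK" for _, f, _ in pkts):
            labels[client] = "handshake-ok"
        elif not syns or not rsts:
            labels[client] = "other"
        elif len(syns) == 1 and rsts[0] - syns[0] <= TOLERANCE:
            # Case 2: the thread's hypothesis is client NAT port exhaustion.
            labels[client] = "immediate-reset"
        elif rsts[0] - syns[0] >= PENDING_TIMEOUT - TOLERANCE:
            # Case 1: SYN retransmissions unanswered until the pending timeout.
            labels[client] = "pending-timeout"
        else:
            labels[client] = "other"
    return labels

if __name__ == "__main__":
    for endpoint, label in classify_resets(SAMPLE).items():
        print(endpoint, label)
```

A rising share of "immediate-reset" flows is worth comparing against the “LB Rjct: no cl NAT port” counter, while "pending-timeout" flows point at a server that never answers the SYN.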
