Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
544
Views
0
Helpful
3
Replies

CSM RST issues after SYN packet

roberta979
Level 1
Level 1

‎02-07-2008 03:02 AM

Environment:

A couple of CSMs in a campus manage costumer's WAP browsing service. A VIP virtualizes WAP1 and WAP2 service on different tcp, udp port and CSM balances it to WAP gateway proxies.

WAP gateway's proxies initiate new connection to internet passing through CSM.

HTTP sessions are intercepted and balanced to transparent proxies to provide enrichment.

NAT is implemented for all traffic that goes out to CSM.

Other flows are managed by this CSM but they aren't involved in the reset issues.

Behavior:

Costumer sets up connection with his WAP gateway. WAP gateway initiates connection to internet properly and flow is properly balanced to transparent proxies.

Transparent proxy also initiates new connection to internet.

Sometime CSM sends RST to transparent proxies and they send to all other elements a 502 bad gateway error.

RST packet is sent in two different cases.

1. RST after a few SYN packets, 30 second between first and last SYN.

2. RST immediately after the first SYN packet from transparent proxies.

My ideas:

I putted a test WEB server on the Client VLAN of CSM to leave out other network elements or internet problems

The second issue probably is a sell-out of some resources. Looking “LB Rjct: no cl NAT port” counter on CSM's tech-support it increases. Probably one IP of NAT isn't enough anymore.

No ideas for the first issue.

Do you have any idea?

Thanks in advance.

Roberta

Labels:
0 Helpful
3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

‎02-07-2008 04:45 AM

when you say, RST after a few SYN, does it mean the 3-way handshake never completes ?

So, the server never responds with a SYN/ACK ??

30 sec is the pending timeout on the CSM.

That's the time we allow the tcp 3-way handshake to complete.

You can increase this timeout with the command 'pending ' under the vserver.

You can verify if this is a pending timeout issue w/ the command :

sho mod csm 3 tech proc 1 | i Pending

Gilles.

0 Helpful

roberta979
Level 1
Level 1
In response to Gilles Dufour

‎02-07-2008 08:16 AM

Hi Gilles,

yes, it does. SYN/ACK never arrives by server.

I'll do it asap.

What about second issue? Do you think my idea is correct?

Thanks

Roberta

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to roberta979

‎02-08-2008 12:51 AM

your idea for the 2nd problem looks good to me.

Gilles.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents