CSS ACK client's SYN when L4 LB?

a12288
Level 3

If I configure the CSS to do L4 LB (say, tcp-22 for SSH) and NAT as well, does the CSS ACK the client's SYN, or does it just forward the client's SYN to the server? And does the CSS change sequence numbers? Thanks a lot.

5 Replies

Diego Vargas
Cisco Employee

If the CSS is doing layer 4, it should not be spoofing, so it will pretty much look at the SYN, decide based on the packet data which server should handle the request, and pass the SYN to the server.

It will then wait for the server's SYN/ACK and pass it to the client.

The sequence number will remain the same when doing layer 4 LB.

Thanks. That's what I thought. Somehow, all of our servers (web, smtp) which are not load-balanced are having outstanding SYN_RECV connections (netstat -na | grep SYN_RECV), but the load-balanced servers (web, imap) do not show those SYN_RECV connections, which makes me wonder whether the CSS is doing something. All of the servers, including the CSS, are behind an FWSM, and we have configured the embryonic limit to 1 to turn on TCP Intercept, but so far we have not seen any hits on TCP Intercept. Any thoughts?

If the servers that are not load-balanced do not show too many SYN-RECV connections, I would say this is a good thing.

Why do you suspect the CSS?

I would say capture a sniffer trace on the servers showing the SYN_RECV and try to match a SYN-RECV status to what you see in the trace.

You will then understand what is going on.

One more thing: if this was the opposite - load-balanced servers show a lot of SYN_RECV - that could be CSS probes.

But you would see the src ip address being the CSS?

Gilles.
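To follow Gilles' suggestion of matching SYN_RECV entries against a trace, here is an added Python helper (not code from the thread or from Cisco) that parses `netstat -na` output and summarises half-open connections per local port and per remote address, so the hosts and ports to look for in the sniffer trace are obvious. The sample netstat lines are constructed, the line regex assumes Linux-style `netstat` columns, and the `threshold` parameter is an assumed per-port alerting level, not the FWSM embryonic limit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -na` output (Linux column layout); not from the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40122      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.7:40123      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.9:51000      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:33000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.6:33001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.6:33002       ESTABLISHED
"""

# Assumed column layout: proto recv-q send-q local:port foreign:port state.
# The greedy \S+ before the last colon also copes with IPv6 addresses (tcp6 lines).
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)$")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, state) for every TCP socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(5)


def half_open_summary(text):
    """Count SYN_RECV (half-open) sockets per local port and per remote IP.

    Returns (per_port, per_remote): {port: count} and {port: {remote_ip: count}}.
    Remote addresses with many half-open entries are the ones to search for
    in the packet trace, to see whether their handshakes ever complete.
    """
    per_port = Counter()
    per_remote = defaultdict(Counter)
    for _local_ip, local_port, remote_ip, state in parse_netstat(text):
        if state == "SYN_RECV":
            per_port[local_port] += 1
            per_remote[local_port][remote_ip] += 1
    return dict(per_port), {p: dict(c) for p, c in per_remote.items()}


def ports_over_threshold(text, threshold):
    """Return local ports whose half-open count exceeds the (assumed) threshold."""
    per_port, _ = half_open_summary(text)
    return sorted(p for p, n in per_port.items() if n > threshold)
```

Run it against real output with `half_open_summary(subprocess.check_output(["netstat", "-na"], text=True))`, then look up the reported remote addresses in the capture.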

Of course I don't suspect the CSS; I just wonder whether the CSS would do something more to protect the backend servers, and you guys just confirmed that L4 would not do delayed binding.

So if the NetPros have not seen a similar scenario here, I would say our non-load-balanced server is the target.

Ok, the CSS does do something to protect the servers.

There is the DoS feature.

If the TCP handshake does not complete in 16 sec, the connection is reset.

You can do a 'show dos' to see if the CSS had to clean up connections.

Gilles.
