
New Member

CSS ACK client's SYN when L4 LB?

If I configure the CSS to do L4 LB (say, tcp-22 for SSH) and NAT as well, does the CSS ACK the client's SYN, or just forward the client's SYN to the server? And does the CSS change sequence numbers? Thanks a lot.

5 REPLIES
Cisco Employee

Re: CSS ACK client's SYN when L4 LB?

If the CSS is doing layer 4, it should not be spoofing, so it will pretty much look at the SYN and, based on the packet data, decide which server should handle the request and pass the SYN to the server.

It will then wait for the server's SYN/ACK and pass it to the client.

The sequence number will remain the same when doing layer 4 LB.

New Member

Re: CSS ACK client's SYN when L4 LB?

Thanks. That's what I thought. Somehow, all of our servers (web, smtp) which are not load-balanced are having outstanding SYN_RECV connections (netstat -na | grep SYN_RECV), but the load-balanced servers (web, imap) do not show those SYN_RECV connections. It makes me wonder whether the CSS is doing something. All of the servers, including the CSS, are behind an FWSM, and we have configured the embryonic limit to 1 to turn on TCP Intercept, but so far have not seen any hits on TCP Intercept. Any thoughts?

Cisco Employee

Re: CSS ACK client's SYN when L4 LB?

If the servers that are not load-balanced do not show too many SYN-RECV connections, I would say this is a good thing.

Why do you suspect the CSS?

I would say capture a sniffer trace on the servers showing the SYN_RECV and try to match a SYN-RECV status to what you see in the trace.

You will then understand what is going on.

One more thing: if this were the opposite (load-balanced servers showing a lot of SYN_RECV), that could be CSS probes.

But you would see the src IP address being the CSS?

Gilles.

New Member

Re: CSS ACK client's SYN when L4 LB?

Of course I do not suspect the CSS; I just wondered if the CSS would do something more to protect the backend servers, and you guys just confirmed that L4 would not do delay bind.

So if the NetPros have not seen a similar scenario here, I would say our non-load-balanced server is the target.

Cisco Employee

Re: CSS ACK client's SYN when L4 LB?

OK, the CSS does do something to protect the servers.

There is the DoS feature.

If the TCP handshake does not complete in 16 sec, the connection is reset.

You can do a 'show dos' to see if the CSS had to clean up connections.

Gilles.
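The sniffer-trace matching suggested above and the 16-second handshake limit in this last reply, as an added Python example that is neither from the thread nor from Cisco: it replays a list of packet records and reports the client/server pairs whose handshake is still incomplete after the timeout, then groups them by source address and target port the way a defender would when checking whether one host is the target of half-open connections. The `Packet` record, the addresses and the packet list are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet record: capture timestamp (s), 4-tuple and TCP flags
# ("S" = SYN, "SA" = SYN/ACK, "A" = ACK). Not a real pcap parser.
Packet = namedtuple("Packet", "ts src sport dst dport flags")

# The handshake limit quoted in the thread (assumption: used here as the
# reporting threshold, the way the CSS dos feature resets stale handshakes).
HANDSHAKE_TIMEOUT_S = 16

def track_handshakes(packets, now):
    """Replay packets and return half-open flows older than the timeout.

    Flows are keyed from the client side: (client_ip, client_port,
    server_ip, server_port). A flow is "syn" after the client SYN,
    "synack" after the server reply, and dropped once the client's
    final ACK completes the handshake (it would be ESTABLISHED, not
    SYN_RECV, in netstat on the server).
    """
    state = {}
    for p in packets:
        if p.flags == "S":
            state[(p.src, p.sport, p.dst, p.dport)] = ("syn", p.ts)
        elif p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)  # reply: swap ends
            if key in state:
                state[key] = ("synack", state[key][1])
        elif p.flags == "A":
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key, (None,))[0] == "synack":
                del state[key]  # handshake complete
    return sorted(k for k, (_, t0) in state.items()
                  if now - t0 > HANDSHAKE_TIMEOUT_S)

def summarize_by_source(stale):
    """Count stale half-open flows per (client_ip, server_port)."""
    counts = {}
    for client_ip, _, _, dport in stale:
        counts[(client_ip, dport)] = counts.get((client_ip, dport), 0) + 1
    return counts

# Constructed trace: one completed handshake, three stale half-open
# flows from a single source to port 25, and one fresh handshake.
SAMPLE = [
    Packet(0.0, "198.51.100.5", 40000, "192.0.2.10", 80, "S"),
    Packet(0.1, "192.0.2.10", 80, "198.51.100.5", 40000, "SA"),
    Packet(0.2, "198.51.100.5", 40000, "192.0.2.10", 80, "A"),
    Packet(1.0, "203.0.113.7", 1025, "192.0.2.20", 25, "S"),
    Packet(1.1, "192.0.2.20", 25, "203.0.113.7", 1025, "SA"),
    Packet(2.0, "203.0.113.7", 1026, "192.0.2.20", 25, "S"),
    Packet(2.1, "192.0.2.20", 25, "203.0.113.7", 1026, "SA"),
    Packet(3.0, "203.0.113.7", 1027, "192.0.2.20", 25, "S"),
    Packet(25.0, "198.51.100.9", 50000, "192.0.2.20", 25, "S"),
    Packet(25.1, "192.0.2.20", 25, "198.51.100.9", 50000, "SA"),
]
```

Run against a real capture, the stale list should line up one-to-one with the SYN_RECV rows from netstat on the same server; an entry that is in the list but has no netstat counterpart points at a device in the path completing or resetting the handshake.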
