Cisco Support Community
New Member

CSS and TCP Handshake question

If I load balance a pair of SMTP servers through any of the CSS devices, does the CSS pass on the handshake prior to the arrival of SMTP data?

I have a situation with a pair of SMTP servers which are having thousands of TCP sessions opened, from thousands of different IP addresses. No data is ever sent. Instead, the client sends a FIN, and then stops responding, leaving the SMTP servers with piles of sessions stuck in CLOSE_WAIT.

I'm wondering if putting a CSS in between would prevent the sessions from being opened on my SMTP server; the CSS switches can close and clean up dead flows much more effectively than my mail server.

Would the handshake from the CSS to the server be initiated before SMTP data arrives? And if so, would the handshake be *closed* properly, even if the CSS never receives the final ACK from the client?

The two Cisco reps I've spoken to so far can't get their heads around the question - I've been told that IPS has all the SMTP protection I'll need, or to use SMTP Fixup (which is already in place). They don't seem to grasp that it's a direct TCP abuse - and for IPS, how do you find a negative "this client will not ACK properly after this handshake is finished, so block him?"

Thanks for your help.

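Added example (not from the thread or from any Cisco product): a small Python check for the server-side symptom described in the question. It parses constructed `netstat -tan` output, reports CLOSE_WAIT sessions on port 25 grouped by peer address, and flags the many-sessions-from-many-peers pattern; the sample lines and the thresholds are assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed sample of `netstat -tan` output, not taken from the thread.
# Five half-closed sessions to port 25 from four different peers, plus one
# healthy ESTABLISHED session and one unrelated CLOSE_WAIT on port 443.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:25             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:25             198.51.100.7:40001      CLOSE_WAIT
tcp        0      0 10.0.0.5:25             198.51.100.8:40002      CLOSE_WAIT
tcp        0      0 10.0.0.5:25             198.51.100.9:40003      CLOSE_WAIT
tcp        0      0 10.0.0.5:25             198.51.100.9:40004      CLOSE_WAIT
tcp        0      0 10.0.0.5:25             192.0.2.77:33333        CLOSE_WAIT
tcp        1      0 10.0.0.5:443            192.0.2.200:55555       CLOSE_WAIT
"""

Conn = namedtuple("Conn", "local_ip local_port peer_ip peer_port state")
_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Parse `netstat -tan` style lines into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            lip, lport, pip, pport, state = m.groups()
            conns.append(Conn(lip, int(lport), pip, int(pport), state))
    return conns

def close_wait_by_peer(conns, local_port=25):
    """Count CLOSE_WAIT sessions on local_port, keyed by peer IP."""
    return Counter(c.peer_ip for c in conns
                   if c.local_port == local_port and c.state == "CLOSE_WAIT")

def looks_distributed(conns, local_port=25, min_total=4, min_distinct=3):
    """True when many half-closed sessions come from many distinct peers,
    the pattern described in the question (thresholds are assumptions)."""
    per_peer = close_wait_by_peer(conns, local_port)
    return sum(per_peer.values()) >= min_total and len(per_peer) >= min_distinct

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for peer, n in close_wait_by_peer(conns).most_common():
        print(f"{peer:16} {n} CLOSE_WAIT session(s) on port 25")
    print("distributed half-close pattern:", looks_distributed(conns))
```

CLOSE_WAIT means the peer's FIN has arrived and the local application has not yet closed the socket, so this count also measures how promptly the mail server itself reaps half-closed sessions. Run it against live `netstat -tan` output by replacing the constructed sample.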
3 REPLIES
Cisco Employee

Re: CSS and TCP Handshake question

In order for the CSS to terminate the TCP connection, you need to create an L5/L7 rule, and this is only possible for a few protocols like FTP, HTTP, SSL, and SIP.

But SMTP is not part of the list.

A firewall should most probably be able to do this.

Gilles.

New Member

Re: CSS and TCP Handshake question

Hm. There are PIX firewalls in place, and I know how to do fixup, but I'm unaware of how to make them terminate the TCP connection and *validate* it first. IPS doesn't seem to support this either. And CSS isn't the answer either.

*sigh*

I've seen a lot of verbiage about this problem on the net; I'm a bit surprised no one has a readily identifiable method to help.

Cisco Employee

Re: CSS and TCP Handshake question

Ask your question on the security forum.

If this is a common problem, you should get a response.

Gilles.

175 Views | 0 Helpful | 3 Replies