Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Does CSS send resets to client and server to clear flow timeouts?

I am trying to understand in more detail what occurs when a CSS times out a flow. Looking at sniffer traces on both sides of the CSS (running release 8.2) it appears the CSS does not of itself initiate any FIN or reset of both sides of the connection when a timeout occurs; I do see a TCP reset sent to the client side from the CSS if the client attempts to send more data via a flow that has timed out; however I never see any sort of clearing or reset on the backend to the server to clear the connection from the CSS to the server.

This is becoming an issue for us as we are troubleshooting a new app which appears to run for long periods of time without any traffic or keepalives. We can address this by upping the flow timeout, but if this timeout is bypassed and the FCBs recovered, we need to know if the CSS can also be configured to close the connections it is proxying, or if this will remain open even though the flow is inactive.

Please let me know if this is referenced in detail in the CSS doc; I have not found it anywhere yet.

Thanks for your help!

3 REPLIES

Re: Does CSS send resets to client and server to clear flow time

CSS sets two unidirectional flows (one for each direction) for a TCP connection.

These flows are stored in FCB.If a flow is idle for idle timeout and CSS didnt see a RST/FIN for that flow the CSS moves this flow information from FCB to "free flow list"

Free flow entries are only reclaimed if needed by CSS. When CSS reclaims this entry from "free flow list" and a new packet arrives for the same flow then it sends a RST to the source of the packet.

Also CSS does not sent a RST when a flow has been cleaned-up via garbage collection.

Syed Iftekhar Ahmed

New Member

Re: Does CSS send resets to client and server to clear flow time

So the CSS does not also send a RST on the server side at the same time? This would explain all the half-open connections we see from the CSS to the backend servers.

Anyone have any feedback on why this is not done? This seems like a design shortcoming to us since the client has no way to terminate the backend connection without assistance from the CSS proxying the backend connection. Perhaps it cannot also send the backend RST since the FCB has already been reclaimed.

Is there any way to configure the CSS so that both sides of the connection are terminated when the flow is timed out?

Re: Does CSS send resets to client and server to clear flow time

Server side flows will also timed out when flows are needed by CSS. In your situation I see 3 possible options

1. Increase flow timeout using "flow-timeout-multiplier number"

or

2. Use "flow permanent port1 "

It will prevent cleanup of the idle flows for specified port and will make these flows permanent. This can severly affect the scalibility as you may run out of available flows on the box. In order to reclaim these flows you can either manually (doing "no flow permanent port1" and then "flow permanent port1 " every night may be) remove these idle flows or can write a script to do that for you on CSS.

or

3. Add HeartBeat functionality in the application.

HTH

Syed Iftekhar Ahmed

273
Views
5
Helpful
3
Replies
CreatePlease to create content