Resetting ports/connections on a CSS 11501

rschroeppel
Level 1

Hi,

Our CSS is load-balancing LDAP servers. The LDAP requests come from a system protected by a firewall. Unfortunately, the system doing the requests opens a connection and keeps it permanently open. The firewall disconnects the client system after a timeout period. The client realizes the disconnection, but the CSS is still listening for LDAP requests from that client. I know I can set the flow-timeout multiplier, but I'm not sure if this is enough. The global flow-state table command, where I can set the specific TCP port (LDAP), is not available for the CSS 11501; at least my CSS does not know the command.

My question: Is it enough to apply the flow-timeout multiplier command to the corresponding content rule, or do I have to set the TCP port as well? If so, where and how? A 'sho flow-timeout configured' returns:

User Configured Values for Content Rule Flow Timeout

Port Content Rule Timeout

0 LDAP-QUERY 4

As seen, no port is listed.

Any help is appreciated

Reiner

3 Replies

Gilles Dufour
Cisco Employee

The flow-timeout-multiplier does not require any additional configuration.

A value of 0 will disable the timeout.

Only traffic to the content rule is affected.

There is also a command 'flow permanent' that lets you configure 10 permanent ports (no timeout) for the box. This affects all traffic.

If you want to see the effect of the flow-timeout-multiplier, you can go in debug mode with the command llama.

From there, do a 'flow-agent show active' when there is traffic going through the CSS.

Identify a flow id for a connection that hit the content rule with the flow-timeout command.

With this flowid, do a 'flow-agent show fcb 0x'

You will see the timeout value for this flow.

Don't forget this is a multiplier. So, if you configured a value of 20, the timeout will be 16 x 20 = 320

Gilles.

Thanks for your reply.

For me it was important to know that the flow-timeout doesn't need any additional parameters.

If I understand you right, as soon as I assign the flow-timeout to a content rule, the value is valid for ALL connections being established through this content rule.

So on a 11501 you cannot explicitly specify which port (80, 389, 23, etc.) the timeout value is valid for (on a 11500 you can specify an explicit port)?

Reiner

You can specify a port if you want with the command 'flow permanent'.

This tells the CSS not to timeout those connections.

GILLES(config)# flow permanent ?

port1 First tcp port to not be reclaimed by flowmgr

port10 Tenth tcp port to not be reclaimed by flowmgr

port2 Second tcp port to not be reclaimed by flowmgr

port3 Third tcp port to not be reclaimed by flowmgr

port4 Fourth tcp port to not be reclaimed by flowmgr

port5 Fifth tcp port to not be reclaimed by flowmgr

port6 Sixth tcp port to not be reclaimed by flowmgr

port7 Seventh tcp port to not be reclaimed by flowmgr

port8 Eighth tcp port to not be reclaimed by flowmgr

port9 Ninth tcp port to not be reclaimed by flowmgr

GILLES(config)# flow permanent port1 80

But the 11500 has the advantage that you can set the timeout for each content rule with the 'flow-timeout-multiplier' which is independent from the 'flow permanent' command.

GILLES(config)# owner gilles

GILLES(config-owner[gilles])# content WWW

GILLES(config-owner-content[gilles-WWW])# flow-timeout-multiplier ?

Integer value(Range: 0-65533)

GILLES(config-owner-content[gilles-WWW])# flow-timeout-multiplier 20
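The thread gives two facts a practitioner needs when sizing this setting: the configured value is a multiplier of a 16-second base (20 gives 16 x 20 = 320), the CLI accepts 0-65533, and 0 disables the timeout. The following is an added example, not code from the thread or from Cisco, that turns those facts into a small planner: it picks the smallest multiplier whose CSS timeout is not shorter than the firewall's idle timeout (so the CSS never reclaims a flow the firewall still considers live, yet drops the stale flow soon after the firewall has silently cut the client off) and emits the content-rule lines in the form shown above. The owner/content names and the firewall timeout values are assumed.

```python
import math
from typing import Optional

# Base unit of the CSS flow timeout, as stated in the reply above:
# multiplier 20 -> 16 x 20 = 320 seconds.
CSS_TIMEOUT_BASE_SECONDS = 16
# Range reported by 'flow-timeout-multiplier ?' above; 0 disables the timeout.
MULTIPLIER_MIN, MULTIPLIER_MAX = 0, 65533


def effective_timeout(multiplier: int) -> Optional[int]:
    """Seconds after which the CSS reclaims an idle flow on the rule; None = never."""
    if not MULTIPLIER_MIN <= multiplier <= MULTIPLIER_MAX:
        raise ValueError(f"multiplier {multiplier} outside {MULTIPLIER_MIN}-{MULTIPLIER_MAX}")
    return None if multiplier == 0 else multiplier * CSS_TIMEOUT_BASE_SECONDS


def multiplier_for_firewall_timeout(firewall_idle_seconds: int) -> int:
    """Smallest multiplier whose CSS timeout is at least the firewall's idle timeout.

    Design choice (assumption, not from the thread): the CSS timeout should not be
    shorter than the firewall's, otherwise a quiet but live client connection is
    reclaimed first; it should also not be much longer, so that the stale flow the
    question describes disappears shortly after the firewall drops the client.
    """
    if firewall_idle_seconds <= 0:
        raise ValueError("firewall idle timeout must be positive")
    multiplier = math.ceil(firewall_idle_seconds / CSS_TIMEOUT_BASE_SECONDS)
    return min(multiplier, MULTIPLIER_MAX)  # clamp to the CLI's accepted range


def content_rule_config(owner: str, rule: str, multiplier: int) -> str:
    """CSS CLI lines applying the multiplier to one content rule (hypothetical names)."""
    effective_timeout(multiplier)  # validate the range before emitting config
    return "\n".join([
        f"owner {owner}",
        f" content {rule}",
        f"  flow-timeout-multiplier {multiplier}",
    ])


if __name__ == "__main__":
    # Constructed scenario: the firewall drops idle sessions after 300 seconds.
    m = multiplier_for_firewall_timeout(300)
    print(f"multiplier {m} -> CSS timeout {effective_timeout(m)} s")
    print(content_rule_config("gilles", "LDAP-QUERY", m))
```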