06-05-2003 02:44 AM
Hi,
our CSS is load-balancing LDAP servers. The LDAP requests come from a system protected by a firewall. Unfortunately, the system doing the requests opens a connection and keeps it permanently open. The firewall disconnects the client system after a timeout period. The client realizes the disconnection, but the CSS is still listening for LDAP requests from that client. I know I can set the flow-timeout multiplier, but I'm not sure if this is enough. The global flow-state table command, where I can set the specific TCP port (LDAP), is not available for the CSS 11501; at least my CSS does not know the command.
My question: Is it enough to apply the flow-timeout multiplier command to the corresponding content rule, or do I have to set the TCP port as well? If so, where and how? A 'sho flow-timeout configured' returns:
User Configured Values for Content Rule Flow Timeout
Port Content Rule Timeout
0 LDAP-QUERY 4
As seen, no port is listed.
Any help is appreciated
Reiner
06-09-2003 12:28 AM
The flow-timeout-multiplier does not require any additional configuration.
A value of 0 will disable the timeout.
Only traffic to the content rule is affected.
There is also a command 'flow permanent' that lets you configure 10 permanent ports (no timeout) for the box. This affects all traffic.
If you want to see the effect of the flow-timeout-multiplier, you can go in debug mode with the command llama.
From there, do a 'flow-agent show active' when there is traffic going through the CSS.
Identify a flow id for a connection that hit the content rule with the flow-timeout command.
With this flowid, do a 'flow-agent show fcb 0x
You will see the timeout value for this flow.
Don't forget this is a multiplier. So, if you configured a value of 20, the timeout will be 16 x 20 = 320
Gilles.
06-10-2003 01:48 AM
Thanks for your reply.
For me it was important to know that the flow-timeout doesn't need any additional parameters.
If I understand you right, as soon as I assign the flow-timeout to a content rule, the value is valid for ALL connections being established through this content rule.
So on a 11501 you cannot explicitly specify which port (80, 389, 23, etc.) the timeout value is valid for (on a 11500 you can specify an explicit port)?
Reiner
06-11-2003 12:27 AM
You can specify a port if you want with the command 'flow permanent'.
This tells the CSS not to timeout those connections.
GILLES(config)# flow permanent ?
port1 First tcp port to not be reclaimed by flowmgr
port10 Tenth tcp port to not be reclaimed by flowmgr
port2 Second tcp port to not be reclaimed by flowmgr
port3 Third tcp port to not be reclaimed by flowmgr
port4 Fourth tcp port to not be reclaimed by flowmgr
port5 Fifth tcp port to not be reclaimed by flowmgr
port6 Sixth tcp port to not be reclaimed by flowmgr
port7 Seventh tcp port to not be reclaimed by flowmgr
port8 Eighth tcp port to not be reclaimed by flowmgr
port9 Ninth tcp port to not be reclaimed by flowmgr
GILLES(config)# flow permanent port1 80
But the 11500 has the advantage that you can set the timeout for each content rule with the 'flow-timeout-multiplier', which is independent of the 'flow permanent' command.
GILLES(config)# owner gilles
GILLES(config-owner[gilles])# content WWW
GILLES(config-owner-content[gilles-WWW])# flow-timeout-multiplier ?
GILLES(config-owner-content[gilles-WWW])# flow-timeout-multiplier 20
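Putting the two answers together for the LDAP case in the original question, the following is an added configuration example assembled by the editor; it is not from either poster. The service name, owner name, IP addresses and the multiplier value are made up. The multiplier follows Gilles' arithmetic (timeout = 16 x multiplier seconds), so 225 gives 3600 seconds; pick a value that keeps the CSS flow timeout at or below the firewall's idle timeout, so the CSS does not hold a flow the firewall has already torn down.

```text
!*************************** SERVICE ***************************
! Constructed back-end LDAP server (address is made up)
service ldap1
  ip address 10.0.0.11
  protocol tcp
  port 389
  keepalive type tcp
  active

!*************************** OWNER ***************************
owner reiner
  ! Content rule for the LDAP VIP (address is made up)
  content LDAP-QUERY
    vip address 10.0.0.100
    protocol tcp
    port 389
    add service ldap1
    ! 16 x 225 = 3600 s idle timeout for flows matching this rule only
    flow-timeout-multiplier 225
    active

!*************************** GLOBAL ***************************
! Alternative (box-wide, not per rule): never reclaim flows on TCP/389.
! Use one approach or the other; with 'flow permanent' the firewall
! timeout becomes the only limit on the idle connection.
! flow permanent port1 389
```

Verify with 'show flow-timeout configured' (the content rule and its multiplier should be listed) and, as Gilles describes, with 'flow-agent show active' and 'flow-agent show fcb' in llama debug mode to read the timeout actually applied to a live flow.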