Cisco Support Community

Service hits not hitting my source group

I've run into an interesting problem with a TCP application.

I have a content rule setup to balance TCP traffic to two servers. This is a one-armed configuration so I am NAT/PAT'ing traffic using a source group.

When the TCP session is trying to be established, I see hits to the service itself, but not to the group with that same destination service configured.

I've run sniffer traces to look at the traffic and verified that the CSS seems to be dropping the traffic.

I tried a telnet from my PC to the virtual IP and TCP port, and that traffic seemed to route perfectly, but traffic from the devices that this configuration was meant for is being dropped.

The only difference I can see between my telnet TCP socket and the actual devices in question is that they are sending a TCP window size of zero. Could the CSS be seeing this as invalid?

When the devices are pointed directly at the server, they connect fine.

Any ideas?

Cisco Employee

Re: Service hits not hitting my source group

The window size of zero is not good.

It tells the CSS it can't send any single byte on this connection and this could be seen as a DoS attack.

So, it is definitely your problem.


CreatePlease to create content