topic Re: CSS ACK client's SYN when L4 LB? in Application Networking

CSS ACK client's SYN when L4 LB?

a12288 — Thu, 13 Sep 2007 13:49:59 GMT

IF I configure CSS do L4 LB (say, tcp-22 for SSH) and NAT as well, does CSS ACK client's SYN? or just forward client SYN to server? and does CSS changes sequence numbers? thanks a lot.

Re: CSS ACK client's SYN when L4 LB?

Diego Vargas — Thu, 13 Sep 2007 15:43:28 GMT

If the CSS is doing layer 4, it should not be spoofing, so pretty much will look at the SYN and based on the packet data decide which server should handle the request and pass the SYN to the server.

It will then wait for the server's SYN/ACK and pass it to the client.

The sequence number will remain the same when doing layer 4 LB.

Re: CSS ACK client's SYN when L4 LB?

a12288 — Thu, 13 Sep 2007 16:09:46 GMT

Thanks. That's what I thought, somehow, all of our servers (web, smtp) which are not load-balanced are having outstanding SYN_RECV connections (netstat -na | grep SYN_RECV), but those load-balanced servers (web, imap) does not show those SYN_RECV connections, it makes me wonder CSS is doing something, and all of servers, include CSS are behind FWSM, and we have configured embryonic limit to 1 to turn on TCP Intercept but so far have not seen any hits on TCP Intercept, any thoughts?

Re: CSS ACK client's SYN when L4 LB?

Gilles Dufour — Fri, 14 Sep 2007 07:54:13 GMT

If the server not-loadbalanced do not show too many SYN-RECV connections, I would say this is a good thing.

Why do you suspect the CSS ?

I would say capture a sniffer trace on the servers showing the SYN_RECV and try to match a SYN-RECV status to what you see in the trace.

You will then understand what is going on.

One more thing, if this was the opposite - loadbalancer server show lot of SYN_RECV, that could be CSS probes.

But you would see the src ip address being the CSS ?

Gilles.

Re: CSS ACK client's SYN when L4 LB?

a12288 — Fri, 14 Sep 2007 10:31:45 GMT

Of course not suspect CSS, just wonder if CSS would something more to protect the backend servers, and your guys just confirm that L4 would not do delay bind.

So if the NetPros did not see similar scenario here, I would say our non load balanced server is the target.

Re: CSS ACK client's SYN when L4 LB?

Gilles Dufour — Fri, 14 Sep 2007 11:35:06 GMT

ok, the CSS does something to protect the servers.

There is the dos feature.

If the tcp handshake does not complete in 16sec, the connection is reset.

You can do a 'show dos' to see if the CSS had to clean up connections.

Gilles.