Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
879
Views
0
Helpful
3
Replies

a CSS command that would show return traffic...

axfalk
Level 1
Level 1

‎11-10-2011 06:43 PM

We're running a pair of CSS's with a couple of back-end servers behind them. We could determine if the traffic is coming into the CSS by uing the sh flows command. However, this command will only show the connections from the CSS to the server, not back to the CSS, so if there's an asymetry in the flow, this command will not pick it up. Is there a similar command(s) that would show a return connection from back-end servers to the CSS?

Thanks..

Labels:
0 Helpful
3 Replies 3

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎11-11-2011 03:21 AM

Good morning,

No, there is not such a command, but you can easily confirm that there is no asymmetric traffic from the fact that connections work.

If the CSS doesn't see the full TCP handshake for a connection (which includes the client and server directions), it will close the connection and log a SYN attack.

On top of that, unless you are defining the servers as transparent, the CSS will apply NAT to the destination IP (from the VIP to the server), so, if there is asymmetric routing, the NAT is not undone for the return traffic, which will cause connections to fail.

I hope this helps

Daniel

0 Helpful

axfalk
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎11-16-2011 08:12 AM

Daniel, thanks for your reply. We had a case, where the default gateway configured on the back-end servers was wrong. Obviously, the users could not pull the web content, however, when I did sh flows, they looked OK, because the only showed the connections from the CSS to the server. So, is there a command that would have showen the connections from the server to the CSS not working and, therefore, would have picked up the assymetrical routing?

thanks again...

0 Helpful

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee
In response to axfalk

‎11-17-2011 01:02 AM

As I mentioned, since the CSS is not seeing the full handshake, it should close the connection after a few seconds, so you would not even see it in the show flows as a established one.

Anyway, I'm afraid there is no command to easily diagnose these situations. The best way is to get a traffic capture on both sides of the CSS to see what's happening with the traffic.

Daniel

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card