CSS 11052 - syn & synack

jose.neves
Level 1

I have 2 CSS 11052 doing server load balancing at layer 3 (with four web servers). I have a VIP address to talk with clients and 2 FW1 "next generation" firewalls on Win200 servers between the CSS and the clients. My clients have some problems establishing the session (http or https). When the sessions are established they work well.

With a sniffer near the client I saw the client send 2, 3, or more SYNs until it gets the SYN/ACK and the session is established.

With a sniffer between the CSS and the web servers I saw the SYNs that are sent by the client and I saw a SYN/ACK for every SYN until the session is established.

Where are the SYN/ACKs sent by the web servers going?

Any idea?

4 Replies

Gilles Dufour
Cisco Employee

Are the servers directly connected to the CSS?

Is the CSS the default gateway for the servers?

Can the servers bypass the CSS?

What you have to make sure is that the server response goes through the CSS.

Check the destination MAC address in the SYN/ACK and make sure this is the CSS.

Do you have ACLs on the CSS?

If so, try to disable them.

Can we have the config of the CSS? Content rules and services.

Are the services seen as alive?

Can you ping the VIP?

Any transition with the service?

As you can see there are many possibilities.

I would suggest starting by sending the config and a 'sho summary' and 'sho serv summary'.

Also make sure traffic goes back to the CSS.

Gilles.
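One way to run the MAC check Gilles asks for over a capture, as an added example that is not part of the thread: it parses constructed tcpdump -e style lines (the CSS, firewall, server and client MACs and the client IP are placeholders; the VIP and real-server addresses are the ones from the config posted below) and reports SYN/ACKs from a real server whose layer-2 destination is not the CSS, plus repeated client SYNs per flow.

```python
import re
from collections import Counter

# Placeholder MACs (constructed, not from the thread): the CSS circuit facing
# VLAN2, the firewall, and one web server.
CSS_MAC, FW_MAC, WEB_MAC = "00:10:58:aa:bb:01", "00:50:04:22:22:22", "00:a0:c9:33:33:33"
VIP = "192.168.1.100"                      # Rule_HTTP / Rule_HTTPS VIP from the config
SERVERS = {"192.168.1.31", "192.168.1.32", "192.168.1.33", "192.168.1.34"}
CLIENT = "172.16.5.9"                      # constructed client address

# Constructed capture in tcpdump -e style: time, src mac > dst mac,
# src ip.port > dst ip.port, TCP flags (S = SYN, S. = SYN/ACK).
SAMPLE_CAPTURE = f"""\
0.000 00:d0:b7:11:11:11 > {CSS_MAC} {CLIENT}.1025 > {VIP}.80 S
0.001 {CSS_MAC} > {WEB_MAC} {CLIENT}.1025 > 192.168.1.31.80 S
0.002 {WEB_MAC} > {FW_MAC} 192.168.1.31.80 > {CLIENT}.1025 S.
3.000 00:d0:b7:11:11:11 > {CSS_MAC} {CLIENT}.1025 > {VIP}.80 S
3.001 {CSS_MAC} > {WEB_MAC} {CLIENT}.1025 > 192.168.1.31.80 S
3.002 {WEB_MAC} > {CSS_MAC} 192.168.1.31.80 > {CLIENT}.1025 S.
3.003 {CSS_MAC} > 00:d0:b7:11:11:11 {VIP}.80 > {CLIENT}.1025 S.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+) (?P<flags>\S+)$"
)

def parse_capture(text):
    """Return one dict per line that matches the format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def misrouted_synacks(pkts, css_mac=CSS_MAC, servers=SERVERS):
    """SYN/ACKs sent by a real server whose L2 destination is not the CSS: such
    replies bypass the CSS, reach the client unrewritten and it resends its SYN."""
    return [p for p in pkts
            if p["flags"] == "S." and p["src"] in servers
            and p["dmac"].lower() != css_mac.lower()]

def syn_retransmissions(pkts):
    """Number of repeated SYNs per (src ip, src port, dst ip, dst port) flow."""
    counts = Counter((p["src"], p["sport"], p["dst"], p["dport"])
                     for p in pkts if p["flags"] == "S")
    return {flow: n - 1 for flow, n in counts.items() if n > 1}

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for p in misrouted_synacks(pkts):
        print(f"t={p['ts']}: SYN/ACK from {p['src']} went to {p['dmac']}, not the CSS")
    for flow, n in syn_retransmissions(pkts).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYN retransmission(s)")
```

In the constructed sample the first SYN/ACK is addressed to the firewall MAC and is flagged, while the second goes to the CSS and is rewritten to the VIP; a real capture from the server-side sniffer is checked the same way.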

I am curious as to why you asked if ACL was enabled.

I have a similar problem where I have web clients that access the Internet via an 11050. The client sends a SYN, the web server responds with SYN/ACK, the client then sends ACK. However, a sniffer on the Internet side of the CSS shows the CSS dropped the final ACK.

If I disable ACLs, the problem disappears.

Is there any relation?

jose.neves
Level 1

The servers are connected to a 3524XL switch.

The CSS is the default gateway to the servers.

The server can bypass the CSS if we change the gateway, because the firewalls are in the same network.

I don't have any ACLs in the CSS.

The services are alive.

I can ping the VIP.

CONFIG:

CSS-1A# version
Version: ap0500033 (5.00 Build 33)
Flash (Locked): 5.00 Build 33
Flash (Operational): 5.00 Build 33
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
                     SSH Server

CSS-1A# sh boot
!************************ BOOT CONFIG ************************
ip address 192.168.7.242
subnet mask 255.255.255.0
primary boot-file ap0500033
primary boot-type boot-via-disk

CSS-1A# sh run
!Generated on 02/26/2003 19:32:32
!Active version: ap0500033
configure

!*************************** GLOBAL ***************************
ip redundancy
no restrict web-mgmt
no restrict xml
restrict ftp
restrict telnet
restrict user-database
restrict snmp
app session 192.168.100.2
app
ip route 0.0.0.0 0.0.0.0 192.168.1.254 1

!************************* INTERFACE *************************
interface e1
  phy 100Mbits-FD
  bridge vlan 3
  description "HeartBeat"
interface e2
  phy 100Mbits-FD
  bridge vlan 2
  redundancy-phy
  description "UP-Link to FW01N1 via Switch-3A"
interface e3
  phy 100Mbits-FD
  bridge vlan 2
interface e4
  phy 100Mbits-FD
  bridge vlan 2
interface e5
  phy 100Mbits-FD
  bridge vlan 2
interface e6
  phy 100Mbits-FD
  bridge vlan 2
interface e7
  phy 100Mbits-FD
  bridge vlan 2
interface e8
  phy 100Mbits-FD
  bridge vlan 4

!************************** CIRCUIT **************************
circuit VLAN3
  ip address 192.168.100.1 255.255.255.0
    redundancy-protocol
circuit VLAN2
  redundancy
  ip address 192.168.1.250 255.255.255.0
circuit VLAN4
  ip address 10.6.1.60 255.255.255.128

!************************** SERVICE **************************
service WEB01_HTTP
  ip address 192.168.1.31
  keepalive type tcp
  keepalive port 80
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB01_HTTP&HTTPS
  ip address 192.168.1.31
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB01_HTTPHEADwebinfo
  ip address 192.168.1.31
  keepalive type script ap-kal-httplist "192.168.1.31 /webinfo.asp"
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB01_HTTPS
  ip address 192.168.1.31
  keepalive type tcp
  keepalive port 443
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB02_HTTP
  ip address 192.168.1.32
  keepalive type tcp
  keepalive port 80
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB02_HTTP&HTTPS
  ip address 192.168.1.32
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB02_HTTPHEADwebinfo
  ip address 192.168.1.32
  keepalive type script ap-kal-httplist "192.168.1.32 /webinfo.asp"
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB02_HTTPS
  ip address 192.168.1.32
  keepalive type tcp
  keepalive port 443
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB03_HTTP
  ip address 192.168.1.33
  keepalive type tcp
  keepalive port 80
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB03_HTTP&HTTPS
  ip address 192.168.1.33
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB03_HTTPHEADwebinfo
  ip address 192.168.1.33
  keepalive type script ap-kal-httplist "192.168.1.33 /webinfo.asp"
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB03_HTTPS
  ip address 192.168.1.33
  keepalive type tcp
  keepalive port 443
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB04_HTTP
  ip address 192.168.1.34
  keepalive type tcp
  keepalive port 80
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB04_HTTP&HTTPS
  ip address 192.168.1.34
  keepalive frequency 15
  keepalive maxfailure 2
  keepalive type script ap-kal-dcheck "192.168.1.34"
  active
service WEB04_HTTPHEADwebinfo
  ip address 192.168.1.34
  keepalive type script ap-kal-httplist "192.168.1.34 /webinfo.asp"
  keepalive frequency 15
  keepalive maxfailure 2
  active
service WEB04_HTTPS
  ip address 192.168.1.34
  keepalive type tcp
  keepalive port 443
  keepalive frequency 15
  keepalive maxfailure 2
  active

!*************************** OWNER ***************************
owner www.cidadebcp.pt
  content Rule_HTTP
    vip address 192.168.1.100
    protocol tcp
    port 80
    advanced-balance sticky-srcip
    add service WEB01_HTTP&HTTPS
    add service WEB02_HTTP&HTTPS
    add service WEB03_HTTP&HTTPS
    add service WEB04_HTTP&HTTPS
    active
  content Rule_HTTPS
    vip address 192.168.1.100
    protocol tcp
    port 443
    advanced-balance sticky-srcip
    add service WEB02_HTTP&HTTPS
    add service WEB01_HTTP&HTTPS
    add service WEB03_HTTP&HTTPS
    add service WEB04_HTTP&HTTPS
    active

SHOW SUMMARY

CSS-1A# sh summ
Global Bypass Counters:
  No Rule Bypass Count: 1406999
  Acl Bypass Count:     0

Owner             Content Rules   State    Services            Service Hits
www.?????????.pt  Rule_HTTP       Active   WEB01_HTTP&HTTPS    23851961
                                           WEB02_HTTP&HTTPS    23432601
                                           WEB03_HTTP&HTTPS    25224983
                                           WEB04_HTTP&HTTPS    20882126
                  Rule_HTTPS      Active   WEB01_HTTP&HTTPS    34624556
                                           WEB02_HTTP&HTTPS    32311666
                                           WEB03_HTTP&HTTPS    33279661
                                           WEB04_HTTP&HTTPS    30738365

SHOW SERV SUMMARY

CSS-1A# show serv summ
Service not found

I hope this information is enough for you.

If you want, I can send you the same information by mail. Tell me if necessary.

Could you send me a topology map and the sniffer traces by email - gdufour@cisco.com
