Huge Connection RST after put ACE4710 in middle.

n.poongsawad
Level 1

Hi Experts,

First of all, our error has persisted for a while in the Development section (real server).

Overview of the configuration: we have a client sending web-service requests to the rserver through an ACE4710. There is a traditional VIP. After passing the VIP, before going to the rserver, we do a 1-to-1 NAT (for some reason, for ease of deployment on the existing environment). Then on to the rserver.

The problem arose when there were too many 'Connection Reset' events, with error logs of 'TCP Port numbers reused' and, as a consequence, Error Connection Reset. If we inject many more web-client requests, we get many more RSTs. Please see my captured packets in the enclosed files.

Our action plan so far: we bypassed the VIP and connected the web client directly through the NAT to the rserver. The error was not found!!!

Is there any parameter or configuration we could tune?

If the running-config is needed, I will post it ASAP.

The pictures illustrate our test before bypassing the VIP.

Pict 1 - Behind LB: Behind_LB.png
Pict 2 - At LB: At_LB.png
Pict 3 - In front of LB: InFrontOf_LB.png

Thank you for any suggestion in advance,
Nipat.p

Jorge Bejarano
Level 4

Nipat,

Can you attach your current configuration?

I think it might be related to the way how you are using NAT.

Jorge

I solved it as follows after working with TAC.

By default, the ACE removes the timestamp option parameter, but the TCP implementation on Red Hat needs the timestamp parameter to check whether the connection is a new one (fast port reuse) or the original one. As the timestamp option parameter has been removed, Red Hat can't handle the SYN for the new connection (port reuse) correctly.

On the ACE, the parameter map 'tcp-options timestamp allow' changes the ACE's default behavior, and the ACE will no longer remove the timestamp option parameter from the SYN packet.

Please add these lines to the ACE configuration.

parameter-map type connection tcp-pm
  tcp-options timestamp allow

policy-map multi-match client-vips
  class VIP
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PSERVICE_SERVER
    connection advanced-options tcp-pm

Nipat.p
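One way to confirm the fix from a capture taken behind the load balancer, as an added example that is not part of this thread or of Cisco's ACE code: parse the TCP options of a raw SYN header and report whether the timestamp option (kind 8) survived. The two SYN headers below are constructed for the example; the client ports, TSval and MSS are placeholders.

```python
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: payload} for every option in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    opts, i = {}, 20                                  # options start after the fixed header
    while i < data_offset:
        kind = tcp_header[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:                       # single-byte padding
            i += 1
            continue
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        opts[kind] = tcp_header[i + 2:i + length]
        i += length
    return opts

def timestamp_option(tcp_header: bytes):
    """(TSval, TSecr) if the timestamp option is present, else None."""
    payload = parse_tcp_options(tcp_header).get(TCP_OPT_TIMESTAMP)
    if payload is None or len(payload) != 8:
        return None
    return struct.unpack("!II", payload)

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (src port 40000 -> dst port 443) with padded options."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)   # flags=SYN, checksum left 0
    return fixed + padded

# Options as a Linux client typically sends them: MSS, SACK-permitted,
# timestamp (TSval=123456, TSecr=0), NOP, window scale.
CLIENT_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x04\x02"
                       + b"\x08\x0a" + struct.pack("!II", 123456, 0)
                       + b"\x01" + b"\x03\x03\x07")
# The same SYN as the ACE forwards it by default: timestamp option stripped.
STRIPPED_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x01" + b"\x03\x03\x07")

if __name__ == "__main__":
    print("client SYN timestamp:", timestamp_option(CLIENT_SYN))    # (123456, 0)
    print("behind-LB SYN timestamp:", timestamp_option(STRIPPED_SYN))  # None
```

A SYN seen on the rserver side that returns None after 'tcp-options timestamp allow' is applied means the parameter map is not attached to the VIP's connection advanced-options.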

adding

parameter-map type connection tcp-pm
  tcp-options timestamp allow
