Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
886
Views
0
Helpful
1
Replies

tcp-flow-timeout on outgoing connections

maelinou67
Level 1
Level 1

‎11-29-2013 12:30 AM

Hello,

We have clients connecting to a server, through a CSS.

The server, on some specific cases, has to connect to the clients (different port).

Since IP adresses are the same, the connection has to go through the CSS, which in this case is acting as gateway.

We're facing issues, because of teared down flows at CSS level ; we'd like to change the inactivity timeout, but can't find an easy way.

So far, the only thing I found, is to set a permanent port, but it's not really the best solution, as connections which were not closed correctly would accumulate in the system.

Would there be an easy way (I'd prefer to avoid having to create contents) for the outgoing flows, on a specific port, to have a different inactivity timeout than the default one ?

Thanks in advance for your help.

Cheers

Mael

Labels:
0 Helpful
1 Reply 1

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎11-29-2013 06:01 AM

Hi Mael,

CSS will not break routed connections just going through it. 
 
 Here's what happens:
 

1) CSS gets a packet directed towards an IP which is not configured as VS. When it does, it creates a connection for that flow even if the  packet is not the original SYN of the three way handshake.

2) If no data is received on this connection for 16 seconds, it is moved to the free-flows list. Once it is there, the CSS will continue to  use the information located in it to forward traffic but the connection will be removed as soon as we need some room for new entries.

3) Once the connection is removed even from the free-flows list and that we get a new packet for the connection, you got back to point #1.  Since the CSS doesn't check for stateful information (AKA doesn't check if the first packet is a SYN).

So even if the idle timeout of the connections going through it are 16 seconds, a routed TCP flow through the CSS *will never  time out*.

For changing inctivity timeouts for loabbalanced connnections you can use the below command which needs to be applied to Content rule/source groups.

flow-timeout multiplier

Note: If you give number as 2, CSS will multiply it by 16 and actual timeout would be 32.

The permanent option is also good one but can be a problem if you have high traffic for that port. You can also use cmd-scheduler along with permanent port to clear the flows periodically.

Regards,

Kanwal

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card