Application Delivery (ADX)

Contributor
Posts: 24
Registered: 11-13-2009

how to set up no connection limit for a vip on serveriron si 400 ?

Hi ,

I am seeing a strange problem for a VIP configured on the ServerIron 400. This is how my configuration is:

server real abc01 10.212.44.101
 port http
 port http url "GET /server-status"
 port http server-id 1091
 port http group-id 1 1
!
server real abc02 10.212.44.102
 port http
 port http url "GET /server-status"
 port http server-id 1092
 port http group-id 1 1
!
server real abc03 10.212.44.103
 port http
 port http url "GET /server-status"
 port http server-id 1093
 port http group-id 1 1
!
server real abc04 10.212.44.104
 port http
 port http url "GET /server-status"
 port http server-id 1094
 port http group-id 1 1

server virtual abc-vip23 10.212.23.78
 sym-priority 200
 port http
 port http cookie-name "ServerID"
 port http csw-policy "policy-adnfews"
 port http csw
 port http keep-alive
 bind http abc01 http abc04 http abc02 http abc03 http

Everything is working fine: the VIP is responding and is load balancing in a round-robin fashion to all the servers. Now this VIP is supposed to have a lot of traffic coming into it on port 80 from a few specific IPs. So, for testing, we set up a test server and used a PHP script to send files 2k in size from 100 virtual machines on that test server (but each machine uses the same IP as source IP when reaching the VIP). The files start to reach the VIP and then go to their corresponding real server for some time, and then it just dies, whereas when I use the same test server and go directly to the real server, it uploads all the files and does not stop.

So, I think there is some default limit on the Foundry for the number of connections or concurrent connections that allows a source IP to have a limited number of connections to the VIP, and I need to change it, but I cannot find out anything in the security manuals of the SI400 (version 10 m) to change that default setting. Please help me out of this problem, it will be really helpful.

Thank you .

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: how to set up no connection limit for a vip on serveriron si 400 ?

Hmmm, good question.

First see "Maximum Concurrent Connection Limit Per Client" in the security manual (version 11.00, page 3-29 - I know you said version 10 but I do not have that manual). This will allow you to set the max concurrent connections to a real server per client.

I cannot find what the default value is though.

However, I think that you may be hitting a DoS limit. See "Logging for DoS Attacks" in the security manual (below is from version 11.00) and see if this is the case.

Also check

Displaying IP Address with Held Down Traffic (from TRL)

Logging for DoS Attacks

The following sections describe how to enable logging of DoS attacks.

Configuration Commands

Use the following commands to enable logging of TCP connection rate and attack rate.

Syntax:
ip tcp conn-rate <rate> attack-rate <rate>

Syntax:
ip tcp conn-rate-change <percentage> attack-rate <percentage>

Syntax:
server max-conn-trap <seconds>

Parameters

The conn-rate <rate> parameter specifies a threshold for the number of global TCP connections per second that are expected on the ServerIron. A global TCP connection is defined as any packet that requires session processing. For example, 1 SLB, 1 TCS, and 1 SYN-Guard connection would equal 3 global TCP connections, since there are three different connections that require session processing.

NOTE: The ServerIron counts only the new connections that remain in effect at the end of the one-second interval. If a connection is opened and terminated within the interval, the ServerIron does not include the connection in the total for the server.

The attack-rate <rate> parameter specifies a threshold for the number of TCP SYN attack packets per second that are expected on the ServerIron.
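The two mechanisms the reply points at (a per-client concurrent-connection limit, and the conn-rate counting rule in the NOTE) can be modelled in a few lines. The Python below is an added illustration written for this thread, not Brocade code or anything from the manual; it assumes the per-client limit is keyed on source IP, so the 100 test VMs behind one NAT'd address share a single counter, and all addresses and events in it are constructed.

```python
from collections import Counter, defaultdict

# Constructed placeholders (documentation range): 100 VMs NAT'd behind one address.
NAT_IP = "198.51.100.7"
OTHER_IP = "198.51.100.8"

def build_test_events(vm_count=100, hold_seconds=2.0):
    """Events are (time_s, client_ip, conn_id, 'open' | 'close')."""
    events = []
    for i in range(vm_count):
        t_open = 0.01 * i  # all opens land inside the first one-second interval
        events.append((t_open, NAT_IP, f"vm{i}", "open"))
        events.append((t_open + hold_seconds, NAT_IP, f"vm{i}", "close"))
    # opened and closed inside one interval: must NOT count toward conn-rate
    events.append((0.5, OTHER_IP, "short", "open"))
    events.append((0.7, OTHER_IP, "short", "close"))
    return sorted(events)

def rejected_by_client_limit(events, max_per_client):
    """Assumed per-client limit keyed on source IP: return the opens refused.
    Every VM behind the NAT shares one counter, so the shared address hits it."""
    active, rejected = defaultdict(set), []
    for t, ip, cid, action in events:
        if action == "open":
            if len(active[ip]) >= max_per_client:
                rejected.append((t, ip, cid))
            else:
                active[ip].add(cid)
        else:
            active[ip].discard(cid)
    return rejected

def conn_rate_per_interval(events):
    """Manual's rule: per one-second interval, count only the new connections
    that are still in effect when that interval ends."""
    opened, closed = {}, {}
    for t, _ip, cid, action in events:
        (opened if action == "open" else closed)[cid] = t
    rate = Counter()
    for cid, t_open in opened.items():
        interval = int(t_open)
        t_close = closed.get(cid)
        if t_close is None or int(t_close) > interval:
            rate[interval] += 1
    return dict(rate)

def intervals_over_threshold(events, conn_rate_threshold):
    """Intervals that would trip an 'ip tcp conn-rate <rate>' threshold."""
    return sorted(i for i, n in conn_rate_per_interval(events).items()
                  if n > conn_rate_threshold)
```

With the constructed events, a per-client limit of 50 refuses the second half of the VM connections because they all arrive from the NAT address, and the interval count is 100 even though the short-lived connection from the other client is ignored.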

Contributor
Posts: 24
Registered: 11-13-2009

Re: how to set up no connection limit for a vip on serveriron si 400 ?

Thanks for your help. I was able to solve the problem today, but I have no explanation for it. All I did was take off the content switching part from the virtual server and it started working fine, which is fine with me as I do not need content switching or server-id cookie insertion for this virtual server.
