IPv6 TCP connections that pass through the Security Group on a Scalable Chassis experience a 3-5 second delay
Symptoms
  • IPv6 TCP connections that pass through the Security Group on a Scalable Chassis experience a 3-5 second delay.

  • The tcpdump packet capture shows asymmetric traffic flow for distribution of return packets in the IPv6 TCP connections.

  • The Layer 4 distribution mode is disabled.

  • This issue does not happen with IPv4 connections that pass through the same pair of interfaces in the same direction.

Cause

The inbound and outbound interfaces are both currently configured as "policy-external", which requires the connections to undergo distribution correction.

Example Scenario of an IPv6 Connection:

[Client] <===> (bond1.33) [Security Group on Scalable Chassis] (bond1.22) <===> [Server]

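| Connection   | Source (Client)                         | Destination (Server)                    |
|--------------|-----------------------------------------|-----------------------------------------|
| IPv6 Address | 2001:0DB8:3333:4444:5555:6666:7777:8888 | 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF |
| TCP Port     | 62318                                   | 443                                     |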

The syntax for the tcpdump packet capture on the Security Group:

g_tcpdump -mcap -w tcpdump_vlan22.cap -ennni bond1.22 host 2001:0DB8:3333:4444:5555:6666:7777:8888 and host 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF

The captured traffic on the Security Group shows the TCP three-way handshake packet exchange (note that the SGM number and timestamp are shown for each packet):

  1. SGM 1_03 08:27:19 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 -> 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 SYN

  2. SGM 1_01 08:27:19 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 -> 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 SYN/ACK

  3. SGM 1_01 08:27:22 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 -> 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 SYN/ACK

  4. SGM 1_01 08:27:22 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 -> 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 SYN/ACK

  5. SGM 1_03 08:27:22 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 -> 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 SYN

  6. SGM 1_03 08:27:22 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 -> 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 SYN/ACK

  7. SGM 1_03 08:27:22 2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318 -> 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443 ACK

There is a three-second delay (between the 2nd and 3rd packets) in SGM 1_03 that receives the TCP [SYN-ACK] packet because it tries to distribute this TCP [SYN-ACK] packet to SGM 1_01, which is the wrong SGM in this case.
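The check described above can be automated over a packet listing. The following is an added example, not code from the original article or from the vendor: it assumes the packets are written in the summary format used in the list above (not raw g_tcpdump output), and the function name `analyze` and the report field names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# The seven packets listed in the article, in its summary format
# (an assumption: this is not raw g_tcpdump output).
C = "2001:0DB8:3333:4444:5555:6666:7777:8888 TCP port 62318"
S = "2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF TCP port 443"
CAPTURE = "\n".join([
    f"SGM 1_03 08:27:19 {C} -> {S} SYN",
    f"SGM 1_01 08:27:19 {S} -> {C} SYN/ACK",
    f"SGM 1_01 08:27:22 {S} -> {C} SYN/ACK",
    f"SGM 1_01 08:27:22 {S} -> {C} SYN/ACK",
    f"SGM 1_03 08:27:22 {C} -> {S} SYN",
    f"SGM 1_03 08:27:22 {S} -> {C} SYN/ACK",
    f"SGM 1_03 08:27:22 {C} -> {S} ACK",
])
LINE = re.compile(r"SGM (\S+) (\d\d:\d\d:\d\d) (\S+) TCP port (\d+)"
                  r" -> (\S+) TCP port (\d+) (\S+)")

def analyze(text):
    """Per connection: SGMs seen in each direction, SYN/ACK copies, handshake time."""
    conns = {}
    for sgm, ts, src, sport, dst, dport, flags in LINE.findall(text):
        a, b = (src, int(sport)), (dst, int(dport))
        t = datetime.strptime(ts, "%H:%M:%S")
        c = conns.setdefault(frozenset((a, b)), {
            "sgms": defaultdict(set), "client": None, "syn": None, "ack": None, "synack": 0})
        c["sgms"][a].add(sgm)              # SGM that captured a packet sent by this endpoint
        if flags == "SYN" and c["syn"] is None:
            c["client"], c["syn"] = a, t   # first SYN identifies the initiator
        elif flags == "SYN/ACK":
            c["synack"] += 1
        elif flags == "ACK" and c["ack"] is None:
            c["ack"] = t
    report = []
    for c in conns.values():
        fwd = c["sgms"].get(c["client"], set())
        ret = set().union(*(s for ep, s in c["sgms"].items() if ep != c["client"]))
        done = c["syn"] is not None and c["ack"] is not None
        report.append({
            "forward_sgms": sorted(fwd),
            "return_sgms": sorted(ret),
            "asymmetric": bool(ret - fwd),   # return traffic on an SGM the client side never used
            "synack_copies": c["synack"],
            "handshake_seconds": (c["ack"] - c["syn"]).total_seconds() if done else None,
        })
    return report
```

Timestamps in this format have one-second resolution, so the reported handshake time is accurate only to the second.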

Output of the "dxl calc" command for the client-to-server direction packet for the inbound interface shows that the outbound packet should be distributed to SGM 1_03:

dxl calc 2001:0DB8:3333:4444:5555:6666:7777:8888  2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF bond1.33

Output of the "dxl calc" command for the server-to-client direction packet for the outbound interface shows that the outbound packet should be distributed to SGM 1_01, therefore requiring a correction:

dxl calc 2001:0DB8:3333:4444:CCCC:DDDD:EEEE:FFFF  2001:0DB8:3333:4444:5555:6666:7777:8888 bond1.22

