As described in an earlier chapter, asymmetric routing is one of the network-routing-related reasons why auto-discovery fails for a TCP session that was expected to be optimized:
Figure 5.73. Different forms of asymmetric routing.
.--------.
|        |<---------------------------------------.
|        |-----------.          SYN/ACK+          |
|        |    ACK    v                            |
|        |         .-------------.          .-------------.
|        |         |             |          |             |         .--------.
|        |   SYN   |             |   SYN+   |             |  SYN+   |        |
| Client |-------->| Client-side |--------->| Server-side |-------->| Server |
|        |<--------|  Steelhead  |<---------|  Steelhead  |<--------|        |
|        | SYN/ACK |             | SYN/ACK+ |             | SYN/ACK '--------'
|        |         |             |          '-------------'            |  |
|        |         |             |                                     |  |
|        |         |             |                                     |  |
|        |         |             |<------------------------------------'  |
|        |         '-------------'              SYN/ACK                   |
|        |    ACK     ^                                                   |
|        |------------'                                                   |
|        |<---------------------------------------------------------------'
'--------'                          SYN/ACK
At the top, the SYN/ACK+ sent from the server-side Steelhead appliance bypasses the client-side Steelhead appliance; this is called Client-side Asymmetry.
When the SYN/ACK sent from the server bypasses the server-side Steelhead appliance, that is called Server-side Asymmetry.
When the SYN/ACK sent from the server bypasses both the server-side and the client-side Steelhead appliance, that is called Complete Asymmetry.
The solution to asymmetric routing issues is simple: make sure that all traffic goes through both the server-side and the client-side Steelhead appliance. This can be done by adding additional by-pass cards to the Steelhead appliance to cover all the links going out of a site, or by rolling out multiple Steelhead appliances per site and using Connection Forwarding to inform the other Steelhead appliances that all traffic for this TCP session should be forwarded to this Steelhead appliance.
The last form of Asymmetric Routing is SYN Retransmit, which happens when the SYN+ packet does not get answered by either the server or another Steelhead appliance, while a normal TCP SYN packet does get answered by the server.
When asymmetric traffic is detected, the IP address pair is added to the asymmetric routing table and its traffic is passed through for an interval, so that TCP sessions between the two hosts are established normally but unoptimized.
Figure 5.74. Asymmetric routing table via the CLI
SH # show in-path asym-route-tab
[IP 1]     [IP 2]        [reason]                [timeout (sec)]  [created]            [last used]
10.0.1.1   192.168.1.1   no-SYNACK               86237            (07/03/12 12:34:51)  (07/03/12 12:34:51)
10.0.1.1   192.168.1.1   invalid-SYNACK          55035            (07/03/12 18:46:04)  (07/03/12 20:26:48)
10.0.1.1   192.168.1.1   bad-RST                 86350            (07/17/12 11:14:29)  (07/17/12 11:14:30)
10.0.1.1   192.168.1.1   probe-filtered(not-AR)  298              (07/03/12 11:57:39)  (07/03/12 11:57:39)
Figure 5.75. Normal setup of an optimized TCP session on the network map
.--------.
|        |         .-------------.          .-------------.
|        |   SYN   |             |   SYN+   |             |  SYN+   .--------.
| Client |-------->| Client-side |--------->| Server-side |-------->| Server |
|        | SYN/ACK |  Steelhead  | SYN/ACK+ |  Steelhead  | SYN/ACK |        |
|        |<--------|             |<---------|             |<--------|        |
|        |         |             |          |             |         '--------'
|        |         |             |          '-------------'
|        |         '-------------'
'--------'
With normal auto-discovery, you should see the naked SYN packet on the LAN interface of the client-side Steelhead appliance, the SYN+ packet and a SYN/ACK+ on the WAN interfaces, the SYN+ again and a SYN/ACK on the server-side Steelhead appliance LAN interface, a SYN/ACK+ on the WAN interfaces, some traffic on port 7800 on the WAN interfaces, then an ACK on the LAN interface of the server-side Steelhead appliance, and finally a SYN/ACK and an ACK on the client-side Steelhead appliance LAN interface.
Figure 5.76. Auto-discovery for an optimized TCP session - Flow of packets
    Client               CSH                   SSH                Server
 1    ----- SYN ----->
 2                         ----- SYN+ ----->
 3                         <--- SYN/ACK+ ---
 4                                               ----- SYN+ ----->
 5                                               <--- SYN/ACK ----
 6                         <--- SYN/ACK+ ---
 7                         -- Setup Inner ->
 8                                               ----- ACK ------>
 9    <--- SYN/ACK ---
10    ----- ACK ----->
On the wire, it will look like this:
Figure 5.77. Auto-discovery for an optimized TCP session - tcpdump
CSH LAN
12:50:33.020243 IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [S], seq 1526534172, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3783247869 ecr 0,sackOK,eol], length 0
12:50:33.153146 IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 4133019662, ack 152653 \
    4173, win 5792, options [mss 1460,sackOK,TS val 6324752 ecr 3783247869,nop,wscale 2], \
    length 0
12:50:33.156482 IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [.], seq 1, ack 1, win 65535, op \
    tions [nop,nop,TS val 3783247998 ecr 6324752], length 0

CSH WAN
12:50:33.020331 IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [S], seq 1526534172, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3783247869 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
12:50:33.153021 IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 20020520, ack 15265341 \
    73, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3783247869 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
12:50:33.153061 IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 20020520, ack 15265341 \
    73, win 65535, options [mss 1460,nop,wscale 3,TS val 3783247869 ecr 0,sackOK,rvbd-prob \
    e AD CSH:10.0.1.6 SSH:192.168.1.6:7800 11110a000106c0a801061e78,rvbd-probe EAD 0e3d,no \
    p,eol], length 0

SSH WAN
12:33:06.883718 IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [S], seq 1526534172, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3783247869 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
12:33:06.883823 IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 20020520, ack 15265341 \
    73, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3783247869 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
12:33:06.884217 IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 20020520, ack 15265341 \
    73, win 65535, options [mss 1460,nop,wscale 3,TS val 3783247869 ecr 0,sackOK,rvbd-prob \
    e AD CSH:10.0.1.6 SSH:192.168.1.6:7800 11110a000106c0a801061e78,rvbd-probe EAD 0e3d,no \
    p,eol], length 0

SSH LAN
12:33:06.884044 IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [S], seq 2724579398, win 5840, o \
    ptions [mss 1460,sackOK,TS val 4294837098 ecr 0,nop,wscale 2,rvbd-probe AD CSH:10.0.1. \
    6 01010a0001060005,rvbd-probe EAD 0c05,nop,eol], length 0
12:33:06.884131 IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 3757738477, ack 272457 \
    9399, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1624809945 ecr 429483709 \
    8], length 0
12:33:06.884177 IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [.], seq 1, ack 1, win 1460, opt \
    ions [nop,nop,TS val 4294837098 ecr 1624809945], length 0
Client-side Asymmetry happens when the return traffic from the server-side Steelhead appliance bypasses the client-side Steelhead appliance and goes directly back to the client.
Figure 5.78. Client-side Asymmetry on the network map
.--------.
|        |<--------------------------------------.
|        |-----------.          SYN/ACK+         |
|        |    ACK    v                           |
|        |         .-------------.         .-------------.
|        |   SYN   |             |  SYN+   |             |         .--------.
| Client |-------->| Client-side |-------->| Server-side |         | Server |
|        |         |  Steelhead  |         |  Steelhead  |         |        |
|        |         |             |         |             |         '--------'
|        |         |             |         '-------------'
|        |         '-------------'
'--------'
With Client-side Asymmetry, the packets seen are the naked SYN packet on the LAN interface, the SYN+ packet on the WAN interfaces, a SYN/ACK+ on the WAN interface of the server-side Steelhead appliance and an ACK on the LAN interface of the client-side Steelhead appliance.
Figure 5.79. Client-side Asymmetry - Flow of packets
    Client               CSH                   SSH                Server
 1    ----- SYN ----->
 2                         ----- SYN+ ----->
 3    <---------------/ /-- SYN/ACK+ -----
 4    <---------------/ /-- SYN/ACK+ -----
 5    ----- ACK --------------------------------------------->
On the wire, it will look like this:
Figure 5.80. Client-side Asymmetry on the wire
CSH LAN
12:42:20.243577 IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [S], seq 2702983144, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3782775016 ecr 0,sackOK,eol], length 0
12:42:20.314239 IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [.], seq 2702983145, ack 2002052 \
    1, win 65535, options [nop,nop,TS val 3782775083 ecr 3782775016], length 0

CSH WAN
12:42:20.243692 IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [S], seq 2702983144, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3782775016 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
12:42:20.314349 IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [.], seq 2702983145, ack 2002052 \
    1, win 65535, options [nop,nop,TS val 3782775083 ecr 3782775016], length 0

SSH WAN
12:24:53.637086 IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [S], seq 2702983144, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3782775016 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
12:24:53.637205 IP 192.168.1.1.50 > 10.0.1.1.61242: Flags [S.], seq 20020520, ack 27029831 \
    45, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3782775016 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
12:24:53.637713 IP 192.168.1.1.50 > 10.0.1.1.61242: Flags [S.], seq 20020520, ack 27029831 \
    45, win 65535, options [mss 1460,nop,wscale 3,TS val 3782775016 ecr 0,sackOK,rvbd-prob \
    e AD CSH:10.0.1.6 SSH:192.168.1.6:7800 11110a000106c0a801061e78,rvbd-probe EAD 0e3d,no \
    p,eol], length 0
12:24:53.707892 IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [.], seq 1, ack 1, win 65535, op \
    tions [nop,nop,TS val 3782775083 ecr 3782775016], length 0
Figure 5.81. Client-side Asymmetry in the logs
CSH kernel: [intercept.WARN] asymmetric routing between 10.0.1.1:61242 and 192.168.1.1:50 \
    detected (no SYN/ACK)
Server-side Asymmetry happens when the return traffic from the server bypasses the server-side Steelhead appliance and goes directly to the client-side Steelhead appliance.
Figure 5.82. Server-side Asymmetry on the network map
.--------.
|        |         .-------------.          .-------------.
|        |   SYN   |             |   SYN+   |             |  SYN+   .--------.
| Client |-------->| Client-side |--------->| Server-side |-------->| Server |
|        |         |  Steelhead  |<---------|  Steelhead  |         |        |
|        |         |             | SYN/ACK+ |             |         '--------'
|        |         |             |          '-------------'            |
|        |         |             |                                     |
|        |         |             |                                     |
|        |         |             |<------------------------------------'
|        |         '-------------'              SYN/ACK
'--------'
With Server-side Asymmetry, the packets seen are the naked SYN packet on the LAN interface, the SYN+ and SYN/ACK+ packets on the WAN interfaces, a SYN+ on the LAN interface of the server-side Steelhead appliance and then a SYN/ACK on the client-side Steelhead appliance WAN interface.
Figure 5.83. Server-side Asymmetry - Flow of packets
    Client               CSH                   SSH                Server
 1    ----- SYN ----->
 2                         ----- SYN+ ------->
 3                         <---- SYN/ACK+ ----
 4                                               ----- SYN+ ----->
 5                         <------------------/ /--- SYN/ACK -----
On the wire, it will look like this:
Figure 5.84. Server-side Asymmetry on the wire
CSH LAN
10:51:35.610009 IP 10.0.1.1.65116 > 192.168.1.1.50: Flags [S], seq 3361390561, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3862289659 ecr 0,sackOK,eol], length 0
10:51:35.768643 IP 192.168.1.1.50 > 10.0.1.1.65116: Flags [S.], seq 64094818, ack 45721004 \
    4, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 493782756 ecr 1312273], len \
    gth 0

CSH WAN
10:51:35.610117 IP 10.0.1.1.65116 > 192.168.1.1.50: Flags [S], seq 3361390561, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3862289659 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
10:51:35.766684 IP 192.168.1.1.50 > 10.0.1.1.65116: Flags [S.], seq 20020520, ack 33613905 \
    62, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3862289659 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
10:51:35.769341 IP 192.168.1.1.50 > 10.0.1.1.65116: Flags [S.], seq 64094818, ack 45721004 \
    4, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 493782756 ecr 1312273], len \
    gth 0

SSH WAN
10:33:56.895288 IP 10.0.1.1.65116 > 192.168.1.1.50: Flags [S], seq 3361390561, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3862289659 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
10:33:56.895407 IP 192.168.1.1.50 > 10.0.1.1.65116: Flags [S.], seq 20020520, ack 33613905 \
    62, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3862289659 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0

SSH LAN
10:33:56.896551 IP 10.0.1.1.65116 > 192.168.1.1.50: Flags [S], seq 457210043, win 5840, op \
    tions [mss 1460,sackOK,TS val 1312273 ecr 0,nop,wscale 2,rvbd-probe AD CSH:10.0.1.6 01 \
    010a0001060005,rvbd-probe EAD 0c05,nop,eol], length 0
Figure 5.85. Server-side Asymmetry in the logs
CSH kernel: [intercept.WARN] asymmetric routing between 192.168.1.1:50 and 10.0.1.1:65116 \
    detected (invalid SYN/ACK)
Complete Asymmetry happens when the return traffic from the server bypasses both the Steelhead appliances and goes directly to the client.
Figure 5.86. Complete Asymmetry on the network map
.--------.
|        |         .-------------.          .-------------.
|        |   SYN   |             |   SYN+   |             |  SYN+   .--------.
| Client |-------->| Client-side |--------->| Server-side |-------->| Server |
|        |         |  Steelhead  |<---------|  Steelhead  |         |        |
|        |         |             | SYN/ACK+ |             |         '--------'
|        |         |             |          '-------------'               |
|        |         '-------------'                                        |
|        |    RST     ^                                                   |
|        |------------'                                                   |
|        |<---------------------------------------------------------------'
'--------'                          SYN/ACK
With Complete Asymmetry, the packets seen are the naked SYN packet on the LAN interface, the SYN+ packet on the WAN sides and the SYN/ACK+ on the WAN interface, a SYN+ on the server-side Steelhead appliance LAN interface and a RST on the client-side Steelhead appliance LAN interface.
Figure 5.87. Complete Asymmetry - Flow of packets
    Client               CSH                   SSH                Server
 1    ----- SYN ----->
 2                         ----- SYN+ ------->
 3                         <---- SYN/ACK+ ----
 4                                               ----- SYN+ ----->
 5    <---------------/ /-------------------/ /--- SYN/ACK -----
 6    ----- RST ----------------------------------------------->
On the wire, it will look like this:
Figure 5.88. Complete Asymmetry on the wire
CSH LAN
11:14:29.879623 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [S], seq 3888516971, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3863658656 ecr 0,sackOK,eol], length 0
11:14:29.953403 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [R], seq 1895386924, win 0, leng \
    th 0

CSH WAN
11:14:29.879773 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [S], seq 3888516971, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3863658656 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
11:14:29.953521 IP 192.168.1.1.50 > 10.0.1.1.65268: Flags [S.], seq 20020520, ack 38885169 \
    72, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3863658656 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
11:14:30.038356 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [R], seq 1895386924, win 0, leng \
    th 0

SSH WAN
10:56:51.168188 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [S], seq 3888516971, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3863658656 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
10:56:51.168305 IP 192.168.1.1.50 > 10.0.1.1.65268: Flags [S.], seq 20020520, ack 38885169 \
    72, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 3863658656 ecr 0,sackOK,n \
    op,nop,rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
10:56:51.317550 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [R], seq 1895386924, win 0, leng \
    th 0

SSH LAN
10:56:51.170499 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [S], seq 1895386923, win 5840, o \
    ptions [mss 1460,sackOK,TS val 2686747 ecr 0,nop,wscale 2,rvbd-probe AD CSH:10.0.1.6 0 \
    1010a0001060005,rvbd-probe EAD 0c05,nop,eol], length 0
10:56:51.317623 IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [R], seq 1895386924, win 0, leng \
    th 0
Figure 5.89. Complete Asymmetry in the logs
CSH kernel: [intercept.WARN] asymmetric routing between 10.0.1.1 and 192.168.1.1 detected \
    (bad RST)
SYN retransmit happens when the SYN+ packets get no answer, but the naked SYN, once it is forwarded, is answered by a SYN/ACK.
Figure 5.90. TCP SYN retransmit on the network map
.--------.
|        |         .-------------.          .-------------.
|        |   SYN   |             |   SYN+   |             |
| Client |-------->| Client-side |---->...  | Server-side |
|        |         |  Steelhead  |--------->|  Steelhead  |
|        |         |             |   SYN    |             |
|        |         |             |<---------|             |
|        |         |             | SYN/ACK  '-------------'
|        |         '-------------'
'--------'
With TCP SYN retransmit, the packets seen are the naked SYN packet on the LAN interface, two SYN+ packets and a naked SYN packet on the WAN interface of the client-side Steelhead appliance, only the naked SYN on the server-side Steelhead appliance WAN interface, and a SYN/ACK on the WAN interfaces of both the client-side and the server-side Steelhead appliances.
Figure 5.91. TCP SYN retransmit - Flow of packets
    Client               CSH                   SSH                Server
 1    ----- SYN ----->
 2                         ----- SYN+ --->...
 3                         ----- SYN+ --->...
 4                         ----- SYN ---------------------------->
 5    <------------------------------------------- SYN/ACK -----
On the wire, it will look like this:
Figure 5.92. TCP SYN retransmit on the wire
CSH LAN
CSH # tcpdump -ni lan0_0 port 50
tcpdump: WARNING: lan0_0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan0_0, link-type EN10MB (Ethernet), capture size 300 bytes
11:48:48.001687 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779692639 ecr 0,sackOK,eol], length 0
11:48:49.055780 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779693654 ecr 0,sackOK,eol], length 0
11:48:50.160832 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779694716 ecr 0,sackOK,eol], length 0
11:48:50.294530 IP 192.168.1.1.50 > 10.0.1.1.60961: Flags [S.], seq 3036249837, ack 116570 \
    4203, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1496970988 ecr 377969471 \
    6], length 0
11:48:50.297878 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [.], seq 1, ack 1, win 65535, op \
    tions [nop,nop,TS val 3779694847 ecr 1496970988], length 0

CSH WAN
CSH # tcpdump -ni wan0_0 port 50
tcpdump: WARNING: wan0_0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0_0, link-type EN10MB (Ethernet), capture size 300 bytes
11:48:48.001814 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779692639 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
11:48:49.055894 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779693654 ecr 0,sackOK,nop,nop,rvbd-pro \
    be AD CSH:10.0.1.6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
11:48:50.160937 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779694716 ecr 0,sackOK,eol], length 0
11:48:50.294456 IP 192.168.1.1.50 > 10.0.1.1.60961: Flags [S.], seq 3036249837, ack 116570 \
    4203, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1496970988 ecr 377969471 \
    6], length 0
11:48:50.297927 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [.], seq 1, ack 1, win 65535, op \
    tions [nop,nop,TS val 3779694847 ecr 1496970988], length 0

SSH WAN
SSH # tcpdump -ni wan0_0 port 50
tcpdump: WARNING: wan0_0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0_0, link-type EN10MB (Ethernet), capture size 300 bytes
11:48:50.230826 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, win 65535, \
    options [mss 1460,nop,wscale 3,nop,nop,TS val 3779694716 ecr 0,sackOK,eol], length 0
11:48:50.234423 IP 192.168.1.1.50 > 10.0.1.1.60961: Flags [S.], seq 3036249837, ack 116570 \
    4203, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1496970988 ecr 377969471 \
    6], length 0
11:48:50.365821 IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [.], seq 1, ack 1, win 65535, op \
    tions [nop,nop,TS val 3779694847 ecr 1496970988], length 0
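The client-side WAN captures shown for each case differ in a few recognisable ways, and the following added example (not part of the original text, and not Riverbed code) turns those differences into a heuristic that names the situation from a single CSH WAN capture. The function name, the verdict strings and the abbreviated sample packets are this example's own; it is a reading aid for captures, not the appliance's detection logic.

```python
import re

# One TCP packet as printed by `tcpdump -n`, with each packet unwrapped onto a single line.
PKT = re.compile(r"IP (?P<src>[\d.]+) > [\d.]+: Flags \[(?P<flags>[^\]]+)\]"
                 r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")

def classify_csh_wan(capture):
    """Heuristic verdict for one connection attempt seen on the client-side WAN interface."""
    client = syn_seq = None
    syns = probes = 0     # SYNs seen, and how many of them were SYN+ (carrying rvbd-probe)
    synack_plus = False   # SYN/ACK+ received from a server-side Steelhead
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m or (client is None and m["flags"] != "S"):
            continue      # not a TCP line, or it precedes the first SYN
        flags, probe = m["flags"], "rvbd-probe" in line
        if flags == "S":
            client, syn_seq = m["src"], int(m["seq"])
            syns, probes = syns + 1, probes + probe
        elif flags == "S." and probe:
            synack_plus = True
        elif flags == "S.":   # SYN/ACK without probe option: sent by the server itself
            if int(m["ack"]) != (syn_seq + 1) % 2**32:
                return "server-side asymmetry (invalid SYN/ACK)"
            if probes and syns > probes:
                return "SYN retransmit (probes filtered)"
            return "pass-through (no probe response)"
        elif flags == "R" and m["src"] == client:
            return "complete asymmetry (bad RST)"
        elif flags == "." and m["src"] == client and not synack_plus:
            return "client-side asymmetry (no SYN/ACK)"
    return "auto-discovery completed" if synack_plus else "incomplete capture"

# Constructed samples: CSH WAN packets abbreviated from the captures above (options trimmed).
SAMPLES = {
    "normal": """\
IP 10.0.1.1.61284 > 192.168.1.1.50: Flags [S], seq 1526534172, options [rvbd-probe AD CSH:10.0.1.6], length 0
IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 20020520, ack 1526534173, options [rvbd-probe EAD 0c01], length 0
IP 192.168.1.1.50 > 10.0.1.1.61284: Flags [S.], seq 20020520, ack 1526534173, options [rvbd-probe AD CSH:10.0.1.6 SSH:192.168.1.6:7800], length 0""",
    "client-side": """\
IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [S], seq 2702983144, options [rvbd-probe AD CSH:10.0.1.6], length 0
IP 10.0.1.1.61242 > 192.168.1.1.50: Flags [.], seq 2702983145, ack 20020521, win 65535, length 0""",
    "server-side": """\
IP 10.0.1.1.65116 > 192.168.1.1.50: Flags [S], seq 3361390561, options [rvbd-probe AD CSH:10.0.1.6], length 0
IP 192.168.1.1.50 > 10.0.1.1.65116: Flags [S.], seq 20020520, ack 3361390562, options [rvbd-probe EAD 0c01], length 0
IP 192.168.1.1.50 > 10.0.1.1.65116: Flags [S.], seq 64094818, ack 457210044, win 65535, length 0""",
    "complete": """\
IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [S], seq 3888516971, options [rvbd-probe AD CSH:10.0.1.6], length 0
IP 192.168.1.1.50 > 10.0.1.1.65268: Flags [S.], seq 20020520, ack 3888516972, options [rvbd-probe EAD 0c01], length 0
IP 10.0.1.1.65268 > 192.168.1.1.50: Flags [R], seq 1895386924, win 0, length 0""",
    "syn-retransmit": """\
IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, options [rvbd-probe AD CSH:10.0.1.6], length 0
IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, options [rvbd-probe AD CSH:10.0.1.6], length 0
IP 10.0.1.1.60961 > 192.168.1.1.50: Flags [S], seq 1165704202, options [sackOK,eol], length 0
IP 192.168.1.1.50 > 10.0.1.1.60961: Flags [S.], seq 3036249837, ack 1165704203, win 65535, length 0""",
}

for name, capture in SAMPLES.items():
    print(f"{name:15} -> {classify_csh_wan(capture)}")
```

The server-side case is recognised by the acknowledgement number: the server answered the SYN that the server-side Steelhead appliance sent on its LAN interface, so its SYN/ACK does not acknowledge the sequence number of the SYN the client-side appliance is tracking.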
Figure 5.93. TCP SYN retransmit in the logs
CSH kernel: [intercept.WARN] it appears as though probes from 10.0.1.1 to 192.168.1.1 are \
    being filtered. Passing through connections between these two hosts.
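For working through a larger system log, the four intercept warnings shown in Figures 5.81, 5.85, 5.89 and 5.93 can be normalised into one record per host pair. The following is an added example, not part of the original text or of any Riverbed tool; the function names are hypothetical, and the pairing of each log message with a reason from the asymmetric routing table of Figure 5.74 is this example's reading of the figures.

```python
import ipaddress
import re

# Log text -> (reason as listed by "show in-path asym-route-tab", form of asymmetry).
# Pairing each log message with a table reason is an assumption based on the figures.
REASONS = {
    "no SYN/ACK": ("no-SYNACK", "client-side asymmetry"),
    "invalid SYN/ACK": ("invalid-SYNACK", "server-side asymmetry"),
    "bad RST": ("bad-RST", "complete asymmetry"),
}
HOST = r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?"   # IPv4 address, port optional
ASYM = re.compile(rf"asymmetric routing between {HOST} and {HOST} detected \(([^)]+)\)")
FILTERED = re.compile(rf"probes from {HOST} to {HOST} are being filtered")

def unwrap(text):
    """Join lines that were wrapped with a trailing backslash."""
    return re.sub(r"[ \t]*\\[ \t]*\n[ \t]*", " ", text)

def parse_intercept_log(text):
    """Return [(sorted host pair, table reason, form)] for each intercept warning."""
    events = []
    for line in unwrap(text).splitlines():
        if "[intercept.WARN]" not in line:
            continue
        if m := ASYM.search(line):
            a, b, why = m.groups()
            reason, form = REASONS.get(why, (why, "unknown"))
        elif m := FILTERED.search(line):
            (a, b), reason, form = m.groups(), "probe-filtered(not-AR)", "SYN retransmit"
        else:
            continue
        # The log names the endpoints in either order; sort so a pair always compares equal.
        pair = tuple(sorted((a, b), key=ipaddress.ip_address))
        events.append((pair, reason, form))
    return events

# The log lines from Figures 5.81, 5.85, 5.89 and 5.93, with the wrapping used in the figures.
SAMPLE_LOG = r"""
CSH kernel: [intercept.WARN] asymmetric routing between 10.0.1.1:61242 and 192.168.1.1:50 \
    detected (no SYN/ACK)
CSH kernel: [intercept.WARN] asymmetric routing between 192.168.1.1:50 and 10.0.1.1:65116 \
    detected (invalid SYN/ACK)
CSH kernel: [intercept.WARN] asymmetric routing between 10.0.1.1 and 192.168.1.1 detected \
    (bad RST)
CSH kernel: [intercept.WARN] it appears as though probes from 10.0.1.1 to 192.168.1.1 are \
    being filtered. Passing through connections between these two hosts.
"""

for pair, reason, form in parse_intercept_log(SAMPLE_LOG):
    print(f"{pair[0]} <-> {pair[1]}: {reason:24} {form}")
```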