4.13. LAN and WAN cable switched

The processing of new TCP sessions depends of which interface the naked SYN (TCP SYN packet without an auto-discovery probe) gets received. If the naked SYN comes in via the WAN interface, then the Steelhead appliance will not process the packet but just forward it, marking the pass-through session as SYN on WAN side. Only if the naked SYN comes in via the LAN interface, the Steelhead appliance will check what to do with it via the In-path Rules and, if allowed, perform auto-discovery for it.

If the Steelhead appliance is wrongly cabled, with the LAN interface to the WAN router and the WAN interface to the LAN switch, no traffic coming from the LAN will be optimized.

There are two ways to determine this issue is happening: A visual inspection and a tcpdump with ping approach.

4.13.1. Visual check

The instructions are very simple: Walk to the Steelhead appliance, find the cable connected to the LAN interface and follow it all the way to the next device. If it is the router you expect to be on the WAN interface, then the cable is swapped.

4.13.2. Tcpdump and ping check

This will require three CLI sessions on the Steelhead appliance.

In the first CLI session, run tcpdump on the LAN interface. In the second CLI session, run tcpdump on the WAN interface. In the third CLI session, ping the IP address of a host which traffic doesn't get optimized.

Figure 4.27. Three CLI sessions for troubleshooting

SH # tcpdump -ni lan0_0 '(icmp and host 10.0.1.1) or (vlan and icmp and host 10.0.1.1)'

SH # tcpdump -ni wan0_0 '(icmp and host 10.0.1.1) or (vlan and icmp and host 10.0.1.1)'

SH # ping -I 10.0.1.6 10.0.1.1

We expect this ICMP Echo Request traffic to show up on the tcpdump output of the lan0_0 interface. In the scenario where the LAN and WAN cables are swapped, the ICMP Echo Request and ICMP Echo Reply packets show up on the WAN interface.

4.13.2.1. ICMP Echo Request and Echo Reply show up on the WAN interface.

When both the ICMP Echo Request and ICMP Echo Reply packets are seen up on the WAN interface, which indicates that the host is located behind the WAN interface of the Steelhead appliance.

Figure 4.28. ICMP Echo Request and Echo Reply show up on the WAN interface.

SH # ping -I 10.0.1.6 10.0.1.1
PING 10.0.1.6 (10.0.1.6) from 10.0.1.6 : 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=0 ttl=63 time=2 ms
64 bytes from 10.0.1.1: icmp_seq=1 ttl=63 time=1 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=63 time=1 ms

SH # tcpdump -ni lan0_0 '(icmp and host 10.0.1.1) or (vlan and icmp and host 10.0.1.1)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan0_0, link-type EN10MB (Ethernet), capture size 96 bytes

SH # tcpdump -ni wan0_0 '(icmp and host 10.0.1.1) or (vlan and icmp and host 10.0.1.1)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0_0, link-type EN10MB (Ethernet), capture size 96 bytes
08:22:05.703095 IP 10.0.1.6 > 10.0.1.1: ICMP echo request, id 9738, seq 0, length 64
08:22:05.719544 IP 10.0.1.1 > 10.0.1.6: ICMP echo reply, id 9738, seq 0, length 64
08:22:06.728721 IP 10.0.1.6 > 10.0.1.1: ICMP echo request, id 9738, seq 1, length 64
08:22:06.736897 IP 10.0.1.1 > 10.0.1.6: ICMP echo reply, id 9738, seq 1, length 64
08:22:07.752379 IP 10.0.1.6 > 10.0.1.1: ICMP echo request, id 9738, seq 2, length 64
08:22:07.762682 IP 10.0.1.1 > 10.0.1.6: ICMP echo reply, id 9738, seq 2, length 64

In this case it is clear that the host is on the WAN side of the Steelhead appliance and therefore the naked SYN packet never gets processed.