5.20. Network monitoring and network management systems

5.20.1. Network Management Systems

Network Management Systems and Network Monitoring Systems can be confused by the changes the Steelhead appliances make to the network. For example, the latency optimization might reply to requests much faster than the server would, giving the impression that the network and the server are fine.

Since there are now two networks to be monitored, an optimized one and a non-optimized one, there should be two network management systems: one that monitors the services via optimized TCP sessions and one that monitors the services via unoptimized TCP sessions. The unoptimized TCP sessions can be obtained by adding a pass-through in-path rule for traffic from that network management host on its local Steelhead appliance.

The two network management systems should report the same status for the remote machines or services: working, failure or unavailable. If the statuses differ, there could be a problem with a part of the network, with the services, or with the optimization service.
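The comparison described above, as an added example that is not part of this documentation or of any Riverbed tool: two constructed status reports (one from the monitor probing through optimized sessions, one from the monitor probing through pass-through sessions) are reconciled per host and service, and every disagreement is classified. The report format, the host names and the verdict rules are assumptions made for this example; the rules follow the text's observation that latency optimization can answer a probe locally, so a "working" result on the optimized path alongside a failure on the unoptimized path points at the server or the WAN, while the reverse points at the optimization service.

```python
"""Reconcile the status reports of two monitoring systems, one probing services
through optimized TCP sessions and one through pass-through (unoptimized)
sessions. Added example, not from the Riverbed documentation; the report
format, host names and the verdict rules are constructed for illustration."""

# Constructed sample reports. Assumed line format:
#   <monitor> <host> <service> <status>      status: working | failure
# A (host, service) pair that one monitor does not report is "unavailable".
OPTIMIZED_REPORT = """\
opt fileserver-1 cifs working
opt fileserver-1 http working
opt mail-1 smtp working
opt db-1 tds failure
opt web-2 http failure
"""

UNOPTIMIZED_REPORT = """\
raw fileserver-1 cifs working
raw fileserver-1 http failure
raw mail-1 smtp failure
raw db-1 tds failure
raw web-2 http working
raw intranet-1 http working
"""


def parse_report(text):
    """Return {(host, service): status} for one monitor's report."""
    statuses = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        _monitor, host, service, status = parts
        statuses[(host, service)] = status
    return statuses


def verdict(opt_status, raw_status):
    """Interpret one pair of statuses (rules assumed for this example).

    The optimized probe can be answered locally by latency optimization, so
    "working" on that path while the unoptimized path fails points at the
    server or the WAN; the reverse points at the optimization service.
    """
    if "unavailable" in (opt_status, raw_status):
        return "monitoring-gap"          # probed by only one of the two systems
    if opt_status == raw_status:
        return "consistent"
    if opt_status == "working" and raw_status == "failure":
        return "masked-failure"          # check the WAN path and the server
    return "optimization-suspect"        # unoptimized path fine, optimized path not


def reconcile(opt_text, raw_text):
    """Return {(host, service): (opt_status, raw_status, verdict)} for every
    pair seen by either monitor."""
    opt = parse_report(opt_text)
    raw = parse_report(raw_text)
    result = {}
    for key in sorted(set(opt) | set(raw)):
        o = opt.get(key, "unavailable")
        r = raw.get(key, "unavailable")
        result[key] = (o, r, verdict(o, r))
    return result


def discrepancies(opt_text, raw_text):
    """Only the pairs whose two views disagree, for the on-call engineer."""
    return {k: v for k, v in reconcile(opt_text, raw_text).items()
            if v[2] != "consistent"}


if __name__ == "__main__":
    for (host, service), (o, r, v) in reconcile(OPTIMIZED_REPORT, UNOPTIMIZED_REPORT).items():
        print(f"{host:14} {service:6} optimized={o:11} unoptimized={r:11} -> {v}")
```

A host that only one of the two monitors probes is reported as a monitoring gap rather than silently treated as consistent, since the whole point of the second system is that every service is seen from both paths.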

5.20.2. Network Probing Systems

Network mappers and port scanners, like the nmap utility, work by sending out a large number of TCP SYN packets to multiple ports on a single host or to a single port on multiple hosts, all within a short time. On an unoptimized network this is cheap because the packets are small. On an optimized network these TCP SYN packets cause a lot of work on the Steelhead appliances: optimized TCP sessions have to be set up and latency optimization has to be initialized. As a result, the Steelhead appliance can raise alarms about connection-based admission control and high CPU.

OS fingerprinting will be incorrect because the TCP/IP stack the scanner is talking to is the Steelhead appliance's, not the remote server's.

The best practice is to exempt the traffic from port scanners and network mappers from optimization via a pass-through in-path rule on the Steelhead appliance closest to them.
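To know which source addresses need that pass-through rule, the scanner hosts first have to be found. The following is an added example, not code from this documentation or from Riverbed, that detects the two SYN patterns described above (many ports on one host, one port on many hosts) in connection records: for each source it counts the distinct (destination, port) targets its SYNs reached inside a sliding time window. The record format, the addresses, the window length and the threshold are all constructed assumptions.

```python
"""Spot SYN bursts from network mappers and port scanners in connection
records so that their source addresses can be given a pass-through in-path
rule. Added example, not Riverbed code; the record format and all addresses
are constructed."""
from collections import Counter, defaultdict, deque


def constructed_sample():
    """Records as (time_s, src, dst, dport, flags); flags "S" = SYN, "SA" = SYN/ACK."""
    recs = [
        # An ordinary client: a few connections spread over a minute.
        (0.0, "10.1.1.50", "10.2.0.10", 445, "S"),
        (0.1, "10.2.0.10", "10.1.1.50", 40000, "SA"),
        (12.0, "10.1.1.50", "10.2.0.10", 80, "S"),
        (40.0, "10.1.1.50", "10.2.0.11", 443, "S"),
    ]
    # Port scan: one host, many ports, within about a second.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        recs.append((100.0 + 0.1 * i, "10.1.1.99", "10.2.0.10", port, "S"))
    # Host sweep: one port, many hosts, within about a second.
    for i in range(1, 13):
        recs.append((200.0 + 0.1 * i, "10.1.1.98", f"10.2.0.{i}", 445, "S"))
    return recs


def find_syn_bursts(records, window_s=10.0, threshold=10):
    """Return {src: peak} for sources whose SYNs reached `threshold` or more
    distinct (dst, dport) targets inside any `window_s`-second span.

    Counting distinct targets covers both scan shapes from the text: many
    ports on one host and one port on many hosts.
    """
    recent = defaultdict(deque)    # src -> (time, target) still inside the window
    live = defaultdict(Counter)    # src -> how many queued SYNs per target
    peak = defaultdict(int)
    for t, src, dst, dport, flags in sorted(records, key=lambda r: r[0]):
        if flags != "S":
            continue               # only client SYNs, not SYN/ACK replies
        q, c = recent[src], live[src]
        target = (dst, dport)
        q.append((t, target))
        c[target] += 1
        while q and t - q[0][0] > window_s:   # expire SYNs older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        peak[src] = max(peak[src], len(c))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(find_syn_bursts(constructed_sample()).items()):
        print(f"{src}: {n} distinct targets within 10 s, candidate for a pass-through rule")
```

The ordinary client in the sample never exceeds three distinct targets, so only the two scanning hosts are returned; those are the addresses for which the pass-through in-path rule on their local Steelhead appliance would be written.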

5.20.3. Spanning VLANs

The spanning (port mirroring) feature on routers and switches copies all traffic coming into and going out of an interface or a VLAN and forwards the copy out via a physical interface, or via a spanning VLAN defined specifically for this kind of traffic.

In a network without Steelhead appliances, this forwarding over a VLAN works fine because there is usually nothing in the path that cares about it, except for some firewalls.

In a network with Steelhead appliances, if the traffic going over that spanning VLAN reaches the Steelhead appliance, it can confuse the appliance in the following ways:

  • The simplified routing feature might learn the MAC address on the wrong interface and forward packets out of the wrong interface.

  • The optimization service will count the packets twice in the statistics of the Current Connections list.

  • If the TCP SYN packets are forwarded through the Steelhead appliance again, the client's real second TCP SYN will be seen as the third TCP SYN and the Steelhead appliance will put that TCP session into pass-through too early.

If the spanning VLAN has to go over the WAN, make sure it leaves the local network without touching the Steelhead appliance.

Figure 5.158. The right location for a spanning VLAN on a switch

     .-,(  ),-.    
  .-(          )-. 
 (       WAN      )
  '-(          ).-'
      '-.( ).-'    
          ^      __________    Steelhead       __________ 
          |     [          ]    _________     [          ]
          |     [          ]<--[_________]<---[          ]
          '-----[          ]                  [          ]
                [          ]<-----------------[          ]
                [_...__...o]    Spanning      [_...__....]
                   Router       VLAN             Switch
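The third bullet above (the client's real second SYN being counted as the third) can be made concrete with a small model. The following is an added example, not Riverbed's code and not RiOS's actual session-setup logic: a deliberately simplified tracker that counts SYNs per session until a SYN/ACK is seen and, at an assumed threshold of three SYNs, gives up on optimization and passes the session through. The same connection attempt (SYN, one retransmitted SYN, then the SYN/ACK) is fed once as it would arrive normally and once with each client SYN also re-entering via the spanning VLAN; the addresses and the threshold are constructed assumptions.

```python
"""Model of the SYN-counting failure mode described for spanning VLANs: a
client's SYN that re-enters the appliance via the spanning VLAN is counted as
a second SYN, so the client's real retransmission looks like the third one.
Added example; the tracker is a deliberately simplified model for this
page, not RiOS's actual session-setup logic, and the threshold is assumed."""
from collections import Counter

PASSTHROUGH_AFTER_SYNS = 3   # assumed: third SYN with no SYN/ACK seen => pass-through


class SynTracker:
    def __init__(self, passthrough_after=PASSTHROUGH_AFTER_SYNS):
        self.syns = Counter()      # client 4-tuple -> SYNs seen before a SYN/ACK
        self.state = {}            # client 4-tuple -> setting-up | optimized | pass-through
        self.passthrough_after = passthrough_after

    def see(self, pkt):
        """Feed one packet; return the session's state afterwards."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SA":
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # client's tuple
            if self.state.get(key) == "setting-up":
                self.state[key] = "optimized"       # handshake completed in time
            return self.state.get(key)
        if self.state.get(key) in ("optimized", "pass-through"):
            return self.state[key]                  # decision already made
        self.syns[key] += 1
        self.state[key] = ("pass-through" if self.syns[key] >= self.passthrough_after
                           else "setting-up")
        return self.state[key]


CLIENT_TUPLE = ("10.1.1.50", 40000, "10.2.0.10", 445)   # constructed addresses


def client_syn():
    return {"src": "10.1.1.50", "sport": 40000, "dst": "10.2.0.10", "dport": 445, "flags": "S"}


def server_synack():
    return {"src": "10.2.0.10", "sport": 445, "dst": "10.1.1.50", "dport": 40000, "flags": "SA"}


def connection_outcome(mirrored):
    """One connection attempt: the client's SYN, one retransmitted SYN, then the
    server's SYN/ACK. With mirrored=True every client SYN reaches the appliance
    twice, the original and the copy forwarded out via the spanning VLAN.
    Returns (final state, number of SYNs the tracker counted)."""
    tracker = SynTracker()
    stream = []
    for syn in (client_syn(), client_syn()):
        stream.append(syn)
        if mirrored:
            stream.append(dict(syn, via="spanning-vlan"))
    stream.append(server_synack())
    state = None
    for pkt in stream:
        state = tracker.see(pkt)
    return state, tracker.syns[CLIENT_TUPLE]


if __name__ == "__main__":
    print("without spanning VLAN leakage:", connection_outcome(mirrored=False))
    print("with spanning VLAN leakage:   ", connection_outcome(mirrored=True))
```

Without leakage the tracker has counted two SYNs when the SYN/ACK arrives and the session is optimized; with leakage the first SYN and its mirrored copy already account for two, so the client's genuine retransmission is the third and the session has been passed through before the SYN/ACK ever arrives. Keeping the spanning VLAN away from the appliance, as the figure shows, is what removes the duplicate.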