CacheFlow is reporting bypassed traffic that is not captured in the dynamic bypass list

Article ID: 165432

Products

CF-5000 CF-500

Issue/Introduction

This specific problem occurs when the CacheFlow is in a transparent deployment, reflect-client-ip is enabled, and the appliance receives reverse asymmetrically routed traffic. The CacheFlow has several triggers that cause traffic to be dynamically bypassed. These include user policy, asymmetrically routed traffic, non-HTTP traffic, connect errors, receive errors and 5xx errors.

In the traditional sense, asymmetrically routed traffic is defined as client traffic that gets proxied by the CacheFlow and sent to the OCS, while the return traffic from the OCS is sent directly to the client. The CacheFlow adds this traffic to the dynamic bypass list when it detects a TCP RST packet sent by a client involved in the asymmetric routing.

Reverse asymmetric routing happens when the CacheFlow is not involved in the initiation of the connection to the OCS but return traffic from the OCS is sent to the CacheFlow. Currently there are no triggers defined in the CacheFlow to capture this problem. BlueCoat is investigating the possibility of adding a new trigger.

Resolution

To troubleshoot and resolve the reverse asymmetric routing problem, perform the following steps:

1. Disable dynamic bypass
#conf t
#(config)proxy-services
#(config proxy-services)dynamic-bypass
#(config dynamic-bypass)disable

2. Clear dynamic bypass list
#(config dynamic-bypass)clear

3. Change the resource overflow action to drop
#(config)resource-overflow-action drop

4. Look to see if there is any bypassed traffic in the GUI's monitor page and via CLI command
#show proxy-services dynamic-bypass

5. If there is bypassed traffic visible in the GUI but not in the CLI, take a packet capture (PCAP) on the CacheFlow with the following filter. It captures only packets with the SYN flag set, i.e. SYN and SYN/ACK packets:
#pcap filter expr "tcp[13] & 2 = 2"
#pcap start

6. After a sufficient amount of time has passed, stop the PCAP and transfer it off the box to a system with Wireshark installed.
This can be done from the CLI:
#pcap stop
#pcap transfer ftp://x.x.x.x/pcap.pcap  <username> <password>

Or from the GUI's advanced URL:
https://x.x.x.x:8082/PCAP/statistics

7. Once downloaded, apply the following display filter to the packet capture. ***Note: eth.addr is the MAC address of the CacheFlow interface where client traffic traverses***
tcp.port eq 80 and (eth.addr eq 00:00:00:00:00:00 and tcp.flags.syn eq 1 and tcp.flags.ack eq 1)

8. Sort the packets by Destination Port

9. Analyze the PCAP by looking for SYN/ACK packets (OCS -> client) that have the same destination port when traversing the CacheFlow. This indicates that the traffic is bypassed.

10. Fix the problem at the source. This will most likely be a misconfigured access list.
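As an added illustration of steps 7 to 9, and not part of the original article, the script below applies the same check to constructed packet records: it keeps only traffic on the CacheFlow's client-side interface (the MAC address, IPs and ports are placeholders) and flags SYN/ACK packets from port 80 that have no earlier client SYN in the capture, which is the pattern a reverse asymmetric flow leaves behind. It generalises the manual sort-and-compare to any number of flows.

```python
from dataclasses import dataclass

# Constructed placeholder for the MAC of the CacheFlow interface facing clients
# (the value step 7 tells you to put in the eth.addr filter).
CACHEFLOW_MAC = "00:11:22:33:44:55"


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured frame: Ethernet, IP and TCP header fields."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool


def find_reverse_asymmetric(packets, cacheflow_mac):
    """Return (client_ip, client_port, ocs_ip) for every SYN/ACK from port 80
    seen on the CacheFlow client-side interface whose client SYN never
    traversed that interface earlier in the capture."""
    seen_syn = set()   # (client_ip, client_port, ocs_ip) of SYNs that passed through
    suspects = []
    for p in packets:
        if cacheflow_mac not in (p.src_mac, p.dst_mac):
            continue  # other interface: outside the eth.addr filter of step 7
        if p.syn and not p.ack and p.dst_port == 80:
            seen_syn.add((p.src_ip, p.src_port, p.dst_ip))
        elif p.syn and p.ack and p.src_port == 80:
            flow = (p.dst_ip, p.dst_port, p.src_ip)
            if flow not in seen_syn:   # return traffic with no matching forward SYN
                suspects.append(flow)
    return suspects


# Constructed sample capture: one normally proxied flow, one reverse
# asymmetric flow (SYN/ACK arrives, SYN never did) and one frame on another interface.
SAMPLE = [
    Packet("aa:aa:aa:aa:aa:01", CACHEFLOW_MAC, "10.0.0.5", "203.0.113.10", 40000, 80, True, False),
    Packet(CACHEFLOW_MAC, "aa:aa:aa:aa:aa:01", "203.0.113.10", "10.0.0.5", 80, 40000, True, True),
    Packet("bb:bb:bb:bb:bb:02", CACHEFLOW_MAC, "198.51.100.7", "10.0.0.9", 80, 51000, True, True),
    Packet("cc:cc:cc:cc:cc:03", "dd:dd:dd:dd:dd:04", "10.0.0.6", "203.0.113.11", 40001, 80, True, False),
]

if __name__ == "__main__":
    for client_ip, client_port, ocs_ip in find_reverse_asymmetric(SAMPLE, CACHEFLOW_MAC):
        print(f"reverse asymmetric candidate: {ocs_ip}:80 -> {client_ip}:{client_port}")
```

Each reported tuple identifies a client and OCS pair whose forward path does not pass the CacheFlow, which points at the access list to inspect in step 10.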