[c-nsp] Thousands of tcp sessions stuck in TIMEWAIT

Joe Freeman joe at netbyjoe.com
Sun May 15 08:49:55 EDT 2011


It's all webvpn redirected traffic, from port 443 on the external interface
to sites all over, on various high ports.

I've also noticed that the sessions stuck in TIMEWAIT all show 0
retransmits, and the TIMEWAIT timer is always less than the clock timer
shown in the 'show tcp' output.

I'm really thinking it's a webvpn related bug, but I can't find one in the
bug tool for 12.4-24(T5) on the 1841 in the advsecurity feature set.

I'm about to the point where I'm going to create a TCL script and use the
event scheduler just to clear the TIMEWAIT sessions every 12 hours or so.

Thanks-
Joe

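The scheduled clean-up mentioned above can be done with an EEM applet instead of a TCL script. This is an added example, not configuration from the original post; the 1000-session threshold, the applet name and the 12-hour cron schedule are assumptions, and it uses the `| count` filter and the `regexp` action, both present in the 12.4(24)T EEM.

```ios
! Assumed EEM applet: count TIMEWAIT TCBs every 12 hours and only run
! "clear tcp tcb *" (which drops ALL sessions) when a threshold is exceeded.
! maxrun is raised because "show tcp brief" was reported to take ~6 minutes
! with thousands of TCBs; the EEM default of 20 seconds would abort the applet.
event manager applet CLEAR-TIMEWAIT-TCB
 event timer cron cron-entry "0 0,12 * * *" maxrun 600
 action 1.0 cli command "enable"
 action 2.0 cli command "show tcp brief | count TIMEWAIT"
 ! Output looks like "Number of lines which match regexp = 4213"
 action 3.0 regexp "= ([0-9]+)" "$_cli_result" match count
 action 3.1 if $_regexp_result eq 0
 action 3.2  syslog priority errors msg "TIMEWAIT check: could not parse show tcp output"
 action 3.3  exit 1
 action 3.4 end
 ! Threshold of 1000 is a constructed value; tune to the box's normal load.
 action 4.0 if $count gt 1000
 action 4.1  syslog priority warnings msg "TIMEWAIT TCBs: $count, clearing all TCBs"
 action 4.2  cli command "clear tcp tcb *"
 action 4.3 else
 action 4.4  syslog priority informational msg "TIMEWAIT TCBs: $count, no action"
 action 4.5 end
```

Because `clear tcp tcb *` also drops healthy sessions (as noted in the original post), the syslog lines give a record of each forced clear so the workaround can be correlated with user complaints while the underlying webvpn bug is chased.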
On Sun, May 15, 2011 at 2:57 AM, Keegan Holley <keegan.holley at sungard.com>wrote:

> what ports? can you post some of it?
>
>
>
> On Fri, May 13, 2011 at 8:46 PM, Kevin Graham <
> kgraham at industrial-marshmallow.com> wrote:
>
>> vty access lists along with login max-failure? (guessing somewhat blindly
>> without visibility into what the active tcb's were)
>>
>> [sent from my mobile]
>>
>> On May 11, 2011, at 7:47 AM, Joe Freeman <joe at netbyjoe.com> wrote:
>>
>> > I have a customer with an 1841 doing webvpn, running
>> advsecurity-12.4-24.T5.
>> > They have been randomly losing the ability to connect to resources
>> through
>> > this unit.
>> >
>> > A show tcp brief reveals that there are thousands of sockets stuck in
>> > TIMEWAIT. In fact it took almost six minutes for the show tcp brief to
>> dump
>> > its output to a file in flash:.
>> >
>> > A clear tcp tcb * will, of course wipe out all the connections and allow
>> the
>> > customer to resume making connections for a time.
>> >
>> > Anyone have any thoughts on how I should troubleshoot this further, or
>> even
>> > better, thoughts as to resolution?
>> >
>> > Thanks-
>> > Joe
>> > _______________________________________________
>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
>

