Getting Abnormal SYN-Flood Messages on Citrix ADC

Article ID: CTX238076

Description

Citrix ADC logs abnormal synflood SNMP traps in ns.log:

Jul  5 15:25:27 <local0.info> 10.15.48.2 07/05/2018:06:25:27 GMT NS001 0-PPE-2 : default SNMP TRAP_SENT 98 0 :  synflood (unackSynCount = "18446744073709551615", alarmHighThreshold = 20, nsPartitionName = default)
Jul  5 15:25:41 <local0.info> 10.1.1.1 07/07/2018:06:25:41 GMT NS001 0-PPE-2 : default SNMP TRAP_SENT 99 0 :  synfloodNormal (unackSynCount = "0", alarmNormalThreshold = 1, nsPartitionName = default)

In addition, the value of the tcp_tot_ClientOpen counter becomes higher than the value of the tcp_tot_syn counter:

[/var/nslog]$ nsconmsg111 -K newnslog.120/ -d current -s disptime=1 -s time=19JUL2018:06:38:00 -g tcp_tot_syn -g tcp_tot_ClientOpen

Display start time set to Thu Jul 19 06:38:00 2018
Displaying performance information
NetScaler V20 Performance Data
NetScaler NS11.1: Build 56.19.nc, Date: Dec 10 2017, 03:28:34
reltime:mili second between two records Thu Jul 19 06:38:10 2018

  Index   rtime totalcount-val      delta rate/sec symbol-name&device-no&time
      0  105000          49984          6        0 tcp_tot_ClientOpen  Thu Jul 19 06:38:10 2018
      1       0          49981          1        0 tcp_tot_syn  Thu Jul 19 06:38:10 2018
      2    7000          49991          7        1 tcp_tot_ClientOpen  Thu Jul 19 06:38:17 2018
      3       0          49988          7        1 tcp_tot_syn  Thu Jul 19 06:38:17 2018

Resolution

This behavior matches issue ID 697457, which states that dummy PCBs can increment the tcp_tot_ClientOpen counter and cause this problem. The fix ensures that dummy PCBs do not increment the tcp_tot_ClientOpen counter. According to the issue, it appears that HTTP callout, or STA code that uses the HTTP callout infrastructure, creates a dummy client connection, which causes this kind of issue. Even if Gateway is not used in the environment, any feature that uses the HTTP callout infrastructure could cause the issue:
 

      1    6995              6          1        0 tcp_tot_dummy_pcb  Fri Jul 13 05:45:43 2018
      2       0              6          1        0 hc_tot_http_callout  Fri Jul 13 05:45:43 2018
 

Fix 

The fix is available from build 11.1-57.13:
  • False SNMP alarms for SYN flood are reported when the NetScaler Gateway appliance is deployed in an ICA Proxy mode and session reliability functionality is enabled.

    [From Build 57.13]
    [# 697457]

    Citrix Documentation - Release Notes for Build 58.13 of NetScaler 11.1 Release

Workaround

The counters must be corrected to stop the false SNMP traps from being generated. Rebooting the device should correct the counters; however, if the counter mismatch happens again, the SNMP traps will be generated again.

Problem Cause

The value of the tcp_tot_ClientOpen counter becomes higher than the value of the tcp_tot_syn counter.
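
Added example (not Citrix code): a Python triage helper for the two symptoms described above. It flags synflood traps whose unackSynCount is negative when read as a signed 64-bit integer, and nsconmsg samples where tcp_tot_ClientOpen exceeds tcp_tot_syn. The function names, verdict labels, the third trap line and the second counter pair are constructed for illustration; treating a value with the top bit set as a counter artifact rather than a real backlog is an assumption.

```python
import re

# Sample input in the two formats shown above. The third trap line and the
# second counter pair are constructed for this example.
SAMPLE_TRAPS = '''\
Jul  5 15:25:27 <local0.info> 10.15.48.2 07/05/2018:06:25:27 GMT NS001 0-PPE-2 : default SNMP TRAP_SENT 98 0 :  synflood (unackSynCount = "18446744073709551615", alarmHighThreshold = 20, nsPartitionName = default)
Jul  5 15:25:41 <local0.info> 10.1.1.1 07/07/2018:06:25:41 GMT NS001 0-PPE-2 : default SNMP TRAP_SENT 99 0 :  synfloodNormal (unackSynCount = "0", alarmNormalThreshold = 1, nsPartitionName = default)
Jul  5 16:02:10 <local0.info> 10.15.48.2 07/05/2018:07:02:10 GMT NS001 0-PPE-2 : default SNMP TRAP_SENT 100 0 :  synflood (unackSynCount = "3500", alarmHighThreshold = 20, nsPartitionName = default)
'''
SAMPLE_COUNTERS = '''\
      0  105000          49984          6        0 tcp_tot_ClientOpen  Thu Jul 19 06:38:10 2018
      1       0          49981          1        0 tcp_tot_syn  Thu Jul 19 06:38:10 2018
      2    7000          50100          7        1 tcp_tot_ClientOpen  Thu Jul 19 06:38:17 2018
      3       0          50230          7        1 tcp_tot_syn  Thu Jul 19 06:38:17 2018
'''

TRAP_RE = re.compile(r'synflood \(unackSynCount = "(\d+)", alarmHighThreshold = (\d+)')
ROW_RE = re.compile(r'^\s*\d+\s+\d+\s+(\d+)\s+\d+\s+\d+\s+(tcp_tot_ClientOpen|tcp_tot_syn)\s+(.+?)\s*$')

def classify_synflood_traps(log_text):
    """Return (unackSynCount, signed 64-bit view, verdict) per synflood trap."""
    results = []
    for count, threshold in TRAP_RE.findall(log_text):
        count, threshold = int(count), int(threshold)
        # Assumption: a value with the top bit set is an unsigned counter that
        # went below zero, not a real backlog of ~2**64 unacknowledged SYNs.
        signed = count - (1 << 64) if count >= (1 << 63) else count
        verdict = ("counter-mismatch" if signed < 0
                   else "investigate" if count >= threshold else "below-threshold")
        results.append((count, signed, verdict))
    return results

def mismatched_samples(nsconmsg_text):
    """Return timestamps where tcp_tot_ClientOpen exceeds tcp_tot_syn."""
    samples = {}
    for line in nsconmsg_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            samples.setdefault(m.group(3), {})[m.group(2)] = int(m.group(1))
    return [ts for ts, c in samples.items()
            if len(c) == 2 and c["tcp_tot_ClientOpen"] > c["tcp_tot_syn"]]

if __name__ == "__main__":
    print(classify_synflood_traps(SAMPLE_TRAPS))
    print(mismatched_samples(SAMPLE_COUNTERS))
```

A trap classified as "investigate" carries a plausible count above the alarm threshold and should be handled as a possible real SYN flood, while "counter-mismatch" traps point to the counter problem described in this article.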