NetScaler-13.1- NetScaler sends RST 8201 when the first data packet received by LB vserver is out-of-order

Article ID: CTX695832

Description

You may notice that NetScaler sends RST 8201 when the first data packet received by an HTTP/SSL LB virtual server is out of order.

In the following screenshot, packet 77654 is the first data packet received by the HTTP LB virtual server, but it is an out-of-order packet. The packet with the correct order is actually packet 77657.

We can see that NetScaler sent a reset after receiving packets 77654/77655, and the reset code is 8201.

[Screenshot: image.png]

Cause

When the first data packet arrives out of order at the NetScaler, it is expected that the NetScaler will send reset code 8201 due to SYN cookie protection.

Resolution

To avoid the reset when the first data packet is out of order, we can create a TCP profile with "-EstablishClientConn CONN_ESTABLISHED" and bind it to the LB vServer.

add ns tcpProfile tcp_profile -EstablishClientConn CONN_ESTABLISHED
set lb vserver <vserver> -tcpProfileName tcp_profile

By default, SYN cookie is enabled and EstablishClientConn is set to ON_FIRST_DATA for HTTP LB vservers. This means NetScaler allocates system memory for a TCP connection only upon receiving an HTTP request for the HTTP LB vserver. However, this triggers reset code 8201 when the first data packet is out of order.

If we change EstablishClientConn to CONN_ESTABLISHED, NetScaler allocates system memory for the TCP connection on the last ACK. In this situation, NetScaler can save the out-of-order packets in memory and wait for the packets that are in the correct order.
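To confirm from a trace that resets match this pattern before changing the TCP profile, the following added example (not part of the Citrix article) flags flows where the first client data segment does not start at ISN+1 and the vserver then resets with code 8201. The record layout, the addresses, the `rst_code` field and all sample packets are constructed assumptions; map them to whatever your trace tool exports.

```python
from collections import namedtuple

# Constructed, simplified trace records (not taken from the article's capture).
# rst_code: reset code as reported by your trace tool; None for non-RST packets.
Pkt = namedtuple("Pkt", "no src dst flags seq length rst_code")

VIP = "203.0.113.10:80"  # hypothetical LB vserver address

SAMPLE = [
    Pkt(1, "198.51.100.7:40001", VIP, "S", 1000, 0, None),
    Pkt(2, VIP, "198.51.100.7:40001", "SA", 5000, 0, None),
    Pkt(3, "198.51.100.7:40001", VIP, "A", 1001, 0, None),
    Pkt(4, "198.51.100.7:40001", VIP, "PA", 2461, 300, None),   # second segment arrives first
    Pkt(5, VIP, "198.51.100.7:40001", "R", 5001, 0, 8201),
    Pkt(6, "198.51.100.7:40001", VIP, "A", 1001, 1460, None),   # in-order segment, too late
    Pkt(7, "198.51.100.9:40002", VIP, "S", 7000, 0, None),
    Pkt(8, VIP, "198.51.100.9:40002", "SA", 9000, 0, None),
    Pkt(9, "198.51.100.9:40002", VIP, "A", 7001, 0, None),
    Pkt(10, "198.51.100.9:40002", VIP, "PA", 7001, 200, None),  # in-order first data
]

def find_ooo_first_data_resets(packets, vip, code=8201):
    """Return (first_data_pkt_no, rst_pkt_no, client) for flows where the first
    client data segment was out of order and the vserver then reset with `code`."""
    isn, first_data, hits = {}, {}, []
    for p in packets:
        if p.dst == vip:
            client = p.src
            if "S" in p.flags and "A" not in p.flags:
                isn[client] = p.seq              # new connection attempt
                first_data.pop(client, None)
            elif p.length > 0 and client in isn and client not in first_data:
                expected = (isn[client] + 1) % 2**32   # first data byte follows the SYN
                first_data[client] = (p.no, p.seq != expected)
        elif p.src == vip and "R" in p.flags and p.rst_code == code:
            no, out_of_order = first_data.get(p.dst, (None, False))
            if out_of_order:
                hits.append((no, p.no, p.dst))
    return hits

if __name__ == "__main__":
    for data_no, rst_no, client in find_ooo_first_data_resets(SAMPLE, VIP):
        print(f"{client}: first data packet {data_no} out of order, RST 8201 in packet {rst_no}")
```

Flows that are reset with 8201 after an in-order first data packet are not reported, so any remaining 8201 resets need a different explanation.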

Issue/Introduction

This article describes the situation in which NetScaler sends RST 8201 when the first data packet received by an HTTP/SSL LB virtual server is out of order.