2 Replies Latest reply on May 24, 2016 10:10 AM by james-in-ca

    Transfer timeout settings?

    james-in-ca New Member

      We upload lots of 60 to 80 gig files to various video streaming servers on our CDN at Limelight Network.

      Recently we have been having uploads to their servers fail prematurely -  always at 10 minutes of transfer time. Files are almost done uploading...

      As a test, If I upload that same file to our web servers which exist on an entirely different network completely unrelated to Limelight in any way, they upload fine.

      I make sure the test uploads to my web server take at least 10 minutes so that if a timeout based failure was to occur at 10 minutes, I would see it happen.

       

      Limelight is suggesting that "yes their servers are set to timeout after 10 minutes of inactivity" and that they think our Firewall (Adtran 3120) is having some effect on this.

      The only firewall I have is the services of the Adtran 3120 which I have hooked to my ISP/Telepacific switch.

       

      Is there some setting in my Netvanta that I can alter that might have some effect on this particular server's connection? Their support seems to think that our connection is timing out so that their server does not see the transfer happening and shuts the connection down..

      But again, I don't have this issue elsewhere. Although if there is something I can adjust I would do that as long as there is no detrimental effect on anything else or other servers. We have been using this setup for about 2 years now and this is the only remote location where we have an issue like this.

      Thanks

       

      Message was edited by: james fasso speeling........

        • Re: Transfer timeout settings?
          james-in-ca New Member

          The response from Limelight Support. We sent a Wireshark capture to them.

           

          Reviewing the packet capture provided and the failure, it appears as though during the transfer your client is sending multiple ACK sequences. Based on this we see it is a sequence of 4. However no SIN, ACK to these, which keeps repeating until a RST. This causes a new DNS lookup and an attempt to upload again. Additionally would you be able to review/provide us any firewall rules you currently have in place and confirm there are no filters in place for our IP ranges (included below). We do look forward to hearing from you.


          I checked my settings in "Security Zones/ Security Zone 'Public' "

          I have only 1 IP range filtered and it's not any of the 25 or so they sent.

          Screen Shot 2016-05-24 at 8.52.54 AM.png

          Is there any other location in the settings that might have any effect on this? I'd like to determine if this is on my end or theirs.

          Thanks!

            • Re: Transfer timeout settings?
              james-in-ca New Member

              I found this info from Wireshark (Riverbed) Can this be the issue?

              If my 3120 is blocking something in this manner how can I verify if my 3120 firewall is set to block in this fashion?

               

              Question was from a fellow that was not getting a SYN-ACK:

               

              I see three possible reasons:

              • you don't see the server response (SYN-ACK( due to a known "problem" of your capture setup
              • there is a SYN-ACK, but the server is dual homed (multiple interfaces in the same subnet) and it sends the response out a different interface.
              • there is no SYN-ACK, which means the RDP server did not answer the SYN. That's something you can only diagnose with the help of microsoft.

              Personally I believe it's option #2, although this is just a wild guess: I've seen that happen from time to time, because people give their servers several interfaces for "redundancy" reasons and then they simply assign an IP address from the same subnet (Windows does not prevent that)! This usually works on a local network without security devices (firewall, loadbalancers, etc.), but it can cause problems if those devices are in place.

              In your case, the firewall might well block the SYN-ACK, if it's coming from a different MAC address than the SYN was sent to (windows sends the SYN-ACK out the other interface). This depends on the firewall type and on the firewall configuration.