Viewing Current Flows

The Current Flows page retrieves a list of existing connections. The maximum visible number depends on which browser you user.

•	The page displays a default set of columns, along with individual links to flow details and to any alerts.

•	You can display additional columns from a customization list.

This section discusses the following topics:

n	How Current Flows Are Organized

n	Customizing Which Columns Display

n	Current Flow Details

n	Resetting Flows to Improve Performance

How Current Flows Are Organized

The following filters are available:

Parameter or Action	Definition
Flow Categories	The number after each option specifies how many flows fit the criteria • All – all flows • Optimized – optimized flows • Optimized* – these flows originally had a Status of Alert, and the user chose to no longer receive Alerts of the same type • Pass-through – includes shaped and unshaped traffic • Alert – notifies the user of any issue that might be inhibiting optimization, and offers a possible solution
Bytes Transferred	Choose from Total or Last 5 minutes.
Flow Started	Choose from Anytime or Last 5 minutes.
IP1 (2) / Port1 (2)	The IP address of an endpoint(s) that you want to use as a filter: • Entering a specific endpoint returns flows that have that endpoint. • Entering 0 in any IP address’s octet position acts as a wild card for that position. 0 in the Port field is also a wild card. • The two IP address (and port) fields are independent of each other. In other words, you can filter on two separate endpoints.
Application	Select which standard or user-defined application (or application group) to use as a filter criteria. The default value is All.
Traffic	Select the type of traffic connections you want to retrieve: • All – all optimized and pass-through traffic. • Policy Drop – traffic with a Set Action of Drop in the Route Policy • Optimized Traffic – the sum of all optimized traffic. That is, all tunnelized traffic. • Pass-through Shaped – all unoptimized, shaped traffic. • Pass-through Unshaped – all unoptimized, unshaped traffic. • [a named Tunnel] – that specific tunnel’s optimized traffic.
Protocol	Select from the list. The default value is All.
VLAN Id	Enter only the integer value for the VLAN Id.
Max Flows	The upper limit depends on what browser you’re using.
Reset Flows	Resetting the flow kills it and restarts it. It is service-affecting.
Reclassify Flows	Reclassifying the flow is not service-affecting. If a policy change makes a flow stale or inconsistent, then reclassifying makes a best-effort attempt to conform the flow to the change. If the flow can’t be successfully “diverted” to this new policy, then an Alert asks if you want to Reset.

Customizing Which Columns Display

Following are some customization guidelines:

n	The default set of columns includes the following:

Select	Status	Protocol
Application	Inbound Reduction %	Outbound Tunnel
IP1	Inbound Bytes	Detail
PORT1	Outbound Bytes
IP2	Outbound Reduction %
PORT2	Up Time

n	You can customize by adding the following additional columns:

Outbound Rx Bytes	Outbound Tx Bytes	Outbound Ratio
Inbound Tx Bytes	Inbound Rx Bytes	Inbound Ratio
Inbound Tunnel	Configured Outbound Tunnel	Flow Redirected From
LAN–side VLAN	Traffic Class	LAN DSCP	WAN DSCP

n	Customizations persist across sessions and across users. For a given appliance, all users see the same columns.

n	When you Export the data, all default and possible custom columns are included in the .csv file.

n	Customize and Export functions are accessible to all users.

 

w	To customize the screen display

1	To access the Customize Current Flows Table, click Customize.

2	Select additional columns, and click OK. The columns append to the right side of the table.

 

Current Flow Details

Silver Peak Support uses the Flow Detail page for troubleshooting.

Most of the information on the Flow Detail page is beyond what is included in the Current Flows table.

	Field	Definition
Route
	Map Name	The name of the Route Policy.
	Priority in Map	The number of the entry in the Route Policy that the flow matches.
	Configured Tx Action	The SET action configured in the Route Policy’s Tunnel field.
	Tx Action	How the traffic is actually being transmitted. Usually, this is a tunnel name.
	Rx Action	By what path or method the appliance is receiving this flow’s traffic.
	Tx Reason	Any error associated with packet transmission to the WAN.
	Application	Name of the application to which that flow’s traffic belongs.
	Protocol	The flow’s protocol.
	Using Stale Map Entry	Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.
	Flow Direction	Whether the flow is Inbound or Outbound.
	Flow Redirected From	The IP address of the appliance that’s redirecting this flow to this appliance.
	Auto-opt Status	Whether it matched a specific Route Policy or was Auto Routed.
	Auto-opt Transit Node (1 , 2, 3, 4)	The IP addresses of the hops between this appliance and the other end of the connection.
	LAN-side VLAN	Specifies the VLAN tag (1 – 4095) or None.
Optimization
	Map Name	The name of the Optimization Policy.
	Priority in Map	The number of the entry in the Optimization Policy that the flow matches.
	TCP Acceleration Configured	Whether or not TCP acceleration is configured in the Optimization Policy.
	TCP Acceleration Status	Whether TCP is accelerated [Yes] or not [No].
	TCP Acceleration Info	The reason that a TCP flow is not accelerated.. For a list of error codes, see “Error Reasons for TCP Acceleration Failure”.
	TCP Asymmetric	When the answer is YES, the Silver Peak appliance is able to intercept connection establishment in only one direction. As a result, this flow is not accelerated. When this happens, it indicates that there is asymmetric routing in the network.
	Proxy Remote Acceleration	Which side is accelerating the flow
	CIFS Acceleration Configured	Whether or not CIFS acceleration is configured in the Optimization Policy [Yes/No]
	CIFS Acceleration Status	Whether CIFS is accelerated [Yes] or not [No].
	CIFS Acceleration Info	The reason that a CIFS flow is not accelerated. For a list of error codes, see “Error Reasons for CIFS Acceleration Failure”
	CIFS Server Side	[Yes/No] If Yes, then this is the server side and the appliance is not accelerating (only the client side accelerates).
	CIFS SMB Signed	Specifies whether or not the CIFS traffic is SMB-signed by the server: • Yes means it was signed. If that’s the case, then the appliance was unable to accelerate any CIFS traffic. • No means it wasn’t signed. If that’s the case, then server requirements did not preclude CIFS acceleration. • Overridden means that SMB signing is ON and the appliance overrode it.
	SRDF Acceleration Configured	Whether or not SRDF acceleration is configured in the Optimization Policy [Yes/No]
	SRDF Acceleration Status	Whether SRDF is accelerated [Yes] or not [No].
	SSL Acceleration Configured	Whether or not SSL acceleration is configured in the Optimization Policy [Yes/No]
	SSL Acceleration Status	If a certificate has been appropriately installed via the GMS, then SSL traffic can be deduplicated. Whether SSL is accelerated [Yes] or not [No].
	SSL Acceleration Reason	The reason that an SSL flow is not accelerated. For a list of error codes, see “Error Reasons for SSL Acceleration Failure”
	Citrix Acceleration Configured	Whether or not Citrix cgp (gateway) or ica protocol acceleration is configured in the Optimization Policy [Yes/No]
	Citrix Acceleration Status	Whether Citrix is accelerated [Yes] or not [No].
	Citrix Acceleration Reason	The reason that a Citrix flow is not accelerated.
	Network Memory	There are four Network Memory settings: • Maximize Reduction — optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP where bandwidth savings are the primary concern. • Minimize Latency — ensures that no latency is added by Network Memory processing. This may come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate if WAN bandwidth saving is not a primary objective, and instead it is desirable to fully utilize the WAN pipe to increase LAN–side throughput. • Balanced — This is the default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types. • Disabled — No Network Memory is performed.
	Payload Compression	Whether or not payload compression is turned on.
	Using Stale Map Entry	Whether or not the flow is using a Route Policy entry that has been edited or deleted since the flow began.
Stats Information
	Outbound Ratio	For the outbound traffic, a ratio of the Outbound LAN bytes divided by the Outbound WAN bytes. When this ratio is less than 1.0, it’s attributable to a fixed overhead (for WAN transmission) being applied to traffic that either is not compressible or consists of few packets.
	Inbound Ratio	For the inbound traffic, a ratio of the Inbound WAN bytes divided by the Inbound LAN bytes.
	Outbound LAN	Total number of bytes received from the LAN [outbound traffic]
	Outbound WAN	Total number of bytes sent to the WAN [outbound traffic]
	Inbound LAN	Total number of bytes sent to the LAN [inbound traffic]
	Inbound WAN	Total number of bytes received from the WAN [inbound traffic]
	Flow Up Time	The length of time that there has been a connection between the endpoints.
	Flow ID	A unique number that the appliance assigns to the flow.
	TCP Flow Context	Silver Peak uses this for debugging purposes.
	Is Flow Queued for Reset	Whether the flow is waiting to be reset (after user input) or not.
QoS Information
	Map Name	The name of the QoS Policy.
	Priority in Map	The number of the entry in the QoS Policy that the flow matches.
	Traffic Class	The number of the traffic class assigned by the QoS to the flow, based on the MATCH conditions satisfied:
	LAN DSCP	The LAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.
	WAN DSCP	The WAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.
	Using Stale Map Entry	Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.

Error Reasons for TCP Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access from the Current Flows page. The Alert details the reason and the possible resolution.

Following is a list of possible errors, along with a brief description.

Error Reason	Description
asymmetric flow	Appliance did not receive a SYN-ACK. RESOLUTION: Most likely reason is asymmetric routing.
client advertised zero MSS	Flow is not accelerated because an endpoint did not send the TCP MSS option. RESOLUTION: Sometimes older operating systems (like Windows 95) do not send the TCP MSS option. You will have to upgrade the operating system software on the endpoints.
connection reset by peer	During setup, this TCP flow's endpoint(s) reset the connection. RESOLUTION: This is a transient condition. If it persists, take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.
connection to be deleted	Flow is not accelerated due to an internal error. RESOLUTION: Contact Silver Peak Support for further help.
disabled in Optimization Map	TCP Acceleration disabled in the Optimization Map. RESOLUTION: If you want this flow to be TCP accelerated, enable it in the optimization map.
disabled to allow debug	Flow is not accelerated because it has been disabled by tunbug debug console. RESOLUTION: Contact Silver Peak Support for further help.
first packet not a SYN	Appliance did not see the TCP SYN for this flow and therefore could not accelerate it. RESOLUTION: This could be due to various reasons: 1. The flow is already established before the appliance sees the first packet for the flow. If so, then resetting the flow will fix the problem. 2. WCCP or PBR is not set up correctly to redirect outbound traffic to the appliance. Check the WCCP or PBR configuration on the router. 3. You have routing issues, so the appliance is not seeing some of the traffic (for example, some packets come to the appliance while others go through another router). If so, you must review and fix your routing. 4. If you are in a cluster of Silver Peak appliances, you may have received a flow redirection timeout. If so, you must investigate why it takes so long for the Silver Peak appliance clusters to communicate with each other.
IP briefly blacklisted	Appliance did not receive a TCP SYN-ACK from remote end within 5 seconds and allowed the flow to proceed unaccelerated. Consequently, the destination IP address has been blacklisted for one minute. RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options. To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses: • If you don't see a TCP SYN from the client, it is due to firewall or routing issues. • If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.
keep alive failure	Appliance did not receive a TCP SYN-ACK from the remote end within 5 seconds and allowed the flow to proceed unaccelerated. RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options. To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses: • If you don't see a TCP SYN from the client, it is due to firewall or routing issues. • If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.
no remote appliance detected	Appliance did not receive Silver Peak TCP option in the inbound direction. RESOLUTION: This could be due to various reasons: 1. WCCP or PBR is not configured properly on the peer appliance. 2. Silver Peak routing policy not configured properly on the peer appliance. 3. Peer appliance is out of resources. 4. Routing is not configured properly on the router.
out of TCP memory	Appliance is out of resources for accelerating TCP flows. RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.
remote appliance dropped out of accel	Flow is not accelerated because Silver Peak flag is not set in TCP header or there was a mismatch in internal settings. RESOLUTION: Contact Silver Peak Support for further help.
retransmission timeout	Flow is not accelerated due to TCP protocol timeouts. RESOLUTION: This is a transient condition. You can reset the flow and then verify that it gets accelerated. If it does not, then take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.
Route Map set to drop packets	Flow is not accelerated because the route policy is set to drop packets. RESOLUTION: Fix the Set Action in the route policy entry.
Route Map set to pass-through	Flow is not accelerated because the route policy is set to send packets pass-through. RESOLUTION: Fix the Set Action in the route policy entry.
software version mismatch	Flow is not accelerated due to software version mismatch between two appliances. RESOLUTION: Upgrade software on one or both appliances to the same version of software.
stale flow	Flow is not accelerated due to an internal error. Before the previous flow could terminate cleanly, a new flow began with the same parameters. RESOLUTION: Contact Silver Peak Support for further help.
SYN packet fragmented	Flow is not accelerated for unknown reasons. Please contact Silver Peak Support for further help. RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.
system flow limit reached	Appliance has reached its limit for the total number of flows that can be accelerated. RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.
tandem SP appliance involved	Appliance saw Silver Peak TCP option in the outbound direction. This implies that another Silver Peak appliance precedes this one and is responsible for accelerating this flow. RESOLUTION: Check the flow acceleration status on an upstream appliance.
TCP auto-optimization failed	Automatic optimization logic failed to accelerate this flow.These are handled for each auto-opt subcode below: • TCP auto-optimization failed - NOSPS Auto-optimization failed because the peer appliance is not participating in automatic TCP acceleration. This can be due to various reasons: 1. Peer appliance is configured to not participate in optimization. 2. WCCP or PBR is not configured properly on the peer side. 3. Routing is not configured properly to send traffic to the peer appliance. • TCP auto-optimization failed - NOTUNNEL Auto-optimization failed because there is no tunnel between this appliance and its peer, for two possible reasons: 1) Auto-tunnel is disabled. If so, manually create a tunnel. 2) Auto-tunnel is enabled, but needs time to finish creating the tunnel. If so, wait ~30 seconds for tunnel completion, and then reset this flow. • TCP auto-optimization failed - INVALID_OPT This is generally due to an internal error. Contact Silver Peak Support for further help. • TCP auto-optimization failed - MISC Contact Silver Peak Support for further help. • TCP auto-optimization failed - TUNNELDOWN Automatic optimization failed because the tunnel between this appliance and its peer is down.
TCP state mismatch	Flow is not accelerated due to an internal error. This flow will be automatically reset soon. RESOLUTION: This is a transient condition. You can wait for this flow to reset, or you can reset it manually now.
terminated by user	Flow has been reset by the user or automatically reset by the system. RESOLUTION: This is a transient condition. The flow is in the process of being reset.
tunnel down	Flow is not accelerated because the tunnel is down. RESOLUTION: Investigate why the tunnel is down.
unknown cause	Flow is not accelerated for unknown reasons. RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.

Error Reasons for CIFS Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access from the Current Flows page. The Alert details the reason and the possible resolution.

Following is a list CIFS reason codes. They use the following format:

n	No [reason] — The connection is not accelerated, and the “reason string” explains why not.

n	Yes [reason] — The connection is partially accelerated, and the “reason string” explains why the connection is not fully accelerated.

n	Yes — The connection is fully accelerated.

Yes/No	Reason Text	Description
No	CIFS optimization is disabled in the Optimization Policy	CIFS is disabled in the optmap.
No	SMB signing is required by the server	SMB signing is enforced by the server, and this requirement precludes optimization.
No	SMB version 2 is enforced by the client	SMB version 2 protocol is enforced by the client, and this requirement precludes optimization.
No	The flow limit for CIFS optimization has been exceeded	Maximum flow limit reach for CIFS optimized flows.
Yes	Sub-optimal read-write optimization - Non standard server	Sub-optimal read/write optimization due to non-standard server. For example, Windows XP cannot process more than 10 simultaneous outstanding requests.
Yes	Metadata optimization disabled - NTNOTIFY failure	Metadata optimization is disabled due to change notification failure.
Yes	Metadata optimization disabled - OPEN failure	Metadata optimization is disabled because proxy cannot open the root share. To resolve, check the root share permissions.
Yes	Metadata optimization disabled - Unsupported Dialect	Endpoints are using an unsupported CIFS dialect. To resolve, upgrade the CLIFS client/server.
Yes	Metadata optimization disabled - Unsupported Server	Unsupported CIFS server, like UNIX/Samba. To resolve, switch to standard servers like Windows/NetApp..
Yes	Metadata optimization disabled - Unsupported Client	Unsupported CIFS client, like UNIX/smbclient. To resolve, switch to standard clients like Windows/Mac.

Error Reasons for SSL Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access from the Current Flows page. The Alert details the reason and the possible resolution.

Note  To deduplicate SSL (Secure Socket Layer) traffic, appliances must have a valid SSL certificate and key. For information about installing SSL certificates and keys, see “Adding SSL Certificates and Keys for Deduplication”.

Following is a list of the reasons you may receive a failure message for SSL acceleration.

Error Reason	Description
error processing certificate	Failure in processing certificate.Please check the certificate/key.
error processing client hello1	Failed to create client hello, protocol error, invalid SSL packet or Internal error
error processing client hello2	Unsupported client SSL protocol version or options
error processing client hello3	Invalid random number in SSLv2 client hello, protocol error, invalid SSL packet, or internal error
error processing SAN certificate	Error while processing SAN certificate
error processing server hello	Error while processing server hello
extension parse error	TLS extension parse error, due to unknown TLS extensions
invalid certificate	SSL certificate is invalid
invalid client cipher	Client negotiated unsupported cipher algorithm
invalid client proto version	Client negotiated unsupported SSL version.
invalid handshake condition	Received invalid SSL packet or unsupported SSLv2 session resume request during handshake
invalid key	SSL private key is invalid
invalid server cipher	Server negotiated unsupported cipher algorithm
invalid server proto version	Server negotiated unsupported SSL version
memory flow control	The appliance SSL memory is full and cannot accelerate additional flows.
miscellaneous error	Generic proxy layer internal error
missing active session	Active session not found, cannot accelerate the SSL session.
missing certificate	A matching SSL certificate was not found.
missing key	A matching SSL key was not found.
missing pending session	Pending session not found, possible failure in client hello.
missing resume session	Do not have a session to resume in session cache.
missing SAN certificate	Did not find a matching SAN certificate.
no ipsec on tunnel	IPsec is not configured on the tunnel and IPsec on tunnel must be configured.
possibly no certs installed	Possibly no SSL certificate installed. Check the GMS.
server-side advertised no dedup	Peer appliance SSL did not optimize the flow.
ssl max flows limit	Exceeded maximum SSL optmized flows limit.
unsupported client cipher	Received unsupported cipher suite in SSLv2 client hello message.
unsupported compress method	Unsupported compression method negotiated.
unsupported extension	Unsupported TLS extension negotiated.
unsupported server cipher	Received unsupported cipher suite in SSLv2 server hello message.
unsupported server protocol	Unsupported SSL protocol: SSLv2 server hello message not supported.

Resetting Flows to Improve Performance

In the list of Alerts, you can look for the flows that aren’t being accelerated, but could be. Generally, this means flows that use TCP protocol and are not TCP-accelerated:

•	This includes tunnelized TCP traffic that is not TCP-accelerated. TCP connections are not accelerated if they already exist when the tunnel comes up or when the appliance reboots.

•	Pass-through connections are neither tunnelized nor accelerated if they already exist when a new tunnel is added and/or when an ACL is added or edited.

Unaccelerated TCP flows can be reset to allow them to reconnect at a later time. It is assumed that the connection end-points will re-establish the flows. When these flows are reconnected, the appliance recognizes them as new and accelerates them. Note that the time it takes to reset a flow may vary, depending on the traffic activity.

CAUTION Resetting a flow interrupts service for that flow. The appliance cannot restore the connection on its own; it relies on the end points to re-establish the flow. Use it only if service interruption can be tolerated for a given flow.

Tip For information about configuring the appliance to automatically reset TCP flows, see the Advanced TCP Options in “TCP Acceleration”.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.