Viewing Flows

Monitoring > [Appliances] Flows

Flows are useful for troubleshooting and for detailed visibility into the network.

The Flows page retrieves a list of existing connections. The maximum visible number depends on which browser you user.

•	The page displays a default set of columns, along with individual links to flow details and to any alerts.

•	You can display additional columns from a customization list.

This section discusses the following topics:

n	How Flows Are Counted

n	How Flows are Organized

n	Customizing Which Columns Display

n	Flow Details

•	Error Reasons for TCP Acceleration Failure

•	Error Reasons for CIFS Acceleration Failure

•	Error Reasons for SSL Acceleration Failure

•	Error Reasons for Citrix Acceleration Failure

n	Resetting Flows to Improve Performance

How Flows Are Counted

When it comes to flow and application statistics reports, user-defined applications are always checked before built-in applications.

Ports are unique. If a port or a range includes a built-in port, then the custom application is the one that lays claim to it.

If two distinctly named user-defined applications have a port number in common, then report results will be skewed, depending on the priority assigned to the custom applications. A port is only counted once.

How Flows are Organized

The following filters are available:

Parameter or Action	Definition
Flow Categories	The number after each option specifies how many flows fit the criteria • All – all flows • Optimized – optimized flows • Optimized* – these flows originally had a Status of Alert, and the user chose to no longer receive Alerts of the same type • Pass-through – includes shaped and unshaped traffic • Alert – notifies the user of any issue that might be inhibiting optimization, and offers a possible solution
Bytes Transferred	Choose from Total or Last 5 minutes.
Flow Timing	Choose from the following: • Active • Active + Ended Last 5 minutes • Started Last 5 minutes • Ended Last 5 minutes • Ended
Flows to Slow Devices	For debugging. A slow device is one that cannot tolerate having its connections accelerated. Generally, this occurs when the WAN side is congested, resulting in too much data on the LAN side. To protect the health of the appliance, you’ll need to disable TCP acceleration in the Optimization Policy.
IP1 (2) / Port1 (2)	The IP address of an endpoint(s) that you want to use as a filter: • Entering a specific endpoint returns flows that have that endpoint. • Entering 0 in any IP address’s octet position acts as a wild card for that position. 0 in the Port field is also a wild card. • The two IP address (and port) fields are independent of each other. In other words, you can filter on two separate endpoints.
Application	Select which standard or user-defined application (or application group) to use as a filter criteria. The default value is All.
Traffic	Select the type of traffic connections you want to retrieve: • All – all optimized and pass-through traffic. • Policy Drop – traffic with a Set Action of Drop in the Route Policy • Optimized Traffic – the sum of all optimized traffic. That is, all tunnelized traffic. • Pass-through Shaped – all unoptimized, shaped traffic. • Pass-through Unshaped – all unoptimized, unshaped traffic. • [a named Tunnel] – that specific tunnel’s optimized traffic.
Protocol	Select from the list. The default value is All.
VLAN Id	Enter only the integer value for the VLAN Id.
Internet Service	For sorting by domain, country, or city.
Max Flows	The upper limit depends on what browser you’re using.
Reset Flows	Resetting the flow kills it and restarts it. It is service-affecting.
Reclassify Flows	Reclassifying the flow is not service-affecting. If a policy change makes a flow stale or inconsistent, then reclassifying makes a best-effort attempt to conform the flow to the change. If the flow can’t be successfully “diverted” to this new policy, then an Alert asks if you want to Reset.

Customizing Which Columns Display

Following are some customization guidelines:

n	The default set of columns includes the following:

Mgmt IP	Status	Protocol
Host Name	Detail	Outbound Tunnel
Application	Flow Chart	Start Time
IP1	Inbound Reduction %	End Time
PORT1	Inbound Bytes
IP2	Outbound Bytes
PORT2	Outbound Reduction %

n	You can customize by adding the following additional columns:

Uptime	Inbound Tunnel	Configured Outbound Tunnel
LAN-side VLAN	Traffic Class	Configured LAN DSCP
Configured WAN DSCP	Flow Redirected From	Outbound Rx Bytes
Outbound Tx Bytes	Outbound Ratio	Inbound Tx Bytes
Inbound Rx Bytes	Inbound Ratio

n	When you Export the data, all default and possible custom columns are included in the .csv file.

w	To customize the screen display

1	To access the Customize Current Flows Table, click Customize.

2	Select additional columns, and click OK. The columns append to the right side of the table.

Flow Details

Silver Peak Support uses the Flow Detail page for troubleshooting.

Most of the information on the Flow Detail page exceeds what is included in the Current Flows table.

	Field	Definition
Stats Information
	Outbound Ratio	For the outbound traffic, a ratio of the Outbound LAN bytes divided by the Outbound WAN bytes. When this ratio is less than 1.0, it’s attributable to a fixed overhead (for WAN transmission) being applied to traffic that either is not compressible or consists of few packets.
	Inbound Ratio	For the inbound traffic, a ratio of the Inbound WAN bytes divided by the Inbound LAN bytes.
	Outbound LAN bytes	Total number of bytes received from the LAN [outbound traffic]
	Outbound WAN bytes	Total number of bytes sent to the WAN [outbound traffic]
	Inbound LAN bytes	Total number of bytes sent to the LAN [inbound traffic]
	Inbound WAN bytes	Total number of bytes received from the WAN [inbound traffic]
	Outbound LAN pkts	Total number of packets received from the LAN [outbound traffic]
	Outbound WAN pkts	Total number of packets sent to the WAN [outbound traffic]
	Inbound LAN pkts	Total number of packets sent to the LAN [inbound traffic]
	Inbound WAN pkts	Total number of packets received from the WAN [inbound traffic]
	Flow Up Time	The length of time that there has been a connection between the endpoints.
	Flow ID	A unique number that the appliance assigns to the flow.
	Active	Whether the flow is Active [yes] or not [No].
	TCP Flow Context	Silver Peak uses this for debugging purposes.
	Is Flow Queued for Reset	Whether the flow is waiting to be reset (after user input) or not.
Route
	Map Name	The name of the Route Policy.
	Priority in Map	The number of the entry in the Route Policy that the flow matches.
	Configured Tx Action	The SET action configured in the Route Policy’s Tunnel field.
	Tx Action	How the traffic is actually being transmitted. Usually, this is a tunnel name.
	Rx Action	By what path or method the appliance is receiving this flow’s traffic.
	Tx Reason	Any error associated with packet transmission to the WAN.
	Application	Name of the application to which that flow’s traffic belongs.
	Protocol	The flow’s protocol.
	Using Stale Map Entry	Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.
	Flow Direction	Whether the flow is Inbound or Outbound.
	Flow Redirected From	The IP address of the appliance that’s redirecting this flow to this appliance.
	Auto-opt Status	Whether it matched a specific Route Policy or was Auto Routed.
	Auto-opt Transit Node (1 , 2, 3, 4)	The IP addresses of the hops between this appliance and the other end of the connection.
	LAN-side VLAN	Specifies the VLAN tag (1 – 4095) or None.
Optimization
	Map Name	The name of the Optimization Policy.
	Priority in Map	The number of the entry in the Optimization Policy that the flow matches.
	TCP Acceleration Configured	Whether or not TCP acceleration is configured in the Optimization Policy.
	TCP Acceleration Status	Whether TCP is accelerated [Yes] or not [No].
	TCP Acceleration Info	The reason that a TCP flow is not accelerated.. For a list of error codes, see “Error Reasons for TCP Acceleration Failure”.
	TCP Asymmetric	When the answer is YES, the Silver Peak appliance is able to intercept connection establishment in only one direction. As a result, this flow is not accelerated. When this happens, it indicates that there is asymmetric routing in the network.
	Proxy Remote Acceleration	Which side is accelerating the flow
	CIFS Acceleration Configured	Whether or not CIFS acceleration is configured in the Optimization Policy [Yes/No]
	CIFS Acceleration Status	Whether CIFS is accelerated [Yes] or not [No].
	CIFS Acceleration Info	The reason that a CIFS flow is not accelerated. For a list of error codes, see “Error Reasons for CIFS Acceleration Failure”
	CIFS Server Side	[Yes/No] If Yes, then this is the server side and the appliance is not accelerating (only the client side accelerates).
	CIFS SMB Signed	Specifies whether or not the CIFS traffic is SMB-signed by the server: • Yes means it was signed. If that’s the case, then the appliance was unable to accelerate any CIFS traffic. • No means it wasn’t signed. If that’s the case, then server requirements did not preclude CIFS acceleration. • Overridden means that SMB signing is ON and the appliance overrode it.
	SRDF Acceleration Configured	Whether or not SRDF acceleration is configured in the Optimization Policy [Yes/No]
	SRDF Acceleration Status	Whether SRDF is accelerated [Yes] or not [No].
	SSL Acceleration Configured	Whether or not SSL acceleration is configured in the Optimization Policy [Yes/No]
	SSL Acceleration Status	If a certificate has been appropriately installed via the Orchestrator, then SSL traffic can be deduplicated. Whether SSL is accelerated [Yes] or not [No].
	SSL Acceleration Reason	The reason that an SSL flow is not accelerated. For a list of error codes, see “Error Reasons for SSL Acceleration Failure”
	Citrix Acceleration Configured	Whether or not Citrix cgp (gateway) or ica protocol acceleration is configured in the Optimization Policy [Yes/No]
	Citrix Acceleration Status	Whether Citrix is accelerated [Yes] or not [No].
	Citrix Acceleration Reason	The reason that a Citrix flow is not accelerated. For a list of error codes, see “Error Reasons for Citrix Acceleration Failure”
	iSCSI Acceleration Configured	Whether or not iSCSI acceleration is configured in the Optimization Policy [Yes/No]
	iSCSI Acceleration Status	The reason that an iSCSI flow is not accelerated.
	Network Memory	There are four Network Memory settings: • Maximize Reduction — optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP where bandwidth savings are the primary concern. • Minimize Latency — ensures that no latency is added by Network Memory processing. This may come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate if WAN bandwidth saving is not a primary objective, and instead it is desirable to fully utilize the WAN pipe to increase LAN–side throughput. • Balanced — This is the default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types. • Disabled — No Network Memory is performed.
	Payload Compression	Whether or not payload compression is turned on.
	Using Stale Map Entry	Whether or not the flow is using a Route Policy entry that has been edited or deleted since the flow began.
QoS Information
	Map Name	The name of the QoS Policy.
	Priority in Map	The number of the entry in the QoS Policy that the flow matches.
	Traffic Class	The number of the traffic class assigned by the QoS to the flow, based on the MATCH conditions satisfied:
	LAN DSCP Configured	The LAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.
	WAN DSCP Configured	The WAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.
	Using Stale Map Entry	Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.

Error Reasons for TCP Acceleration Failure

Following is a list of possible errors, along with a brief description and possible resolutions.

Error Reason	Description
asymmetric flow	Appliance did not receive a SYN-ACK. RESOLUTION: Most likely reason is asymmetric routing.
client advertised zero MSS	Flow is not accelerated because an endpoint did not send the TCP MSS option. RESOLUTION: Sometimes older operating systems (like Windows 95) do not send the TCP MSS option. You will have to upgrade the operating system software on the endpoints.
connection reset by peer	During setup, this TCP flow's endpoint(s) reset the connection. RESOLUTION: This is a transient condition. If it persists, take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.
connection to be deleted	Flow is not accelerated due to an internal error. RESOLUTION: Contact Silver Peak Support for further help.
disabled in Optimization Map	TCP Acceleration disabled in the Optimization Map. RESOLUTION: If you want this flow to be TCP accelerated, enable it in the optimization map.
disabled to allow debug	Flow is not accelerated because it has been disabled by tunbug debug console. RESOLUTION: Contact Silver Peak Support for further help.
first packet not a SYN	Appliance did not see the TCP SYN for this flow and therefore could not accelerate it. RESOLUTION: This could be due to various reasons: 1. The flow is already established before the appliance sees the first packet for the flow. If so, then resetting the flow will fix the problem. 2. WCCP or PBR is not set up correctly to redirect outbound traffic to the appliance. Check the WCCP or PBR configuration on the router. 3. You have routing issues, so the appliance is not seeing some of the traffic (for example, some packets come to the appliance while others go through another router). If so, you must review and fix your routing. 4. If you are in a cluster of Silver Peak appliances, you may have received a flow redirection timeout. If so, you must investigate why it takes so long for the Silver Peak appliance clusters to communicate with each other.
IP briefly blacklisted	Appliance did not receive a TCP SYN-ACK from remote end within 5 seconds and allowed the flow to proceed unaccelerated. Consequently, the destination IP address has been blacklisted for one minute. RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options. To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses: • If you don't see a TCP SYN from the client, it is due to firewall or routing issues. • If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.
keep alive failure	Appliance did not receive a TCP SYN-ACK from the remote end within 5 seconds and allowed the flow to proceed unaccelerated. RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options. To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses: • If you don't see a TCP SYN from the client, it is due to firewall or routing issues. • If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.
no remote appliance detected	Appliance did not receive Silver Peak TCP option in the inbound direction. RESOLUTION: This could be due to various reasons: 1. WCCP or PBR is not configured properly on the peer appliance. 2. Silver Peak routing policy not configured properly on the peer appliance. 3. Peer appliance is out of resources. 4. Routing is not configured properly on the router.
out of TCP memory	Appliance is out of resources for accelerating TCP flows. RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.
remote appliance dropped out of accel	Flow is not accelerated because Silver Peak flag is not set in TCP header or there was a mismatch in internal settings. RESOLUTION: Contact Silver Peak Support for further help.
retransmission timeout	Flow is not accelerated due to TCP protocol timeouts. RESOLUTION: This is a transient condition. You can reset the flow and then verify that it gets accelerated. If it does not, then take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.
Route Map set to drop packets	Flow is not accelerated because the route policy is set to drop packets. RESOLUTION: Fix the Set Action in the route policy entry.
Route Map set to pass-through	Flow is not accelerated because the route policy is set to send packets pass-through. RESOLUTION: Fix the Set Action in the route policy entry.
software version mismatch	Flow is not accelerated due to software version mismatch between two appliances. RESOLUTION: Upgrade software on one or both appliances to the same version of software.
stale flow	Flow is not accelerated due to an internal error. Before the previous flow could terminate cleanly, a new flow began with the same parameters. RESOLUTION: Contact Silver Peak Support for further help.
SYN packet fragmented	Flow is not accelerated for unknown reasons. Please contact Silver Peak Support for further help. RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.
system flow limit reached	Appliance has reached its limit for the total number of flows that can be accelerated. RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.
tandem SP appliance involved	Appliance saw Silver Peak TCP option in the outbound direction. This implies that another Silver Peak appliance precedes this one and is responsible for accelerating this flow. RESOLUTION: Check the flow acceleration status on an upstream appliance.
TCP auto-optimization failed	Automatic optimization logic failed to accelerate this flow.These are handled for each auto-opt subcode below: • TCP auto-optimization failed - NOSPS Auto-optimization failed because the peer appliance is not participating in automatic TCP acceleration. This can be due to various reasons: 1. Peer appliance is configured to not participate in optimization. 2. WCCP or PBR is not configured properly on the peer side. 3. Routing is not configured properly to send traffic to the peer appliance. • TCP auto-optimization failed - NOTUNNEL Auto-optimization failed because there is no tunnel between this appliance and its peer, for two possible reasons: 1) Auto-tunnel is disabled. If so, manually create a tunnel. 2) Auto-tunnel is enabled, but needs time to finish creating the tunnel. If so, wait ~30 seconds for tunnel completion, and then reset this flow. • TCP auto-optimization failed - INVALID_OPT This is generally due to an internal error. Contact Silver Peak Support for further help. • TCP auto-optimization failed - MISC Contact Silver Peak Support for further help. • TCP auto-optimization failed - TUNNELDOWN Automatic optimization failed because the tunnel between this appliance and its peer is down.
TCP state mismatch	Flow is not accelerated due to an internal error. This flow will be automatically reset soon. RESOLUTION: This is a transient condition. You can wait for this flow to reset, or you can reset it manually now.
terminated by user	Flow has been reset by the user or automatically reset by the system. RESOLUTION: This is a transient condition. The flow is in the process of being reset.
tunnel down	Flow is not accelerated because the tunnel is down. RESOLUTION: Investigate why the tunnel is down.
unknown cause	Flow is not accelerated for unknown reasons. RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.

Error Reasons for CIFS Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access on the Flows page. The Alert details the reason and the possible resolution.

Following is a list CIFS reason codes:

Reason Text	Description
CIFS optimization is disabled in the Optimization Policy	CIFS is disabled in the optmap.
SMB signing is required by the server	SMB signing is enforced by the server, and this requirement precludes optimization.
SMB version 2 is enforced by the client	SMB version 2 protocol is enforced by the client, and this requirement precludes optimization.
The flow limit for CIFS optimization has been exceeded	Maximum flow limit reach for CIFS optimized flows.
Sub-optimal read-write optimization - Non standard server	Sub-optimal read/write optimization due to non-standard server. For example, Windows XP cannot process more than 10 simultaneous outstanding requests.
Metadata optimization disabled - NTNOTIFY failure	Metadata optimization is disabled due to change notification failure.
Metadata optimization disabled - OPEN failure	Metadata optimization is disabled because proxy cannot open the root share. To resolve, check the root share permissions.
Metadata optimization disabled - Unsupported Dialect	Endpoints are using an unsupported CIFS dialect. To resolve, upgrade the CLIFS client/server.
Metadata optimization disabled - Unsupported Server	Unsupported CIFS server, like UNIX/Samba. To resolve, switch to standard servers like Windows/NetApp..
Metadata optimization disabled - Unsupported Client	Unsupported CIFS client, like UNIX/smbclient. To resolve, switch to standard clients like Windows/Mac.

Error Reasons for SSL Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access on the Flows page. The Alert details the reason and the possible resolution.

Silver Peak supports:

•	X509 Privacy Enhanced Mail (PEM), Personal Information Exchange (PFX), and RSA key 1024-bit and 2048-bit certificate formats.

•	SAN (Subject Alternative Name) certificates. SAN certificates enable sharing of a single certificate across multiple servers and services.

Silver Peak appliances support the following:

•	Protocol versions: SSLv3, TLS1.0, TLS1.1, TLS1.2

•	Cipher algorithms: AES128, AES256, RC4, 3DES

•	Key exchanges: RSA, DHE, ECDHE

•	Digests: MD5, SHA1, SHA2

Following is a list of the reasons you may receive a failure message for SSL acceleration.

If the resolution calls for removing or reinstalling the certificate, refer to “SSL Certificates Template” on page 69.

Error Reason	Description
error processing certificate	Failure in processing certificate. RESOLUTION: Check the certificate. Possible problems include: • There may be an issue with certificate format. • The certificate doesn’t match the one that’s installed on the server.
error processing client hello1	Failed to create client hello, protocol error, invalid SSL packet, or internal error RESOLUTION: Check the SSL protocols on the client and the server. They must be compatible with what Silver Peak supports. If you find that they’re incompatible, you must remove it and install the correct certificate.
error processing client hello2	Unsupported client SSL protocol version or options RESOLUTION: Check the SSL protocol on the client and the server. They must be compatible with what Silver Peak supports.
error processing client hello3	Invalid random number in SSLv2 client hello, protocol error, invalid SSL packet, or internal error RESOLUTION: Check the SSL protocol on the client and the server. They must be compatible with what Silver Peak supports.
error processing SAN certificate	Error while processing SAN certificate. RESOLUTION: Check the Subject Alternate Name fields in the SAN certificate. It may be an issue with SAN certificate format or with the certificate not matching the one that’s installed on the server. If it’s incorrect, you must remove it, and install the correct certificate.
error processing server hello	Error while processing server hello RESOLUTION: Contact Silver Peak Support for assistance.
extension parse error	TLS extension parse error, due to unknown TLS extensions RESOLUTION: 1. Check the appliance syslog messages (that correspond to the client IP address) for SSL errors to determine which TLS extension is not supported. 2. Disable this (these) extensions in the client-side application’s SSL settings. Typically, this application would be your browser.
invalid certificate	SSL certificate is invalid or has expired. RESOLUTION: Remove the certificate, and reinstall the correct certificate.
invalid client cipher	Client negotiated unsupported cipher algorithm RESOLUTION: Check the client-side application’s SSL cipher algorithm settings to verify that they’re compatible with what Silver Peak supports.
invalid client proto version	Client negotiated unsupported SSL protocol version. RESOLUTION: Check the client-side application’s SSL protocol settings to verify that they’re compatible with what Silver Peak supports.
invalid handshake condition	Received invalid SSL packet or unsupported SSLv2 session resume request during handshake RESOLUTION: Contact Silver Peak Support for assistance.
invalid key	SSL private key is invalid RESOLUTION: Check that the private key file that was installed is correct and matches the server’s private key.
invalid server cipher	Server negotiated unsupported cipher algorithm RESOLUTION: Check the SSL server’s cipher algorithm settings.
invalid server proto version	Server negotiated unsupported SSL version RESOLUTION: Check the server-side application’s SSL protocol settings to verify that they’re compatible with what Silver Peak supports.
memory flow control	The appliance SSL memory is full and cannot accelerate additional flows. RESOLUTION: Contact Silver Peak support for assistance.
miscellaneous error	Generic proxy layer internal error RESOLUTION: Contact Silver Peak Support for assistance.
missing active session	Active session not found, cannot accelerate the SSL session. The appliance did not participate in the full handshake phase where the certificate information was exchanged between the client and the server. Or, the certificate was missing or did not match the server’s certificate. RESOLUTION: If the certificate is missing, install the correct one. Otherwise, restart the client SSL application.
missing certificate	A matching SSL certificate was not found. RESOLUTION: Install the certificate on both appliances.
missing key	A matching SSL key was not found. RESOLUTION: Install the correct certificate and key.
missing pending session	Pending session not found, possible failure in client hello. RESOLUTION: Contact Silver Peak Support for assistance.
missing resume session	Do not have a session to resume in session cache.The session in Silver Peak’s cache might have expired. RESOLUTION: To get full SSL acceleration, restart the application.
missing SAN certificate	Did not find a matching SAN certificate. RESOLUTION: Install the missing SAN certificate.
no ipsec on tunnel	IPsec is not configured on the tunnel. RESOLUTION: Configure IPsec on the tunnel.
possibly no certs installed	Possibly no SSL certificate installed. RESOLUTION: If the Orchestrator shows no SSL certificate, install an appropriate one.
server-side advertised no dedup	Peer appliance SSL did not optimize the flow. RESOLUTION: On the other appliance, access the Current Flows report, and look at the reason code.(In some cases, the code is displayed only on one side).
ssl max flows limit	Exceeded maximum SSL optimized flows limit.
unsupported client cipher	Received unsupported cipher suite in SSLv2 client hello message. RESOLUTION: Check the client-side application’s SSL cipher algorithm settings to verify that they’re compatible with what Silver Peak supports. Check the client-side SSL protocol version settings. Silver Peak does not support SSLv2.
unsupported compress method	Unsupported SSL compression method negotiated.The SSL compression method should be disabled on both the client and the server. RESOLUTION: On both the client and the server, disable the SSL compression method.
unsupported extension	Unsupported TLS extension negotiated. RESOLUTION: 1. Check the appliance syslog messages (that correspond to the client IP address) for SSL errors to determine which TLS extension is not supported. 2. Disable this (these) extensions in the client-side application’s SSL settings. Typically, this application would be your browser.
unsupported server cipher	Received unsupported cipher suite in SSLv2 server hello message. RESOLUTION: Check the server-side application’s SSL cipher algorithm settings to verify that they’re compatible with what Silver Peak supports. Check the server-side SSL protocol version settings. Silver Peak does not support SSLv2.
unsupported server protocol	Unsupported SSL protocol: SSLv2 server hello message not supported. RESOLUTION: Check the server-side application’s SSL protocol settings to verify that they’re compatible with what Silver Peak supports.

Error Reasons for Citrix Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access on the Flows page. The Alert details the reason and the possible resolution.

Reason Text	Description
Exceeded max flows	Flow will not be accelerated because max citrix flow limit has been reached. RESOLUTION: Check
Exceeded max CGP sessions	Flow will not be accelerated because max Citrix CGP session limit has been reached.
Missing CGP data	Flow will not be accelerated because session resume did not find the CGP session.
Connection Alloc failure	Connection element could not be allocated. RESOLUTION: Contact Silver Peak.
Pending Full Accel	Full acceleration criteria in ICA protocol negotiation not yet satisfied. RESOLUTION: Relaunch the Citrix session.
Encryption level not supported	Encryption level not Basic/Secure on the Citrix server or client. RESOLUTION: Check the encryption level setting on the Citrix server.
Packet Alloc failure	Packet allocation has failed. Packets will be forwarded. RESOLUTION: Contact Silver Peak.
Citrix Protocol not as expected	Some pre-defined pattern in Citrix ICA Protocol negotiation is not as expected. RESOLUTION: 1.Verify that non-Citrix traffic is not being sent over the Citrix ports. 2. Check the Citrix protocol versions used in the client and server and call Silver Peak.
Citrix optimization failed due to an unknown error	RESOLUTION: 1. Disabling Citrix Acceleration in the Optimization Policy is recommended. 2. Review the system logs to find the exact error code and contact Silver Peak.
Citrix rc5 padding error	Citrix ICA record did not align on 8-byte boundary or a padding error occurred. RESOLUTION: Contact Silver Peak.
Citrix rc5 Decrypt error	Citrix ICA record failed decryption. RESOLUTION: Contact Silver Peak.
Citrix rc5 Encrypt error	Citrix ICA record failed encryption. RESOLUTION: Contact Silver Peak.
Citrix rc5 Misc error	Citrix ICA RC5 unknown error. RESOLUTION: See system logs. Contact Silver Peak.
Citrix rc5 crypto buffer too short	Citrix RC5 crypto buffer passed in to encryption/decryption was too short. RESOLUTION: Contact Silver Peak.
Citrix rc5 crypto buffer too long	Citrix RC5 crypto buffer passed in to encryption/decryption was too long. RESOLUTION: Contact Silver Peak.
Citrix rc5 crypto invalid length	Citrix RC5 crypto invalid length was passed in for encryption/decryption. RESOLUTION: Contact Silver Peak.
Citrix rc5 crypto initialization failed	Citrix RC5 crypto engine failed initialization. RESOLUTION: Contact Silver Peak.

Resetting Flows to Improve Performance

In the list of Alerts, you can look for the flows that aren’t being accelerated, but could be. Generally, this means flows that use TCP protocol and are not TCP-accelerated:

•	This includes tunnelized TCP traffic that is not TCP-accelerated. TCP connections are not accelerated if they already exist when the tunnel comes up or when the appliance reboots.

•	Pass-through connections are neither tunnelized nor accelerated if they already exist when a new tunnel is added and/or when an ACL is added or edited.

Unaccelerated TCP flows can be reset to allow them to reconnect at a later time. It is assumed that the connection end-points will re-establish the flows. When these flows are reconnected, the appliance recognizes them as new and accelerates them. Note that the time it takes to reset a flow may vary, depending on the traffic activity.

CAUTION Resetting a flow interrupts service for that flow. The appliance cannot restore the connection on its own; it relies on the end points to re-establish the flow. Use it only if service interruption can be tolerated for a given flow.

Tip For information about configuring the appliance to automatically reset TCP flows, see the Advanced TCP Options in “TCP Acceleration Options” on page 63.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.