Value | Pass-through reason (varies by connection) | Description | Action |
|---|---|---|---|
0 | None | None | None |
1 | Preexisting connection | Connection existed before SteelHead started. | Create a connection. |
2 | Connection paused | SteelHead is not intercepting connections. | Check that the service is enabled, in-path is enabled, the neighbor configuration, and whether the appliance is in admission control. |
3 | SYN on WAN side | Client is on the SteelHead WAN side. | Either this is the server-side SteelHead and there is no client-side appliance, or the client-side appliance did not probe. Check the cabling if it is really the client-side SteelHead. Configure a subnet side rule to identify traffic that should be treated as LAN-side traffic. Place the rule at the start of the subnet side rules list, before the default subnet side rule. |
4 | In-path rule | In-path rule matched on the client-side SteelHead is pass-through. | Check the in-path rules. |
5 | Peering rule | Peering rule matched on the server-side SteelHead is pass-through. | Check the peering rules. |
6 | Inner failed to establish | Inner connection between SteelHeads failed. | Check the connectivity between the client-side appliance and the server-side SteelHead. |
7 | Peer in fixed-target rule down | The target of a fixed-target rule is destined to a failed peer. | Check the connectivity between the client-side appliance and the server-side SteelHead. |
8 | No SteelHead on path to server | No server-side SteelHead. | Check that the server-side appliance is up and check that the connection goes through the server-side SteelHead. |
9 | No route for probe response | No route to send back probe response. | Check in-path gateway on the server-side SteelHead. |
10 | Out of memory | Memory problem while copying packet. | Check if the appliance is out of memory. |
11 | No room for more TCP options | Not enough space in TCP header to add probe. | This condition occurs when another device added TCP options before the appliance. Take a TCP dump to check which TCP options are in the SYN packet. Search for those options to learn what device uses them. |
12 | No proxy port for probe response | There is no service port configured on server-side SteelHead. | Configure a service port. |
13 | RX probe from failover buddy | The connection is intercepted by failover buddy. | No action is necessary. |
14 | Asymmetric routing | The connection is asymmetric. | Check the asymmetric routing table for reason. |
15 | Middle SteelHead | The SteelHead is not the first or last SteelHead. | Only happens when the Enhanced Auto-Discovery Protocol is enabled. |
16 | Error connecting to server | The server-side SteelHead could not connect to the server. | Only happens when the Enhanced Auto-Discovery Protocol is enabled. |
17 | Half open connections above limit | The client has too many half-opened connections. | Check if many connections open quickly from the same client. |
18 | Connection count above QOS limit | There are too many connections for that QoS class. | Check the QoS class. |
19 | Reached maximum TTL | The probe has an incorrect TTL. | Take a trace to check the probe. |
20 | Incompatible probe version | The probe has an incompatible version number. | Check if the new probe format is enabled, it is disabled by default. |
21 | Too many retransmitted SYNs | The client SYN has been retransmitted too many times. | Check if there is a firewall that does not like the probe TCP option. |
22 | Connection initiated by neighbor | The connection is intercepted by a neighbor. | No action is necessary. |
23 | Connection for local host | The connection is to the in-path interface. | No action is necessary. |
24 | Unknown reason | The pass-through reason does not match any other description. | No action is necessary. |
25 | Connection from proxy target | Because the connection originates from an IP address that is also the IP address of a fixed target rule, it is not intercepted. | No action is necessary. |
26 | SYN before SFE outer completes | The client connection was passed through at the client-side SteelHead and the client's pure SYN was seen at the server-side SteelHead. | Check if there is a firewall that does not like the probe TCP option. |
27 | Transparent inner on wrong VLAN | The inner connection seen on VLAN is different than the in-path VLAN. | No action is necessary. |
28 | Transparent inner not for this host | No action is necessary. | |
29 | Error on neighbor side | The neighbor SteelHead returned an error to a connection-forwarding request. | Check the health of the configured neighbors. |
30 | SYN/ACK, but no SYN | There is asymmetric routing received SYN/ACK but no SYN. | Check your routing. |
31 | Transparency packet from self | For Riverbed internal use only. | No action is necessary. |
32 | System is heavily loaded | The SteelHead is experiencing a heavy traffic load. | Contact Riverbed Support. You might require a larger model appliance. |
33 | SYN/ACK at MFE not SFE | There is asymmetric routing around the server-side SteelHead. | Check your routing. |
34 | Windows branch mode detected | The client-side is a SteelHead Mobile. Optimization is occurring between the SteelHead Mobile and the server-side SteelHead, so the connection is passed through on the client-side SteelHead. | No action is necessary. |
35 | Transparent RST to reset firewall state | The optimization service has sent a RST to clear the probe connection created by the SteelHead and to allow for the full transparent inner connection to traverse the firewall. | No action is necessary. |
36 | Error on SSL inner channel | An inner channel handshake has failed with peer. | Check the SSL configuration on both appliances. |
37 | Netflow only: Ricochet packet of optimized connection | This pass-through reason is attributed to a flow reported to a v9 NetFlow collector. A probe and packet have been sent by the SteelHead back through itself. For example, in an in-path setup, if a client-side SteelHead gateway is on its WAN side, all packets sent to the client will first go to the gateway and be sent back through the SteelHead on the way to the client. | Packet ricochet can be avoided in many environments by enabling simplified routing. |
38 | Passthrough due to MAPI admission control | New MAPI connections will be passed through due to high connection count. | New MAPI connections are optimized automatically when the MAPI traffic has decreased. |
39 | A SYN or RST packet contains data | ||
40 | Failed to discover SCPS device | RiOS cannot find an SCPS device. | |
41 | No matching client/server IPv6 scope | RiOS cannot set up the outer channel connection. | RiOS passes all packets through until it creates the outer channel. |
42 | Failed to create sport outer channel | RiOS cannot set up the outer channel connection. | RiOS passes all packets through until it creates the outer channel. |
43 | Flows not matching in-path rule | RiOS cannot match this traffic flow to any packet-mode optimization in-path rule. A packet-mode optimization rule defines the inner channel characteristics. | RiOS passes all packets through while the flow is in this state. Go to Optimization > In-Path rules to add a fixed-target packet-mode optimization in-path rule. |
44 | Packet mode channel setup pending | RiOS is attempting to set up the inner IPv4 or IPv6 channel connection. | RiOS passes all packets through until it creates the inner IPv4 or IPv6 channel. |
45 | Peer does not support packet-mode optimization | The peer SteelHead to which RiOS needs to establish the inner IPv4 or IPv6 channel connection does not support packet-mode optimization or packet-mode optimization is not enabled. | RiOS stops trying to optimize connections using packet-mode optimization with the peer. |
46 | Generic Flow error | A packet-mode optimization traffic flow transitions to this state when RiOS encounters one of these unrecoverable errors: • There is not enough memory to set up the inner channel. • The system has requested that RiOS kill the traffic flow. When RiOS receives this error, the SteelHead abandons all attempts to optimize the flow. | RiOS passes the flow through for its lifetime. |
47 | Failed to cache sock pointer | While configured for packet-mode optimization, RiOS cannot locate the socket pointer used to exchange packets through the inner channel. The system is attempting to write packets to the ring, but the socket is closed. This condition can occur when the optimization service shuts down unexpectedly. | Go to Administration > Maintenance: Services and restart the optimization service. |
48 | Packet mode optimization disabled | The connection is being passed through because packet-mode optimization is disabled. | Go to Optimization: Network Services > In-path Rules and enable packet-mode optimization. |
49 | Optimizing local connections only | On an Edge, the connection is being passed through because it did not originate locally. | |
50 | Netflow only: probe packet of optimized connection | ||
51 | IPv6 connection forwarding requires multi-interface support | RiOS is passing the connection through because the client-side SteelHead is configured without multi-interface connection forwarding. This configuration does not support IPv6. | Go to Networking Network Integration > Connection Forwarding and enable multiple interface support. |
52 | Neighbor does not support IPv6 | RiOS is passing the connection through because a connection-forwarding neighbor does not support IPv6. | Upgrade the connection-forwarding neighbor to RiOS 8.0 or later. |
53 | Reached the hard limit for the number of entries | RiOS is passing the connection through because it hit the maximum allowed limit for nonreusable connection entries. | |
54 | Connection or flow from GRE IPv4 tunnel |