Viewing Current Connection reports

Viewing Reports and Logs : Viewing Current Connection reports

The Current Connections report displays the connections the SteelHead detects, including the connections that are passing through unoptimized.

You can search and customize the display using filters to list connections of interest. When you click Update, the report retrieves a listing of up to 500 real-time current connections. Navigating to the report or refreshing the page automatically updates the connections display.

What this report tells you

The Current Connections report answers these questions:

• What traffic is the SteelHead optimizing?

• How many connections are established?

• What’s the data reduction on a per-connection basis?

• How many connections are closing?

• How many connections are being passed through either intentionally or unintentionally?

• How many connections are being forwarded by a connection-forwarding neighbor?

• How many connections have been denied or discarded?

• Which Office 365 users have open connections? (Available in RiOS 9.5 and later)

To view the Current Connections report

1. Choose Reports > Networking: Current Connections.

Current Connections report

1 - Connections summary

The summary gives you an at-a-glance hierarchical overview of the traffic the SteelHead detects. It displays the total connection numbers for various types of optimization, pass-through, and forwarding. It categorizes the optimized, established connections by type and displays the portion of the total connections each connection type represents.

When you click a connection type such as established, you select it and also drive the show statement in the query area to search for established connections and exclude the other types.

The connections summary displays these connection types:

Connection type	Icon	Description
All current connections		Displays the total number of connections the SteelHead detects at the time you access the report, refresh the page, or click the Update button. It includes the connections that the SteelHead is passing through unoptimized, and connections that don’t appear in the connections table.
Established		Displays the total optimized, active connections.
		RiOS—Displays the double-ended, non-SCPS connections.
		RiOS + SCPS—Displays the total RiOS and SCPS connections established between two SteelHeads running RiOS 7.0 or later. Because both SteelHeads are SCPS compatible, this is a double-ended connection that benefits from traditional RiOS optimization (SDR and LZ).
		SCPS—Displays all current single-ended SCPS-optimized connections as a portion of the total.
		TCP proxy—Displays the total non-SCPS single-ended interception connections. An SEI connection is established between a single SteelHead running RiOS 7.0 or later paired with a third-party device running TCP-PEP (Performance Enhancing Proxy).
		Packet-mode optimized—Displays the total flows that were optimized packet-by-packet with SDR bandwidth optimization. These include TCP and UDP flows over IPv4 or IPv6. Packet-mode flows are considered to be neither single-ended nor double-ended. In RiOS 8.5, you must enable packet-mode optimization to view optimized UDP flows. To enable packet-mode optimization, choose Optimization > Network Services: General Service Settings. In RiOS 8.5.x and later, you must enable path selection and packet-mode optimization to view optimized UDP flows. To enable path selection, choose Networking > Network Services: Path Selection.
Establishing		Displays the total newly forming, initiating connections. The connection is being established but doesn’t yet have an inner channel. Establishing connections count toward the connection count limit on the SteelHead because, at any time, they might become a fully opened connection.
Opening		Displays the total half-open active connections. A half-open connection is a TCP connection in which the connection has not been fully established. Half-open connections count toward the connection count limit on the SteelHead because, at any time, they might become a fully opened connection. If you are experiencing a large number of half-open connections, consider a more appropriately sized SteelHead.
Closing		Displays the total half-closed active connections. Half-closed connections are connections that the SteelHead has intercepted and optimized but are in the process of becoming disconnected. These connections count toward the connection count limit on the SteelHead. (Half-closed connections might remain if the client or server doesn’t close its connections cleanly.) If you are experiencing a large number of half-closed connections, consider a more appropriately sized SteelHead.
Forwarded		Displays the total number of connections that were forwarded when you have configured a connection-forwarding neighbor to manage the connection. For details about connection forwarding, see Configuring connection forwarding features.
Passthrough (unoptimized)		Displays the total number of connections that were passed through unoptimized. You can view and sort these connections by intentional and unintentional pass-through in the connections table that follows this summary.
		Failed terminated—Displays the total number of terminated connections that were passed through unoptimized, because of reasons other than in-path rules.
		Failed packet-mode—Displays the total number of packet-mode flows that were passed through unoptimized, because of reasons other than in-path rules. In RiOS 8.5, you must enable packet-mode optimization to view UDP flows. To enable packet-mode optimization, choose Optimization > Network Services: General Service Settings. In RiOS 8.5.x and later, you must enable path selection or packet-mode optimization or both to view pass-through UDP flows. To enable path selection, choose Networking > Network Services: Path Selection.
		Intentional—Displays the total number of connections that were intentionally passed through unoptimized by in-path rules.
Errors		Displays all connections that have application or transport protocol errors as a portion of the total connections.

2 - Query area

The connections summary and the connections table convey a lot of information about connections the SteelHead is detecting. The best way to narrow your search is to filter and sort the report. The query area is where you select a simple or compound connection type for your search and optionally filter the results. The Show search control defines the contents of the connection summary and the connections table.

The simple connection search uses a match against a connection type to display only that type, and excludes the others. If you want to use more advanced criteria, such as including all connections that were started after a certain date, you can add one or more filters to achieve this.

To display a simple connection type

1. After Show, select a connection type from the drop-down list.

Connection type	Description
All current	Displays the total number of connections the SteelHead detects, including the connections that are passed through unoptimized. This selection removes any previous selections or filters.
Established	Displays the total optimized, active connections.
Packet-mode optimized	Displays the total connections that were optimized packet-by-packet with SDR bandwidth optimization. These connections include TCP IPv4, TCP IPv6, UDP IPv4, and UDP IPv6 connections. In RiOS 8.5, you must enable packet-mode optimization to view UDP flows. To enable packet-mode optimization, choose Optimization > Network Services: General Service Settings. In RiOS 8.5.x and later, you must enable path selection and packet-mode optimization to view optimized UDP flows. To enable path selection, choose Networking > Network Services: Path Selection.
Opening	Displays the total half-open active connections. A half-open connection is a TCP connection in which the connection has not been fully established. Half-open connections count toward the connection count limit on the SteelHead because, at any time, they might become a fully opened connection. If you are experiencing a large number of half-open connections, consider a more appropriately sized SteelHead.
Closing	Displays the total half-closed active connections. Half-closed connections are connections that the SteelHead has intercepted and optimized but are in the process of becoming disconnected. These connections are counted toward the connection count limit on the SteelHead. (Half-closed connections might remain if the client or server doesn’t close its connections cleanly.) If you are experiencing a large number of half-closed connections, consider a more appropriately sized SteelHead.
Forwarded	Displays the total number of connections forwarded by the connection-forwarding neighbor managing the connection.
Passthrough (unoptimized)	Displays the total number of connections that were passed through unoptimized. You can view and sort these connections by intentional and unintentional pass-through in the individual connections table that follows the connections summary.
Failed terminated	Displays the total number of terminated connections that were passed through unoptimized.
Failed packet-mode	Displays the total number of packet-mode flows that were passed through unoptimized.
Intentional	Displays the total number of connections that were intentionally passed through unoptimized.

2. Click Update.

Filtering the connections

Filters provide a powerful way to drill down into large numbers of connections by specifying either simple or complex filter criteria. Each filter further restricts the display.

When you customize filters, the system immediately writes them to disk on the SteelHead. The system saves all of your custom settings even after you log out, clear your browsing history, or close the browser. When you view the report again, your custom settings are intact. The system saves report settings on a per-user basis.

To filter the display (optional)

1. Click Add.

2. Select a filter from the drop-down list. Selecting some filters expands the query with a text input field for additional information. For example, selecting for application from the drop-down list displays a text input field for the application name. RiOS validates the text input fields as you enter the text (except when you enter a regular expression).

You can select any combination of these filters:

– matching regular expression—Displays a text input field for a regular expression and shows only those connections that match the expression. You can filter based on connections for a specific path selection uplink name by entering the name in this filter.

Examples:

10.16.35.1

Finds one particular IP address

10.16.35.1:5001

Finds port 5001 on one particular IP address

You can also use the regular expression filter to show only those connections for which the expression matches this string:

where each token in angle brackets is replaced by the connection properties. Use a single space between <source port> and <destination IP> and between <destination port> <protocol name>.

Notes

RiOS doesn’t validate the expression. A regular expression can contain special characters and embedded spaces that are unique to the regular expression syntax. For details, see The Gnu Awk User's Guide.

The filter matches only against the source, destination, and application name. It doesn’t consider start times, reduction, and byte counts.

The filter separates IP addresses and ports with a colon for matching:

x.x.x.x:p for IPv4

[xxxx:xxxx::xxxx]:p for IPv6

Uppercase and lowercase don’t matter (“mapi” matches MAPI, MAPI-ENCRYPT, and any other application containing MAPI).

A connection matches if the match string occurs anywhere within it (that is, a colon (:) matches all rows), unless overridden by special regular expression language such as a caret (^) or a dollar sign ($).

– from source IP address/mask—Displays a text input field for the IP address and subnet mask. You can specify an IPv4 or an IPv6 IP address.

– from source port—Displays a text input field for the source port.

– to destination IP address/mask—Displays a text input field for the IP address and subnet mask. You can specify an IPv4 or an IPv6 IP address.

– to destination port—Displays a text input field for the destination port.

– that have errors—Displays connections with either application protocol errors or transport protocol errors.

– for application—Select an application name from the drop-down list. The application filter is only relevant for optimized connections.

– that were started before—Displays a text input field for the date and time. Use this format: yyyy/mm/dd hh:mm:ss.

– that were started after—Displays a text input field for the date and time. Use this format: yyyy/mm/dd hh:mm:ss.

– that are single-ended only—Displays SCPS and TCP proxy connections. Applies only to established connections.

– that are double-ended only—Displays RiOS and RiOS + SCPS connections. Applies only to established connections.

– for user—Displays a text field that accepts only a valid email ID as input, to filter on User Identity column values.

Starting with RiOS 9.7, this field reports User IDs for SMB encrypted, SMB signed, and MAPI over HTTP (MoH) connections that are optimized. The User IDs are propagated for any other traffic that uses the same IP address as the SMB or MoH traffic.

This field also displays for SteelHeads running RiOS 9.5 or later if you check the Enable SaaS User Identity (Office 365) check box in the Optimization > Protocols: HTTP Configuration page, and configure the SteelHead to support SaaS features. See Configuring HTTP optimization feature settings for details. Starting with RiOS 9.7, User IDs are also propagated for any traffic that uses the same IP address as Office 365 traffic.

3. To add another filter, click add filter again. You can add up to eight filters; they’re logically ANDed together and are all active at any given time. Continue adding filters until your query is complete.

4. Click Update.

To delete a filter

• Click the delete filter icon.

3 - Connections table

The connections table displays more information about each connection, filtered by the show statement and any filters in the query area. The connections table can show up to 500 connections at a time; it lists the total of all matching connections in the upper-right corner. From this table, you can view more details about each connection and perform operations on it. For example, you can reset connections or send a keepalive message to the outer remote machine for an optimized connection (the machine that is connected to the SteelHead).

For details about the query area, see 2 - Query area.

Connections with IPv6 addresses are split into two rows to accommodate the long address. The report encloses IPv6 addresses in square brackets, and the source address, destination address, and other information appear in different columns.

Icons in the CT and Notes columns indicate the connection type and attributes. Mouse over an icon and reveal a tooltip identifying its meaning.

The individual connections table displays additional information about each connection. Because this report can list hundreds of transient connections, you can sort the table by column heading (except for the Notes column). For example, you can sort the connections by source IP address.

To sort the table by row

• Click the table column heading.

The table contents reload, if necessary. Click the heading again to reverse the order. A small up or down triangle reflects the current bidirectional sort order.

To reset the connection sample

• Click the dice icon on the far left.

The table contents reappear in the original display. For example, if you sort the display by a particular type, and there are more than 500 connections of that type, click the dice icon to return to the original display.

The connections table displays this information:

Column	Icon	Description
		Click this triangle to display the current connections details. See Viewing the current connection details. Because the details are a snapshot in time, by the time you click the connection, it could be gone or in a different state. If the connection is no longer available, a message tells you that the connection is closed. To refresh the display, click Update.
		Protocol Error—Displays a protocol error for both transport and application conditions. This list contains some of the conditions that trigger errors; it is a small subset of possible error conditions: • When the Optimize Connections with Security Signatures feature is enabled (which prevents SMB signing). This is an expected response. For details about preventing SMB signing, see Configuring CIFS optimization. • If a problem occurs while optimizing encrypted MAPI traffic. For details about enabling optimization of encrypted MAPI traffic, see Configuring MAPI optimization. • If a problem occurs with SSL optimization or the secure inner channel. • If a SRDF protocol error occurs when attempting to optimize traffic originating from the LAN side of the SteelHead. Check the LAN-side Symmetrix array for compatibility. Click the connection for more details about the error.
CT (Connection Type)		Established—Indicates that the connection is established and active.
		Intentional Passthrough—Indicates that the connection was intentionally passed through unoptimized because of in-path rules.
		Failed terminated—Indicates that the connection was passed through unoptimized.
		Failed packet-mode—Indicates that the packet-mode flow was passed through unoptimized.
		Establishing—Indicates that the connection is initiating and isn’t yet fully established. The source and destination ports appear as n/a.
		Opening (Optimized)—Indicates that the connection is half-open and active. A half-open connection is a TCP connection that has not been fully established.
		Closing (Optimized)—Indicates that the connection is half-closed and active. A half-closed connection has been intercepted and optimized by the SteelHead but is in the process of becoming disconnected.
		Forwarded—Indicates that the connection is forwarded by the connection-forwarding neighbor managing the connection. For details about connection forwarding, see Configuring connection forwarding features.
Notes		Displays connection icons that indicate the current state of the connection. The connection states can be one of these:
		Compression Enabled—Indicates that LZ compression is enabled.
		SDR Enabled—Indicates that SDR optimization is enabled.
		WAN Encryption Enabled—Indicates that encryption is enabled on the secure inner channel (WAN). For details, see Configuring secure peers.
		Cloud Acceleration ON—Indicates that the legacy cloud acceleration service for SaaS applications is enabled.
Source:Port		Displays the connection source IP address and port.
Destination:Port		Displays the connection destination IP address and port.
LAN/kB WAN/kB		Displays the amount of LAN or WAN throughput, in kilobytes.
Reduction		Displays the degree of WAN traffic optimization as a percentage of LAN traffic sent. Higher percentages mean that fewer bytes were sent over the WAN. Red squares indicate that an optimizing connection is currently showing 0 percent data reduction, which might be caused by multiple scenarios. Typically, 0 percent data reduction occurs when the system is optimizing a session containing encrypted payload. You can set up an in-path pass-through rule to prevent the system from interception the connection for optimization.
Start Time		Displays the time that the connection was started. This column doesn’t apply to preexisting connections. Select the column heading to sort data start time in ascending or descending order.
Application		Displays the application associated with the connection: for example: TCP, CIFS, MAPI, eMAPI-OA (encrypted MAPI Outlook Anywhere), SMB31-ENCRYPED, SMB21-SIGNED, or HTTP. When Application Visibility is enabled (the default), the table displays the hierarchical, DPI-based application name (for example, HTTP > Facebook), instead of just the port-based name (for example, HTTP). When you expand a connection, a new Application row displays the hierarchical name, when available, or the port-based name if not. (For newly formed connections, the application name might have changed from what was reported in the table). Application visibility gives you a better sense of what applications are running instead of just seeing traffic through port numbers or web traffic classified as generic HTTP.
User Identity		Starting with RiOS 9.7, this field reports User IDs for SMB encrypted, SMB signed, and MoH connections that are optimized. The User IDs are propagated for any other traffic that uses the same IP address as the SMB or MoH 365 traffic. Starting with RiOS 9.5, this field also displays the user ID for Office 365 traffic when the SaaS User Identity feature is enabled in the Optimization > Protocols: HTTP page. See Configuring HTTP optimization feature settings for details. Starting with RiOS 9.7, user IDs are also propagated for any traffic that uses the same IP address as Office 365 traffic. The following caveats apply to the SMB and MoH reporting feature: • For the user ID to appear in the client-side SteelHead’s current connections report, both the client-side and server-side SteelHeads must be running a RiOS version of 9.7 or later. • Network address translation (NAT) cannot be used before traffic reaches the SteelHead. • The SteelHead appliance extracts and reports User IDs each time any SMB encrypted, SMB signed, and MoH connections are optimized. User IDs are also extracted and reported for Office 365 SaaS connections if SaaS User Identity is enabled. If traffic that does not match those properties is received on the same IP address on which User IDs have been extracted, that traffic is reported as having the same user ID as the last-reported SMB, MoH, or SaaS connection. • This feature is enabled by default; to disable or reenable this feature, enter the [no] user-identity propagation enable and, optionally, [no] user-identity sources enable commands. See the Riverbed Command-Line Interface Reference Manual for command details.

For information on removing an unknown SteelHead from the current connections list, see Preventing an unknown (or unwanted) SteelHead from peering.

Viewing the current connection details

The Current Connections report displays details about the connected appliances, such as the source and destination IP address, the peer SteelHead, the inner local port, and so on. You can also perform these operations:

• For optimized connections, send a keepalive message to the outer remote machine (the machine that is connected to this appliance)

• Reset any connection, optimized or pass-through

• Retrieve the most recent data for a connection

The report doesn’t allow the connection details to refresh automatically, because doing so could slow down the SteelHead; however, the connection age updates when you manually refresh the page.

To view current connection details

1. Choose Reports > Networking: Current Connections.

2. Click the arrow next to the connection in the connections table to see more details about an individual connection and perform operations on it. Because this report is a snapshot in time, by the time you click it, the connection could be gone or in a different state. Click Update to refresh the display.

Current Connections Details for an Optimized Connection

To close the connection details report

• Click the close icon.

4 - Connection details

The expanded connection details vary, depending on the nature of the connection.

Optimized connection details

This table summarizes details about individual optimized connections. The fields that appear are dependent on the type of connection.

Field	Description
Connection type	Shows the connection type icon and whether the connection is established, opening, or closing.
Connection age	Shows the time since the connection was created.
Application	Shows the application corresponding to the connection (for example, NFS). When Application Visibility is enabled, more detailed protocol information is shown for some applications. For example, HTTP-SharePoint appears as the WebDAV or FPSE protocols and Office 365 appears as MS-Office-365 instead of HTTP.
Application error	Displays the application protocol error, if one exists.
Transport	Shows the transport protocol name: for example, SSL inner.
Transport error	Displays the transport protocol error, if one exists.
User Name	Shows the SSO user ID for Office 365 users.
User Domain	Shows the SSO user domain for Office 365 users.
Client side	Displays whether this appliance is on the client side.
Protocol	Shows the low-level protocol that RiOS is using inside the packet-mode channel. The protocol can be UDP, TCP, or variants.
SaaS application	Shows the SaaS application name, if one exists.
Cloud acceleration state	Shows the SaaS connection state, if a SaaS application is running (with the legacy cloud acceleration service).
Inbound QoS class	Shows the QoS inbound class the connection is associated with when shaping is enabled. When the connection carries multiple classes, the report displays Variable.
Outbound QoS class	Shows the QoS outbound class the connection is associated with when shaping is enabled. When the connection carries multiple classes, the report displays Variable.
Outbound QoS DSCP	Shows the DSCP marking value for the connection when marking is enabled, even if it is zero. The report displays the value from the inner ToS. When the connection carries multiple values, the report displays Variable. When relevant, the Notes section displays several details that are binary in nature.
GeoDNS IP result	Shows the GeoDNS IP address that the SteelHead is using to optimize Office 365. The connection summary displays the original destination IP address.
Notes	In-path- This connection is in-path. SkipWare compression in—The single-ended optimized connection is applying Skipware105 compression on incoming data. SkipWare compression out—The single-ended optimized connection is applying Skipware105 compression on outgoing data. Pre-existing—The connection existed before the last restart of the optimization service. Pre-existing asymmetric—The connection is traveling an asymmetric route and existed before the last restart of the optimization service. Optimized connections might show the following notes: • Client side—The SteelHead is on the client side of the connection. • SDR optimized—SDR optimization is enabled. • LZ compressed—LZ compression is enabled. Packet-mode optimized connections might show the following note: • Incomplete parse—The inner channel exists but the connection through the channel isn’t fully formed. Optimized, nonpacket mode connections might show the following notes: • In-path—This is an in-path connection. • Single-ended—The connection involves only one SteelHead. • WAN encrypted—Encryption is enabled on the secure inner channel (WAN). • Cloud accelerated—The legacy cloud acceleration service for SaaS applications is enabled. SCPS connections show at least one of the following notes: • SCPS initiate: WAN side—The SteelHead has initiated the SCPS connection on the WAN. • SCPS initiate: LAN side—The SteelHead has initiated the SCPS connection on the LAN. • SCPS terminate: WAN side—The SteelHead has terminated the SCPS connection on the WAN. • SCPS terminate: LAN side—The SteelHead has terminated the SCPS connection on the LAN.
WAN and LAN-Side Statistics	LAN Bytes—Displays the total LAN bytes transmitted. WAN Bytes—Displays the total WAN bytes transmitted. Retransmitted—Displays the total packets retransmitted. Fast Retransmitted—Displays the total packets fast retransmitted. Fast retransmit reduces the time a sender waits before retransmitting a lost segment. If an acknowledgment isn’t received for a particular segment within a specified time (a function of the estimated round-trip delay time), the sender assumes the segment was lost in the network, and retransmits the segment. Timeouts—Displays the number of packet transmissions that timed out because no ACK was received. Congestion Window—Displays number of unACKed packets permitted, adjusted automatically by the SteelHead, depending on WAN congestion.

3. Optionally, to print the report, choose File > Print in your web browser to open the Print dialog box.

Path selection connection details

This table summarizes details about optimized and pass-through TCP connections using path selection. It displays the history of the three recent uplinks, in case the connection switches uplinks after an uplink goes down. This summary includes only nonpacket-mode flows.

You can filter based on connections for a specific path selection uplink name by entering the name into the matching regular expression filter.

Data	Description (varies by connection)
Relayed	Displays the number of bytes relayed if all uplinks are down.
Dropped	Displays the number of bytes dropped if all uplinks are down.
Bypassed	Displays the number of bytes bypassed if all uplinks are down.
Reflected	Displays the number of bytes reflected.
Local uplink	Displays the uplink name.
Remote uplink	Displays the remote uplink name.
Status	Displays whether the uplink is reachable (Up) or unreachable (Down).
Last started	Displays the time the connection started using the uplink.
Bytes	Displays the total number of bytes transferred through the uplink. The LAN kB value and this number don’t match. This value displays only the bytes using path selection on the WAN.
DSCP	Displays the DSCP marking set for the uplink.

For details, see Path selection.

Individual pass-through or forwarded connection details

This table summarizes details about individual pass-through or forwarded connections.

Data

Description (varies by connection)

Connection Information

Connection Type—Displays a connection type icon and whether the pass-through was intentional or unintentional. Displays the forwarded reduction percentage bar for forwarded connections.

Connection Age—Displays the time since the connection was created.

Transport—Displays the transport protocol name: for example, SSL inner.

Application—Displays the application corresponding to the connection: for example, NFS.

Client-Side—Displays whether the connection is on the client side.

Pre-Existing—Displays whether the connection existed before the last restart of the optimization service.

Passthrough Reason—Displays the reason for passing through or forwarding the connection.

Pass-through reasons

This table shows the connection pass-through reasons.

Value	Pass-through reason (varies by connection)	Description	Action
0	None	None	None
1	Preexisting connection	Connection existed before SteelHead started.	Create a connection.
2	Connection paused	SteelHead isn’t intercepting connections.	Check that the service is enabled, in-path is enabled, the neighbor configuration, and whether the SteelHead is in admission control.
3	SYN on WAN side	Client is on the SteelHead WAN side.	Either this is the server-side SteelHead and there’s no client-side SteelHead, or the client-side SteelHead did not probe. Check the cabling if it is really the client-side SteelHead.
4	In-path rule	In-path rule matched on the client-side SteelHead is pass-through.	Check the in-path rules.
5	Peering rule	Peering rule matched on the server-side SteelHead is pass-through.	Check the peering rules.
6	Inner failed to establish	Inner connection between SteelHeads failed.	Check the connectivity between the client-side SteelHead and the server-side SteelHead.
7	Peer in fixed-target rule down	The target of a fixed-target rule is destined to a failed peer.	Check the connectivity between the client-side SteelHead and the server-side SteelHead.
8	No SteelHead on path to server	No server-side SteelHead.	Check that the server-side SteelHead is up and check that the connection goes through the server-side SteelHead.
9	No route for probe response	No route to send back probe response.	Check in-path gateway on the server-side SteelHead.
10	Out of memory	Memory problem while copying packet.	Check if the SteelHead is out of memory.
11	No room for more TCP options	Not enough space in TCP header to add probe.	This condition occurs when another device added TCP options before the SteelHead. Take a TCP dump to check which TCP options are in the SYN packet. Search for those options to learn what device uses them.
12	No proxy port for probe response	There is no service port configured on server-side SteelHead.	Configure a service port.
13	RX probe from failover buddy	The connection is intercepted by failover buddy.	No action is necessary.
14	Asymmetric routing	The connection is asymmetric.	Check the asymmetric routing table for reason.
15	Middle SteelHead	The SteelHead isn’t the first or last SteelHead.	Only happens when the Enhanced Auto-Discovery Protocol is enabled.
16	Error connecting to server	The server-side SteelHead couldn’t connect to the server.	Only happens when the Enhanced Auto-Discovery Protocol is enabled.
17	Half open connections above limit	The client has too many half-opened connections.	Check if many connections open quickly from the same client.
18	Connection count above QOS limit	There are too many connections for that QoS class.	Check the QoS class.
19	Reached maximum TTL	The probe has an incorrect TTL.	Take a trace to check the probe.
20	Incompatible probe version	The probe has an incompatible version number.	Check if the new probe format is enabled, it is disabled by default.
21	Too many retransmitted SYNs	The client SYN has been retransmitted too many times.	Check if there’s a firewall that doesn’t like the probe TCP option.
22	Connection initiated by neighbor	The connection is intercepted by a neighbor.	No action is necessary.
23	Connection for local host	The connection is to the in-path interface.	No action is necessary.
24	Unknown reason	The pass-through reason doesn’t match any other description.	No action is necessary.
25	Connection from proxy target	Because the connection originates from an IP address that is also the IP address of a fixed-target rule, it isn’t intercepted.	No action is necessary.
26	SYN before SFE outer completes	The client connection was passed through at the client-side SteelHead and the client's pure SYN was seen at the server-side SteelHead.	Check if there’s a firewall that doesn’t like the probe TCP option.
27	Transparent inner on wrong VLAN	The inner connection seen on VLAN is different than the in-path VLAN.	No action is necessary.
28	Transparent inner not for this host	The inner connection is not meant for this host.	No action is necessary.
29	Error on neighbor side	The neighbor SteelHead returned an error to a connection-forwarding request.	Check the health of the configured neighbors.
30	SYN/ACK, but no SYN	There is asymmetric routing - received SYN/ACK but no SYN.	Check your routing.
31	Transparency packet from self	For Riverbed internal use only.	No action is necessary.
32	System is heavily loaded	The SteelHead is experiencing a heavy traffic load.	Contact Support. You might require a larger model SteelHead.
33	SYN/ACK at MFE not SFE	There is asymmetric routing around the server-side SteelHead.	Check your routing.
34	Windows branch mode detected	The client-side is a Client Accelerator. Optimization is occurring between the Client Accelerator and the server-side SteelHead, so the connection is passed through on the client-side SteelHead.	No action is necessary.
35	Transparent RST to reset firewall state	The optimization service has sent an RST to clear the probe connection created by the SteelHead and to allow for the full transparent inner connection to traverse the firewall.	No action is necessary.
36	Error on SSL inner channel	An inner channel handshake has failed with peer.	Check the SSL configuration on both SteelHeads.
37	Netflow only: Ricochet packet of optimized connection	This pass-through reason is attributed to a flow reported to a NetFlow v9 collector. A probe and packet have been sent by the SteelHead back through itself. For example, in an in-path setup, if a client-side SteelHead gateway is on its WAN side, all packets sent to the client will first go to the gateway and be sent back through the SteelHead on the way to the client.	Packet ricochet can be avoided in many environments by enabling simplified routing.
38	Passthrough due to MAPI admission control	New MAPI connections will be passed through due to high connection count.	New MAPI connections are optimized automatically when the MAPI traffic has decreased.
39	A SYN or RST packet contains data
40	Failed to discover SCPS device	RiOS can’t find a SCPS device.
41	No matching client/server IPv6 scope	RiOS can’t set up the outer channel connection.	RiOS passes all packets through until it creates the outer channel.
42	Failed to create sport outer channel	RiOS can’t set up the outer channel connection.	RiOS passes all packets through until it creates the outer channel.
43	Flows not matching in-path rule	RiOS can’t match this traffic flow to any packet-mode optimization in-path rule. A packet-mode optimization rule defines the inner channel characteristics.	RiOS passes all packets through while the flow is in this state. Choose Optimization > In-Path rules to add a fixed-target packet-mode optimization in-path rule.
44	Packet mode channel setup pending	RiOS is attempting to set up the inner IPv4 or IPv6 channel connection.	RiOS passes all packets through until it creates the inner IPv4 or IPv6 channel.
45	Peer does not support packet-mode optimization	The peer SteelHead to which RiOS needs to establish the inner IPv4 or IPv6 channel connection doesn’t support packet-mode optimization or packet-mode optimization isn’t enabled.	RiOS stops trying to optimize connections using packet-mode optimization with the peer.
46	Generic Flow error	A packet-mode optimization traffic flow transitions to this state when RiOS encounters one of these unrecoverable errors: • There isn’t enough memory to set up the inner channel. • The system has requested that RiOS kill the traffic flow. When RiOS receives this error, the SteelHead abandons all attempts to optimize the flow.	RiOS passes the flow through for its lifetime.
47	Failed to cache sock pointer	While configured for packet-mode optimization, RiOS can’t locate the socket pointer used to exchange packets through the inner channel. The system is attempting to write packets to the ring, but the socket is closed. This condition can occur when the optimization service shuts down unexpectedly.	Choose Administration > Maintenance: Services and restart the optimization service.
48	Packet mode optimization disabled	The connection is being passed through because packet-mode optimization is disabled.	Choose Optimization > In-path Rules and enable packet-mode optimization.
49	Optimizing local connections only	On a SteelHead EX, the connection is being passed through because it did not originate locally.
50	Netflow only: probe packet of optimized connection
51	IPv6 connection forwarding requires multi-interface support	RiOS is passing the connection through because the client-side SteelHead is configured without multi-interface connection forwarding. This configuration doesn’t support IPv6.	Choose Networking > Connection Forwarding and enable multiple interface support.
52	Neighbor does not support IPv6	RiOS is passing the connection through because a connection-forwarding neighbor doesn’t support IPv6.	Upgrade the connection-forwarding neighbor to RiOS 8.0 or later.
53	Reached the hard limit for the number of entries	RiOS is passing the connection through because it hit the maximum allowed limit for nonreusable connection entries.
54	Connection or flow from GRE IPv4 tunnel

SaaS connection details

This table shows the SaaS connection details.

Value	Reason	Description	Action
0	None	None	None
1	Optimized connection	Connection is redirected through the SteelHead SaaS to a SaaS service.	No action is necessary.

Pass-through reasons for SaaS connections

This table lists the connection pass-through reasons for SaaS connections with the legacy cloud accelerator service.

Value	Pass-through reason (varies by connection)	Description	Action
2	Inner Connection through Cloud Accelerator	An inner connection to a remote SteelHead is running in the cloud.	No action is necessary.
3	Not a supported SaaS destination	Connection is through a SaaS service that isn’t supported, subscribed to, or enabled.	No action is necessary; however, if you want to optimize this destination IP address, contact Support.
4	Due to configured In-path rule	Connection isn’t redirected through the SteelHead SaaS due to an in-path rule to disable cloud acceleration.	Check that the Cloud Acceleration field in the relevant in-path rule is set to Auto.
5	Due to configured Peering rule	Connection isn’t redirected through the SteelHead SaaS due to a peering rule to disable cloud acceleration.	Check that the Cloud Acceleration field in the relevant peering rule is set to Auto.
6	Cloud acceleration disabled	Connection isn’t redirected through the SteelHead SaaS because it is disabled.	Check the cloud accelerator configuration. ChooseOptimization > Cloud Accelerator and select the Enable Cloud Acceleration check box in the Cloud Accelerator page.
7	Redirection disabled globally	Connection isn’t redirected through the SteelHead SaaS because cloud acceleration redirection is disabled.	Choose Optimization > Cloud Accelerator and select the Enable Cloud Acceleration Redirection check box in the Cloud Accelerator page.
8	Redirection disabled for relay	Connection isn’t redirected through SteelHead SaaS because cloud acceleration redirection for this in-path interface is disabled.	Check the Cloud Accelerator redirection configuration for the relevant in-path interface on the command-line interface. Enter this command on the command-line interface: show service cloud-accel For details, see the Riverbed Command-Line Interface Reference Manual.
9	Cloud proxy is down	Connection isn’t redirected through SteelHead SaaS because the redirection service encountered an error.	Contact Support.
10	No PQID added by first SteelHead	Connection isn’t redirected through SteelHead SaaS because the SteelHead closest to the client has SteelHead SaaS disabled or misconfigured.	Check the Cloud Accelerator configuration on the client-side SteelHead.
11	Failed to append CP code	Connection isn’t redirected through SteelHead SaaS because of a packet processing error.	Contact Support.
12	SYN retransmit (backhauled)	Connection isn’t redirected through SteelHead SaaS because too many SYN retransmits were received from the client.	Check if there’s a firewall that doesn’t allow inbound or outbound UDP packets for the SteelHead.
13	SYN retransmit (direct)	Connection isn’t redirected through SteelHead SaaS because too many SYN retransmits were received from the client.	Check if there’s a firewall that doesn’t allow inbound or outbound UDP packets for the SteelHead.
14	Passing to downstream SteelHead	Connection isn’t redirected through SteelHead SaaS because admission control is reached and there’s a SteelHead downstream that might optimize the connection.	No action is necessary.
15	Passthrough SYN retransmit	Connection isn’t redirected through SteelHead SaaS because too many SYN retransmits were received from the client.	Check if there’s a firewall that doesn’t allow inbound or outbound UDP packets for the SteelHead.
16	Rejected by cloud proxy	Connection isn’t redirected through SteelHead SaaS because the SteelHead SaaS network rejected the connection.	Contact Support.
17	Invalid Entitlement code	Connection isn’t redirected through SteelHead SaaS because of an invalid SteelHead SaaS configuration.	Contact Support.
18	Invalid timestamp	Connection isn’t redirected through SteelHead SaaS because the clock on the SteelHead isn’t synchronized.	Check the date and time settings on the SteelHead.
19	Invalid customer ID	Connection isn’t redirected through SteelHead SaaS because of an invalid SteelHead SaaS configuration.	Contact Support.
20	Invalid ESH ID	Connection isn’t redirected through SteelHead SaaS because of an invalid SCA configuration.	Contact Support.
21	Invalid SaaS ID	Connection isn’t redirected through SteelHead SaaS because of an invalid SCA configuration.	Contact Support.
22	Connection limit reached	Connection isn’t redirected through SteelHead SaaS because the subscription limit for the number of connections is reached.	Contact Support. You might require a higher SteelHead SaaS license.
23	Bandwidth limit reached	Connection isn’t redirected through SteelHead SaaS because the subscription limit for bandwidth used is reached.	Contact Support. You might require a higher SteelHead SaaS license.

5 - Tools

This section provides buttons that perform an operation on a single connection. It also provides a link to log information.

You can perform these operations:

Control	Description
Send Keep-Alive	For an optimized connection, click to send a keepalive message to the outer remote machine (the machine that is connected to this appliance). This operation isn’t available for a pass-through connection. This button is dimmed for users logged in as a monitor user.
Refresh Data	Click to retrieve the most recent data for the connection.
Reset Connection	Click to send an RST packet to both the client and server to close the connection. You can reset both optimized and pass-through connections. You can’t reset a forwarded connection. Note: If no data is being transferred between the client and server when you click Reset Connection, the connection isn’t reset immediately. It resets the next time the client or server tries to send a message. Therefore, when the application is idle, it might take a while for the connection to disappear. This button is dimmed for users logged in as a monitor user.
Log for this SteelHead	Click to go to the System Logs page.

6 - Network topology

This section shows a graphical representation of the connection source-to-destination network topology and information associated with the different elements. This graphic varies depending on the connection type and is only relevant for optimized connections. It doesn’t appear for pass-through connections.

The topology shows this information:

• All of the IP addresses and port numbers associated with the connection.

• Transparency mode, which describes the visibility of each actual IP address and port on the SteelHeads to each other, for terminated connections only. For details, see Configuring in-path rules.

• Channel ID and type for packet-mode flows only. For details, see Configuring in-path rules.

• Congestion control, including the method in use to mitigate WAN congestion. For details on congestion-control types, see Configuring TCP, satellite optimization, and high-speed TCP.

• SteelHead models and RiOS versions.

• A “YOU ARE HERE” label identifies the SteelHead whose page you are viewing.

7 - LAN/WAN table

This table shows raw tallies for LAN and WAN connections to summarize data about channel processing for a specific connection. The table varies by type of connection.

Use this table to answer questions such as:

• For any given channel, how many bytes (or packets) did the channel receive and subsequently transmit?

• Which channels have processed the most traffic? The least traffic?

• What error types and quantities were encountered for traffic inbound from the WAN?

• What error types and quantities were encountered for traffic inbound from the LAN?

This table provides an explanation for some of the fields.

Field	Description
Bytes	The total of transmitted LAN and WAN bytes.
Packets	The total of transmitted WAN and LAN packets.
Retransmitted	The total of retransmitted WAN and LAN packets.
Fast Retransmitted	The total fast-retransmitted packets. Fast retransmit reduces the time a sender waits before retransmitting a lost segment. If an acknowledgment isn’t received for a particular segment within a specified time (a function of the estimated round-trip delay time), the sender assumes the segment was lost in the network, and retransmits the segment.
Timeouts	The number of packet transmissions that timed out because no ACK was received.
Congestion Window	Displays number of unACKed packets permitted, adjusted automatically by the SteelHead, depending on WAN congestion.