Value | Pass-through reason (varies by connection) | Description | Action |
|---|---|---|---|
0 | None | None | None |
1 | Preexisting connection | Connection existed before SteelHead started. | Create a connection. |
2 | Connection paused | SteelHead isn’t intercepting connections. | Check that the service is enabled, in-path is enabled, the neighbor configuration, and whether the SteelHead is in admission control. |
3 | SYN on WAN side | Client is on the SteelHead WAN side. | Either this is the server-side SteelHead and there’s no client-side SteelHead, or the client-side SteelHead did not probe. Check the cabling if it is really the client-side SteelHead. |
4 | In-path rule | In-path rule matched on the client-side SteelHead is pass-through. | Check the in-path rules. |
5 | Peering rule | Peering rule matched on the server-side SteelHead is pass-through. | Check the peering rules. |
6 | Inner failed to establish | Inner connection between SteelHeads failed. | Check the connectivity between the client-side SteelHead and the server-side SteelHead. |
7 | Peer in fixed-target rule down | The target of a fixed-target rule is destined to a failed peer. | Check the connectivity between the client-side SteelHead and the server-side SteelHead. |
8 | No SteelHead on path to server | No server-side SteelHead. | Check that the server-side SteelHead is up and check that the connection goes through the server-side SteelHead. |
9 | No route for probe response | No route to send back probe response. | Check in-path gateway on the server-side SteelHead. |
10 | Out of memory | Memory problem while copying packet. | Check if the SteelHead is out of memory. |
11 | No room for more TCP options | Not enough space in TCP header to add probe. | This condition occurs when another device added TCP options before the SteelHead. Take a TCP dump to check which TCP options are in the SYN packet. Search for those options to learn what device uses them. |
12 | No proxy port for probe response | There is no service port configured on server-side SteelHead. | Configure a service port. |
13 | RX probe from failover buddy | The connection is intercepted by failover buddy. | No action is necessary. |
14 | Asymmetric routing | The connection is asymmetric. | Check the asymmetric routing table for reason. |
15 | Middle SteelHead | The SteelHead isn’t the first or last SteelHead. | Only happens when the Enhanced Auto-Discovery Protocol is enabled. |
16 | Error connecting to server | The server-side SteelHead couldn’t connect to the server. | Only happens when the Enhanced Auto-Discovery Protocol is enabled. |
17 | Half open connections above limit | The client has too many half-opened connections. | Check if many connections open quickly from the same client. |
18 | Connection count above QOS limit | There are too many connections for that QoS class. | Check the QoS class. |
19 | Reached maximum TTL | The probe has an incorrect TTL. | Take a trace to check the probe. |
20 | Incompatible probe version | The probe has an incompatible version number. | Check if the new probe format is enabled, it is disabled by default. |
21 | Too many retransmitted SYNs | The client SYN has been retransmitted too many times. | Check if there’s a firewall that doesn’t like the probe TCP option. |
22 | Connection initiated by neighbor | The connection is intercepted by a neighbor. | No action is necessary. |
24 | Unknown reason | The pass-through reason doesn’t match any other description. | No action is necessary. |
25 | Connection from proxy target | Because the connection originates from an IP address that is also the IP address of a fixed-target rule, it isn’t intercepted. | No action is necessary. |
26 | SYN before SFE outer completes | The client connection was passed through at the client-side SteelHead and the client's pure SYN was seen at the server-side SteelHead. | Check if there’s a firewall that doesn’t like the probe TCP option. |
27 | Transparent inner on wrong VLAN | The inner connection seen on VLAN is different than the in-path VLAN. | No action is necessary. |
28 | Transparent inner not for this host | The inner connection is not meant for this host. | No action is necessary. |
29 | Error on neighbor side | The neighbor SteelHead returned an error to a connection-forwarding request. | Check the health of the configured neighbors. |
30 | SYN/ACK, but no SYN | There is asymmetric routing - received SYN/ACK but no SYN. | Check your routing. |
31 | Transparency packet from self | For Riverbed internal use only. | No action is necessary. |
32 | System is heavily loaded | The SteelHead is experiencing a heavy traffic load. | Contact Support. You might require a larger model SteelHead. |
33 | SYN/ACK at MFE not SFE | There is asymmetric routing around the server-side SteelHead. | Check your routing. |
34 | Windows branch mode detected | The client-side is a SteelHead Mobile. Optimization is occurring between the SteelHead Mobile and the server-side SteelHead, so the connection is passed through on the client-side SteelHead. | No action is necessary. |
35 | Transparent RST to reset firewall state | The optimization service has sent an RST to clear the probe connection created by the SteelHead and to allow for the full transparent inner connection to traverse the firewall. | No action is necessary. |
36 | Error on SSL inner channel | An inner channel handshake has failed with peer. | Check the SSL configuration on both SteelHeads. |
37 | Netflow only: Ricochet packet of optimized connection | This pass-through reason is attributed to a flow reported to a NetFlow v9 collector. A probe and packet have been sent by the SteelHead back through itself. For example, in an in-path setup, if a client-side SteelHead gateway is on its WAN side, all packets sent to the client will first go to the gateway and be sent back through the SteelHead on the way to the client. | Packet ricochet can be avoided in many environments by enabling simplified routing. |
38 | Passthrough due to MAPI admission control | New MAPI connections will be passed through due to high connection count. | New MAPI connections are optimized automatically when the MAPI traffic has decreased. |
39 | A SYN or RST packet contains data | ||
40 | Failed to discover SCPS device | RiOS can’t find an SCPS device. | |
41 | No matching client/server IPv6 scope | RiOS can’t set up the outer channel connection. | RiOS passes all packets through until it creates the outer channel. |
42 | Failed to create sport outer channel | RiOS can’t set up the outer channel connection. | RiOS passes all packets through until it creates the outer channel. |
43 | Flows not matching in-path rule | RiOS can’t match this traffic flow to any packet-mode optimization in-path rule. A packet-mode optimization rule defines the inner channel characteristics. | RiOS passes all packets through while the flow is in this state. Choose Optimization > In-Path rules to add a fixed-target packet-mode optimization in-path rule. |
44 | Packet mode channel setup pending | RiOS is attempting to set up the inner IPv4 or IPv6 channel connection. | RiOS passes all packets through until it creates the inner IPv4 or IPv6 channel. |
45 | Peer does not support packet-mode optimization | The peer SteelHead to which RiOS needs to establish the inner IPv4 or IPv6 channel connection doesn’t support packet-mode optimization or packet-mode optimization isn’t enabled. | RiOS stops trying to optimize connections using packet-mode optimization with the peer. |
46 | Generic Flow error | A packet-mode optimization traffic flow transitions to this state when RiOS encounters one of these unrecoverable errors: • There isn’t enough memory to set up the inner channel. • The system has requested that RiOS kill the traffic flow. When RiOS receives this error, the SteelHead abandons all attempts to optimize the flow. | RiOS passes the flow through for its lifetime. |
47 | Failed to cache sock pointer | While configured for packet-mode optimization, RiOS can’t locate the socket pointer used to exchange packets through the inner channel. The system is attempting to write packets to the ring, but the socket is closed. This condition can occur when the optimization service shuts down unexpectedly. | Choose Administration > Maintenance: Services and restart the optimization service. |
48 | Packet mode optimization disabled | The connection is being passed through because packet-mode optimization is disabled. | Choose Optimization > In-path Rules and enable packet-mode optimization. |
49 | Optimizing local connections only | On a SteelHead EX, the connection is being passed through because it did not originate locally. | |
50 | Netflow only: probe packet of optimized connection | ||
51 | IPv6 connection forwarding requires multi-interface support | RiOS is passing the connection through because the client-side SteelHead is configured without multi-interface connection forwarding. This configuration doesn’t support IPv6. | Choose Networking > Connection Forwarding and enable multiple interface support. |
52 | Neighbor does not support IPv6 | RiOS is passing the connection through because a connection-forwarding neighbor doesn’t support IPv6. | Upgrade the connection-forwarding neighbor to RiOS 8.0 or later. |
53 | Reached the hard limit for the number of entries | RiOS is passing the connection through because it hit the maximum allowed limit for nonreusable connection entries. | |
54 | Connection or flow from GRE IPv4 tunnel |
Value | Pass-through reason (varies by connection) | Description | Action |
|---|---|---|---|
2 | Inner Connection through Legacy Cloud Accelerator | An inner connection to a remote SteelHead is running in the cloud. | No action is necessary. |
3 | Not a supported SaaS destination | Connection is through a SaaS service that isn’t supported, subscribed to, or enabled. | No action is necessary; however, if you want to optimize this destination IP address, contact Support. |
4 | Due to configured In-path rule | Connection isn’t redirected through the SteelHead SaaS due to an in-path rule to disable cloud acceleration. | Check that the Cloud Acceleration field in the relevant in-path rule is set to Auto. |
5 | Due to configured Peering rule | Connection isn’t redirected through the SteelHead SaaS due to a peering rule to disable cloud acceleration. | Check that the Cloud Acceleration field in the relevant peering rule is set to Auto. |
6 | Cloud acceleration disabled | Connection isn’t redirected through the SteelHead SaaS because it is disabled. | Check the Legacy Cloud Accelerator configuration. Choose Optimization > Legacy Cloud Accelerator and select the Enable Cloud Acceleration check box in the Legacy Cloud Accelerator page. |
7 | Redirection disabled globally | Connection isn’t redirected through the SteelHead SaaS because cloud acceleration redirection is disabled. | Choose Optimization > Legacy Cloud Accelerator and select the Enable Cloud Acceleration Redirection check box in the Legacy Cloud Accelerator page. |
8 | Redirection disabled for relay | Connection isn’t redirected through SteelHead SaaS because cloud acceleration redirection for this in-path interface is disabled. | Check the Legacy Cloud Accelerator redirection configuration for the relevant in-path interface on the command-line interface. Enter the show service cloud-accel CLI command on the command-line interface. For details, see the Riverbed Command-Line Interface Reference Guide. |
9 | Cloud proxy is down | Connection isn’t redirected through SteelHead SaaS because the redirection service encountered an error. | Contact Support. |
10 | No PQID added by first SteelHead | Connection isn’t redirected through SteelHead SaaS because the SteelHead closest to the client has SteelHead SaaS disabled or misconfigured. | Check the Legacy Cloud Accelerator configuration on the client-side SteelHead. |
11 | Failed to append CP code | Connection isn’t redirected through SteelHead SaaS because of a packet processing error. | Contact Support. |
12 | SYN retransmit (backhauled) | Connection isn’t redirected through SteelHead SaaS because too many SYN retransmits were received from the client. | Check if there’s a firewall that doesn’t allow inbound or outbound UDP packets for the SteelHead. |
13 | SYN retransmit (direct) | Connection isn’t redirected through SteelHead SaaS because too many SYN retransmits were received from the client. | Check if there’s a firewall that doesn’t allow inbound or outbound UDP packets for the SteelHead. |
14 | Passing to downstream SteelHead | Connection isn’t redirected through SteelHead SaaS because admission control is reached and there’s a SteelHead downstream that might optimize the connection. | No action is necessary. |
15 | Passthrough SYN retransmit | Connection isn’t redirected through SteelHead SaaS because too many SYN retransmits were received from the client. | Check if there’s a firewall that doesn’t allow inbound or outbound UDP packets for the SteelHead. |
16 | Rejected by cloud proxy | Connection isn’t redirected through SteelHead SaaS because the SteelHead SaaS network rejected the connection. | Contact Support. |
17 | Invalid Entitlement code | Connection isn’t redirected through SteelHead SaaS because of an invalid SteelHead SaaS configuration. | Contact Support. |
18 | Invalid timestamp | Connection isn’t redirected through SteelHead SaaS because the clock on the SteelHead isn’t synchronized. | Check the date and time settings on the SteelHead. |
19 | Invalid customer ID | Connection isn’t redirected through SteelHead SaaS because of an invalid SteelHead SaaS configuration. | Contact Support. |
20 | Invalid ESH ID | Connection isn’t redirected through SteelHead SaaS because of an invalid SCA configuration. | Contact Support. |
21 | Invalid SaaS ID | Connection isn’t redirected through SteelHead SaaS because of an invalid SCA configuration. | Contact Support. |
22 | Connection limit reached | Connection isn’t redirected through SteelHead SaaS because the subscription limit for the number of connections is reached. | Contact Support. You might require a higher SteelHead SaaS license. |
23 | Bandwidth limit reached | Connection isn’t redirected through SteelHead SaaS because the subscription limit for bandwidth used is reached. | Contact Support. You might require a higher SteelHead SaaS license. |