On 6/04/2017, at 12:25 AM, Abdoul Osséni <abdoul.osseni@gmail.com> wrote:
I always have this issue with NAT devices using VSS-Monitoring protocol.

A network capture shows:
- Kamailio sends a TCP keepalive
- The NAT device sends a TCP keepalive ACK to Kamailio with a new field: vss-monitoring
Frame 70: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Linux cooked capture
Internet Protocol Version 4, Src: x.x.x.x, Dst: x.x.x.x
Transmission Control Protocol, Src Port: 13178, Dst Port: 443, Seq: 2752, Ack: 6214, Len: 0
VSS-Monitoring ethernet trailer, Source Port: 0
Src Port: 0

Hi,

VSS-Monitoring is a function of your monitoring tap, it is not a function of your NAT box - http://www.vssmonitoring.com/resources/feature-brief/Port-and-Time-Stamping.pdf
It should not be included in the actual traffic packets going past the tap - only the packets that you see on your network analyser - if you find that it is included on actual packets, you need to talk to your networking people and get that fixed.

It is very unlikely that a NAT device sends anything other than synthesised RST packets. It certainly won’t be generating close notify TLS alerts - I’m not actually sure that it can, they might need to be authenticated.

If you are seeing a close notify, you should capture between the UAC and the NAT device - I believe you will see the close notify TLS alert coming from the UAC. If that is the case, you need to look at the UAC for why it’s doing that. Perhaps your UAC does not support TCP keepalives properly.

--
Nathan Ward
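
Added example, not part of the original thread: a way to measure how many bytes in a captured frame lie beyond the IPv4 total length, which is the region an analyser dissects as an Ethernet trailer. Running it on frames captured at different points shows whether those bytes are present at each one. It assumes Linux cooked capture v1 (16-byte header) and IPv4; the function names and the sample frame are constructed for illustration.

```python
import struct

SLL_LEN = 16             # Linux cooked capture v1 header length (assumption)
ETHERTYPE_IPV4 = 0x0800

def split_trailer(frame: bytes) -> tuple[bytes, bytes]:
    """Return (ipv4_datagram, trailer) for one cooked-capture frame."""
    if len(frame) < SLL_LEN + 20:
        raise ValueError("frame too short for SLL + IPv4 header")
    (proto,) = struct.unpack_from("!H", frame, 14)   # SLL protocol field
    if proto != ETHERTYPE_IPV4 or frame[SLL_LEN] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[SLL_LEN] & 0x0F) * 4                # IPv4 header length
    (total_len,) = struct.unpack_from("!H", frame, SLL_LEN + 2)
    end = SLL_LEN + total_len
    if total_len < ihl or end > len(frame):
        raise ValueError("IPv4 total length inconsistent with captured bytes")
    # Everything after the datagram is link-layer padding or a tap trailer.
    return frame[SLL_LEN:end], frame[end:]

def build_sample_frame(trailer: bytes = bytes(6)) -> bytes:
    """Constructed frame: SLL + IPv4 + bare TCP ACK + trailer (62 bytes by default).

    Addresses are documentation ranges; checksums are left as 0 (not verified here).
    """
    sll = struct.pack("!HHH8sH", 0, 1, 6,
                      bytes.fromhex("0200000000010000"), ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", 13178, 443, 2752, 6214,
                      0x50, 0x10, 1024, 0, 0)        # ACK only, Len: 0
    return sll + ip + tcp + trailer

if __name__ == "__main__":
    datagram, trailer = split_trailer(build_sample_frame())
    print(f"IP datagram: {len(datagram)} bytes, "
          f"trailer: {len(trailer)} bytes ({trailer.hex()})")
```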