Forum Discussion
Cirrus11.5.1-HF3 - LTM monitor Resets
Hi,
I have a little problem with my new systems, which are running with 11.5.1-HF3.
At the moment, there is no active traffic on the systems. Only monitoring of the backend from my configured pools.
Here I can see, that a random pool sometimes is going down for a small time.
With wireshark I can see, that the bigip sometimes reset the connection of the haelthcheck and sends an ICMP unreachable to the backend. After 9 seconds everything is ok again.
The timeout of the member is 5 seconds, the monitor is default tcp.
With a http monitor - timout 10 seconds -, I allways have a downtime of 15 seconds.
It allways looks the same:
BIGIP sends a SYN
Backend sends a SYN, ACK
BIGIP sends a Destination unreacheable
BIGIP sends a RST, ACK
There is everywhere a cnnection limit of 0.
Anyone have an idea?
14 Replies
Arnaud_LemaireEmployee
Hi, is you monitor traffic coming back through the same vlan as you sent the request ?
TortiYes, it is all in the same vlan.
- Tortiadd from log: RST sent from $BIGIP:54321 to $BACKEND:30102, [0x1b60efd:1508] {peer} ICMP unreachable received RST sent from $BACKEND:30102 to $BIGIP:54321, [0x1b60efd:1508] ICMP unreachable received ...monitor status down
shaggyNimbostratus
(sorry if your VLAN answer above applies to this question) - Are the nodes on a directly-connected VLAN?
- Torti
the nodes are all on seperate vlans connected through an ASA.
I have nearly the same conifguration on 2 old systems with 11.2.1. Here, everything is running fine. - shaggy
I haven't seen this issue come across in 11.5, but I would start by examining the LTM and nodes' routing tables. I would expect a routing issue to always impact this traffic rather than randomly, but it's worth validating. Have you tried setting the monitor to gateway_icmp to see if it's a routing/connectivity issue?
- Tortii will check this
shaggy_121467Cumulonimbus
I haven't seen this issue come across in 11.5, but I would start by examining the LTM and nodes' routing tables. I would expect a routing issue to always impact this traffic rather than randomly, but it's worth validating. Have you tried setting the monitor to gateway_icmp to see if it's a routing/connectivity issue?
- Tortii will check this
- Torti
Ok, if I set the monitor of the most pools (47) to gateway_icmp, I don't get the error messages.
If I set them back to original one, I get the error messages again. - Jens-Martin_130
Did you find any solution for this problem? We are facing the same issues.
- Torti
yes, we have a solution, now. Its a feature of the release 11.5 (iptables).
They closed port 54321 on both sites - source and destination.- TortiThis will result in resets, if the backend server answer via 54321
