For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Torti's avatar
Torti
Icon for Cirrus rankCirrus
Jul 28, 2014

11.5.1-HF3 - LTM monitor Resets

Hi,

 

I have a little problem with my new systems, which are running with 11.5.1-HF3.

 

At the moment, there is no active traffic on the systems. Only monitoring of the backend from my configured pools.

 

Here I can see, that a random pool sometimes is going down for a small time.

 

With wireshark I can see, that the bigip sometimes reset the connection of the haelthcheck and sends an ICMP unreachable to the backend. After 9 seconds everything is ok again.

 

The timeout of the member is 5 seconds, the monitor is default tcp.

 

With a http monitor - timout 10 seconds -, I allways have a downtime of 15 seconds.

 

It allways looks the same:

 

BIGIP sends a SYN

 

Backend sends a SYN, ACK

 

BIGIP sends a Destination unreacheable

 

BIGIP sends a RST, ACK

 

There is everywhere a cnnection limit of 0.

 

Anyone have an idea?

 

application delivery
availability
deployment
LTM

14 Replies

  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    Jul 28, 2014

    Hi, is you monitor traffic coming back through the same vlan as you sent the request ?

     

  • Torti's avatar
    Torti
    Icon for Cirrus rankCirrus
    Jul 28, 2014
    add from log: RST sent from $BIGIP:54321 to $BACKEND:30102, [0x1b60efd:1508] {peer} ICMP unreachable received RST sent from $BACKEND:30102 to $BIGIP:54321, [0x1b60efd:1508] ICMP unreachable received ...monitor status down
  • shaggy's avatar
    shaggy
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2014

    (sorry if your VLAN answer above applies to this question) - Are the nodes on a directly-connected VLAN?

     

  • Torti's avatar
    Torti
    Icon for Cirrus rankCirrus
    Jul 28, 2014

    the nodes are all on seperate vlans connected through an ASA.

     

    I have nearly the same conifguration on 2 old systems with 11.2.1. Here, everything is running fine.

     

  • shaggy's avatar
    shaggy
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2014

    I haven't seen this issue come across in 11.5, but I would start by examining the LTM and nodes' routing tables. I would expect a routing issue to always impact this traffic rather than randomly, but it's worth validating. Have you tried setting the monitor to gateway_icmp to see if it's a routing/connectivity issue?

     

  • shaggy_121467's avatar
    shaggy_121467
    Icon for Cumulonimbus rankCumulonimbus
    Jul 28, 2014

    I haven't seen this issue come across in 11.5, but I would start by examining the LTM and nodes' routing tables. I would expect a routing issue to always impact this traffic rather than randomly, but it's worth validating. Have you tried setting the monitor to gateway_icmp to see if it's a routing/connectivity issue?

     

  • Torti's avatar
    Torti
    Icon for Cirrus rankCirrus
    Jul 30, 2014

    Ok, if I set the monitor of the most pools (47) to gateway_icmp, I don't get the error messages.

     

    If I set them back to original one, I get the error messages again.

     

  • Torti's avatar
    Torti
    Icon for Cirrus rankCirrus
    Sep 05, 2014

    yes, we have a solution, now. Its a feature of the release 11.5 (iptables).

     

    They closed port 54321 on both sites - source and destination.

     

    • Torti's avatar
      Torti
      Icon for Cirrus rankCirrus
      Sep 05, 2014
      This will result in resets, if the backend server answer via 54321