Forum Discussion
Client receive socket error
Hi all, we have just finished the F5 VE setup and are starting the first testing, and we encounter a socket error on the client side.
We were able to telnet to the VS IP and port from the client.
I have captured the tcpdump between the client and F5 and am trying to understand the handshake part. Would anyone be able to advise?
Note: I have replaced the source IP with "SourceIP" and the virtual server IP with "VS".
Tcp dump Client to F5
02:04:33.637019 IP SourceIP.61406 > VS.10443: S 393854717:393854717(0) win 8192
02:04:33.637120 IP VS.10443 > SourceIP.61406: S 1243836893:1243836893(0) ack 393854718 win 4380
02:04:33.639949 IP SourceIP.61406 > VS.10443: . ack 1 win 64240
02:04:33.645381 IP SourceIP.61406 > VS.10443: P 1:53(52) ack 1 win 64240
02:04:33.645436 IP VS.10443 > SourceIP.61406: P 1:803(802) ack 53 win 4380
02:04:33.658065 IP SourceIP.61406 > VS.10443: P 53:192(139) ack 803 win 63438
02:04:33.659210 IP VS.10443 > SourceIP.61406: . ack 192 win 4571
02:04:33.665987 IP SourceIP.61406 > VS.10443: P 192:198(6) ack 803 win 63438
02:04:33.666001 IP VS.10443 > SourceIP.61406: . ack 198 win 4577
02:04:33.675939 IP SourceIP.61406 > VS.10443: P 198:243(45) ack 803 win 63438
02:04:33.675991 IP VS.10443 > SourceIP.61406: . ack 243 win 4622
02:04:33.676781 IP VS.10443 > SourceIP.61406: P 803:809(6) ack 243 win 4622
02:04:33.676806 IP VS.10443 > SourceIP.61406: P 809:854(45) ack 243 win 4622
02:04:33.679213 IP SourceIP.61406 > VS.10443: . ack 854 win 63387
02:04:33.713061 IP SourceIP.61406 > VS.10443: P 243:456(213) ack 854 win 63387
02:04:33.713075 IP VS.10443 > SourceIP.61406: . ack 456 win 4835
02:04:38.637618 arp who-has VS tell 10.8.227.254
02:04:38.637648 arp reply VS is-at 00:50:56:84:0f:50 (oui Unknown)
02:04:45.675974 IP VS.10443 > SourceIP.61406: R 854:854(0) ack 456 win 4835
02:21:14.284465 arp who-has VS tell 10.8.227.254
02:21:14.284497 arp reply VS is-at 00:50:56:84:0f:50 (oui Unknown)
02:21:14.286888 IP SourceIP.61572 > VS.amanda: S 1407086659:1407086659(0) win 8192
02:21:14.287072 IP VS.amanda > SourceIP.61572: S 3400928483:3400928483(0) ack 1407086660 win 4380
02:21:14.297839 IP SourceIP.61572 > VS.amanda: . ack 1 win 64240
02:21:14.354429 IP SourceIP.61572 > VS.amanda: P 1:185(184) ack 1 win 64240
02:21:14.354708 IP VS.amanda > SourceIP.61572: . ack 185 win 4564
02:21:26.354475 IP VS.amanda > SourceIP.61572: R 1:1(0) ack 185 win 4564
02:21:44.002801 IP SourceIP.61573 > VS.amanda: S 2339575959:2339575959(0) win 8192
02:21:44.002899 IP VS.amanda > SourceIP.61573: S 939635479:939635479(0) ack 2339575960 win 4380
02:21:44.006175 IP SourceIP.61573 > VS.amanda: . ack 1 win 64240
02:21:44.072147 IP SourceIP.61573 > VS.amanda: P 1:185(184) ack 1 win 64240
02:21:44.072500 IP VS.amanda > SourceIP.61573: . ack 185 win 4564
02:21:49.002935 arp who-has VS tell 10.8.227.254
02:21:49.002970 arp reply VS is-at 00:50:56:84:0f:50 (oui Unknown)
02:21:56.071802 IP VS.amanda > SourceIP.61573: R 1:1(0) ack 185 win 4564
02:22:00.817201 IP SourceIP.61574 > VS.kamanda: S 1234005134:1234005134(0) win 8192
02:22:00.817378 IP VS.kamanda > SourceIP.61574: S 510475054:510475054(0) ack 1234005135 win 4380
02:22:00.820048 IP SourceIP.61574 > VS.kamanda: . ack 1 win 64240
02:22:00.859254 IP SourceIP.61574 > VS.kamanda: P 1:185(184) ack 1 win 64240
02:22:00.859539 IP VS.kamanda > SourceIP.61574: . ack 185 win 4564
02:22:12.858954 IP VS.kamanda > SourceIP.61574: R 1:1(0) ack 185 win 4564
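Added example, not part of the original post: a small Python parser for the tcpdump text format shown above that reports, for each flow, which side sent the RST and how long the connection had been idle before it. The function name `summarize_resets` and its field names are assumptions of this example; the sample lines are a trimmed copy of the capture above.

```python
import re
from datetime import datetime

# Trimmed copy of two flows from the capture above (handshake, last ACK, reset).
CAPTURE = """\
02:04:33.637019 IP SourceIP.61406 > VS.10443: S 393854717:393854717(0) win 8192
02:04:33.637120 IP VS.10443 > SourceIP.61406: S 1243836893:1243836893(0) ack 393854718 win 4380
02:04:33.639949 IP SourceIP.61406 > VS.10443: . ack 1 win 64240
02:04:33.713061 IP SourceIP.61406 > VS.10443: P 243:456(213) ack 854 win 63387
02:04:33.713075 IP VS.10443 > SourceIP.61406: . ack 456 win 4835
02:04:38.637618 arp who-has VS tell 10.8.227.254
02:04:45.675974 IP VS.10443 > SourceIP.61406: R 854:854(0) ack 456 win 4835
02:21:14.286888 IP SourceIP.61572 > VS.amanda: S 1407086659:1407086659(0) win 8192
02:21:14.287072 IP VS.amanda > SourceIP.61572: S 3400928483:3400928483(0) ack 1407086660 win 4380
02:21:14.297839 IP SourceIP.61572 > VS.amanda: . ack 1 win 64240
02:21:14.354429 IP SourceIP.61572 > VS.amanda: P 1:185(184) ack 1 win 64240
02:21:14.354708 IP VS.amanda > SourceIP.61572: . ack 185 win 4564
02:21:26.354475 IP VS.amanda > SourceIP.61572: R 1:1(0) ack 185 win 4564
"""

# timestamp, source host.port, destination host.port, TCP flags field
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (\S+) ")

def summarize_resets(text):
    """For each RST seen, return who sent it and the idle time before it."""
    flows, resets = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:                        # skips ARP and other non-TCP lines
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        src, dst, flags = m.group(2), m.group(3), m.group(4)
        key = frozenset((src, dst))      # both directions belong to one flow
        flow = flows.setdefault(key, {"client": src, "last": ts})
        if "R" in flags:
            idle = (ts - flow["last"]).total_seconds()
            resets.append({"client": flow["client"], "rst_from": src,
                           "idle_s": round(idle, 2)})
        flow["last"] = ts                # time of the most recent packet
    return resets

if __name__ == "__main__":
    for r in summarize_resets(CAPTURE):
        print(r)
```

On both sample flows the reset is sent by the virtual server roughly 12 seconds after the last packet on the client side.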
- IheartF5_45022Nacreous
My eyes hurt just looking at that - could you possibly put 1 packet per line?
- Doran_LumNimbostratus
I'm really sorry.. it looks better now
- Doran_LumNimbostratus
Sorry to trouble you, does anyone have any experience with what might be wrong? Or let me know if you need more details.
- IheartF5_45022Nacreous
Hi Doran, You'll need to enable RST cause logging using the following command;-
modify /sys db tm.rstcause.log value enable
See the KB article here;-
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
- Doran_LumNimbostratus
Thank you so much, I have reset the stats and sent a test as below. Does this mean F5 is unable to transmit the TCP to the application server?
TCP/IP Reset Cause
RST Cause: Count
Flow expired (sweeper) 0
No local listener 0
No pool member available 0
No server selected 0
Port denied 0
SSL alert timeout exceeded 0
SSL handshake timeout exceeded 0
TCP 3WHS rejected 0
TCP retransmit timeout 2
- IheartF5_45022Nacreous
It seems that way - what healthcheck do you have on the pool? Are you offloading or re-encrypting the SSL to the server? Any info on pool/virtual config or status would be helpful.
- Doran_LumNimbostratus
Below is one of the health checks; most of the rest are the same except for the Alias Service Port, which are 15005, 15007, 18080, HTTP.
For encryption, would you be referring to the SSL Profile? I would be using the Client SSL Profile as below.
Health Monitor
Monitor_Pool_15005
Partition/Path: Common
Type: TCP
Parent Monitor: tcp
Interval: 5 seconds
Up Interval: Disabled
Time Until Up: 0
Timeout: 16 seconds
Manual Resume: No
Send String:
Receive String:
Receive Disable String:
Reverse: No
Transparent: No
Alias Address: * All address
Alias Service Port: 15005
Monitor Instances: Monitor_Pool_15005
Node: DestinationIP
Address: DestinationIP
Service: 15005
Partition/Path
- Doran_LumNimbostratus
Routes
Name: 127.1.1.0/24
Name : 10.8.227.0/24
Name : 10.8.228.0/24
Name : external
- Doran_LumNimbostratus
Node
Node: 10.8.228.71 (10.8.228.71)
Status
Availability : available
State : enabled
Reason : Node address is available
Monitor : /Common/icmp (default node monitor)
Monitor Status : up
Session Status : enabled
Node: 10.8.228.72 (10.8.228.72)
Status
Availability : available
State : enabled
Reason : Node address is available
Monitor : /Common/icmp (default node monitor)
Monitor Status : up
Session Status : enabled
Pool
Pool: QA_TXAP_Pool_15005
Status
Availability : available
State : enabled
Reason : The pool is available
Monitor : Monitor_Pool_15005
Minimum Active Members : 0
Current Active Members : 2
Total Requests : 0
Current Sessions : 0
Traffic ServerSide
Bits In 90.6K
Bits Out 0
Packets In 236
Packets Out 0
Current Connections 0
Maximum Connections 4
Total Connections 60
Pool: QA_TXAP_Pool_15007
Status
Availability : available
State : enabled
Reason : The pool is available
Monitor : Monitor_Pool_15007
Minimum Active Members : 0
Current Active Members : 2
Total Requests : 0
Current Sessions : 0
Traffic ServerSide
Bits In 0
Bits Out 0
Packets In 0
Packets Out 0
Current Connections 0
Maximum Connections 0
Pool: QA_TXAP_Pool_https
Status
Availability : available
State : enabled
Reason : The pool is available
Monitor : Monitor_Pool_18080
Minimum Active Members : 0
Current Active Members : 2
Total Requests : 0
Current Sessions : 0
Traffic ServerSide
Bits In 0
Bits Out 0
Packets In 0
Packets Out 0
Current Connections 0
Maximum Connections 0
Total Connections 0
Pool: QA_TXEU_Pool_80
Status
Availability : available
State : enabled
Reason : The pool is available
Monitor : Monitor_Pool_80
Minimum Active Members : 0
Current Active Members : 2
Total Requests : 0
Current Sessions : 0
Traffic ServerSide
Bits In 0
Bits Out 0
Packets In 0
Packets Out 0
Current Connections 0
- IheartF5_45022Nacreous
Have you enabled SNAT on the virtual? That's the most likely explanation for no return traffic coming from the server.
- Doran_LumNimbostratus
I have created a SNAT Pool list and placed the client server IP and destination application server IP inside.
On the virtual, under I select the following but still encounter the same error
Source Address Translation: SNAT