Connections to outside databases timeout

Question

Hi All, 
&nbsp;  
&nbsp; I have a situation where outgoing connections from a pair of load-balanced shibboleth servers to a non-load-balanced oracle database are timing out after five minutes.  Prior to being moved to the F5 LTM, this was not happening. 
&nbsp;  
&nbsp; We addressed a similar problem with ssh sessions by adding some variables to the sshd_config on the servers in question, but I'd prefer to address on the load-balancers themselves.   
&nbsp;  
&nbsp; Looking at the tcp profile, it would appear that I might be able to fix this by using a custom tcp profile with an increased idle timeout, or by doing something similar with a persistence profile, but neither has worked so far, according to the customer. 
&nbsp;  
&nbsp; Has anyone else run into this or something similar?  Am I even looking in the right place to address this issue? 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Sid

hoolio · Answer

Hi Sid, 
&nbsp;  
&nbsp; Are the outbound connections to the DB using a VIP with SNAT automap?  If so, you might be hitting a hardcoded 300 second timeout on the SNAT automap.  Take a look at the following solutions for some additional info and options: 
&nbsp;  
&nbsp; SOL7606: Overview of BIG-IP LTM idle session timeouts 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/7000/600/sol7606.html (Click here)  
&nbsp;  
&nbsp; SOL6017: The BIG-IP LTM SNAT automap has a static timeout value of 300 seconds   
&nbsp; https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6017.html (Click here) 
&nbsp;  
&nbsp; Aaron

sstafford · Answer

Thanks Hoolio, those kicked loose enough mental debris that I was able to address the behavior.  Essentially the problem originated with the idle timeout setting on a FastL4 profile associated with a Wildcard virtual server--set by default to 5 minutes. If I increase that setting to 10 minutes, then the database connection problem goes away, as the idle timeout on the F5 side is now longer than that of the database servers themselves. Here's the entry from the bigip.conf for the new FastL4 profile, should anyone be interested; 
&nbsp;  
&nbsp; profile fastL4 fastl4HiTimeout { 
&nbsp;   defaults from fastL4 
&nbsp;   reset on timeout enable 
&nbsp;   reassemble fragments disable 
&nbsp;   idle timeout 600 
&nbsp;   tcp handshake timeout 5 
&nbsp;   tcp close timeout 5 
&nbsp;   mss override 0 
&nbsp;   pva acceleration full 
&nbsp;   tcp timestamp preserve 
&nbsp;   tcp wscale preserve 
&nbsp;   tcp generate isn disable 
&nbsp;   tcp strip sack disable 
&nbsp;   ip tos to client pass 
&nbsp;   ip tos to server pass 
&nbsp;   link qos to client pass 
&nbsp;   link qos to server pass 
&nbsp;   rtt from client disable 
&nbsp;   rtt from server disable 
&nbsp;   loose initiation disable 
&nbsp;   loose close disable 
&nbsp;   software syncookie disable 
&nbsp; }

Forum Discussion

Connections to outside databases timeout

2 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Create cipher group in f5

Buy F5 Big-IP Virtual Edition Lab licence in FR

VMware Horizon app and X-Forwarded-For

Requests with 307 responses not logged (missing) in ASM events

Big-IP sending Health Check to not-used Node-IP

Related Content

Edge to Pulse: IP Geolocation Database Migration

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Auto updates GeoIP database on Big IP.

Ipsec.lookupspi database variable

Monitoring Open Source databases with BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS