For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sstafford's avatar
sstafford
Icon for Nimbostratus rankNimbostratus
Mar 27, 2009

Connections to outside databases timeout

Hi All,

 

 

I have a situation where outgoing connections from a pair of load-balanced shibboleth servers to a non-load-balanced oracle database are timing out after five minutes. Prior to being moved to the F5 LTM, this was not happening.

 

 

We addressed a similar problem with ssh sessions by adding some variables to the sshd_config on the servers in question, but I'd prefer to address on the load-balancers themselves.

 

 

Looking at the tcp profile, it would appear that I might be able to fix this by using a custom tcp profile with an increased idle timeout, or by doing something similar with a persistence profile, but neither has worked so far, according to the customer.

 

 

Has anyone else run into this or something similar? Am I even looking in the right place to address this issue?

 

 

Thanks,

 

 

Sid
config
design

2 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 27, 2009
    Hi Sid,

     

     

    Are the outbound connections to the DB using a VIP with SNAT automap? If so, you might be hitting a hardcoded 300 second timeout on the SNAT automap. Take a look at the following solutions for some additional info and options:

     

     

    SOL7606: Overview of BIG-IP LTM idle session timeouts

     

    https://support.f5.com/kb/en-us/solutions/public/7000/600/sol7606.html (Click here)

     

     

    SOL6017: The BIG-IP LTM SNAT automap has a static timeout value of 300 seconds

     

    https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6017.html (Click here)

     

     

    Aaron
  • sstafford's avatar
    sstafford
    Icon for Nimbostratus rankNimbostratus
    Mar 27, 2009
    Thanks Hoolio, those kicked loose enough mental debris that I was able to address the behavior. Essentially the problem originated with the idle timeout setting on a FastL4 profile associated with a Wildcard virtual server--set by default to 5 minutes. If I increase that setting to 10 minutes, then the database connection problem goes away, as the idle timeout on the F5 side is now longer than that of the database servers themselves. Here's the entry from the bigip.conf for the new FastL4 profile, should anyone be interested;

     

     

    profile fastL4 fastl4HiTimeout {

     

    defaults from fastL4

     

    reset on timeout enable

     

    reassemble fragments disable

     

    idle timeout 600

     

    tcp handshake timeout 5

     

    tcp close timeout 5

     

    mss override 0

     

    pva acceleration full

     

    tcp timestamp preserve

     

    tcp wscale preserve

     

    tcp generate isn disable

     

    tcp strip sack disable

     

    ip tos to client pass

     

    ip tos to server pass

     

    link qos to client pass

     

    link qos to server pass

     

    rtt from client disable

     

    rtt from server disable

     

    loose initiation disable

     

    loose close disable

     

    software syncookie disable

     

    }