Forum Discussion
Do Keep Alives renew Source Persistence table entry
- May 03, 2017
Ok, I labbed this up today and thought I would share my results. In summary, source persistence is not renewed when using a standard virtual with long-lived connections and keep alives.
My scenario: I used SSH as the protocol. Standard virtual server with a modified tcp-lan-optimization profile. Modified settings to 300 tcp timeout and changed the keep alive interval to 150. I then created a source persistence profile and set the timeout at 400 seconds. I created the pool and attached all profiles and kicked off a tcp dump and viewed the VS and Source persistence connections from the CLI.
What I found was that the tcp timeout would renew every 150 seconds. This was expected as the timeout interval probe is set to 150 seconds. However, the source persistence for the connection never changed and it eventually timed out after 400 seconds. I suspect this is because of the full proxy nature of the standard virtual server. Each connection on the proxy is simply probing and not really passing traffic through the F5, thus not resetting the source persistence record. This is the confusing piece I was finding on the internet and on DevCentral; there wasn't any clear documentation on how this worked. All docs I found said "any" packet would reset persistence but didn't specify what type of virtuals and configurations might not reset source persistence.
I also tested this with fastl4; this was completely different. The probes actually traversed the F5 and reset source persistence.
In the end, I was able to confirm that this was not an F5 bug and instructed the customer to adjust keep alive intervals on the tcp profile. FYI, fastl4 was not an option because they were offloading ssl.
- JG, May 04, 2017 (Cumulonimbus)
There is a better option to keep ssh connections live than using TCP keepalive and a persistence profile. There are configuration options "ServerAliveInterval" and "ClientAliveInterval" in OpenSSH to keep this on the application layer. I think PuTTY can be configured similarly. This is also a much better option than having the user modify the kernel parameters of their OS.
- xXhd1912Xx_1953, May 04, 2017 (Cirrus)
True, but my client is using a vendor-specific protocol that is long-lived; ssh or ftp were the only readily available and easy options for me to try and replicate this scenario.
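The timer behaviour reported in this thread, as a toy model added here as an example (it is not code from any poster or from F5). The function name, the event format and the rule that payload data refreshes persistence on a standard virtual are assumptions; the 150/300/400 second values are the ones used in the lab above.

```python
# Toy timer model of the lab result reported in this thread (not F5 code).
# Assumptions: on a "standard" (full-proxy) virtual a TCP keepalive probe resets
# only the connection idle timer, while payload data resets the idle timer and
# the persistence record. On "fastl4" every packet, probes included, resets both.

def simulate(mode, events, idle_timeout=300, persist_timeout=400, horizon=1200):
    """events: list of (time_s, kind) with kind in {"keepalive", "data"}.
    Returns (conn_expiry, persist_expiry); None means still alive at horizon."""
    last_conn = last_persist = 0       # both timers start at connection setup
    conn_expiry = persist_expiry = None
    for t, kind in sorted(events):
        if t >= horizon or t - last_conn >= idle_timeout:
            break                      # past the window, or connection already reaped
        last_conn = t                  # any packet on the flow resets the idle timer
        refreshes = mode == "fastl4" or kind == "data"
        if refreshes and persist_expiry is None:
            if t - last_persist >= persist_timeout:
                persist_expiry = last_persist + persist_timeout  # record already gone
            else:
                last_persist = t
    if horizon - last_conn >= idle_timeout:
        conn_expiry = last_conn + idle_timeout
    if persist_expiry is None and horizon - last_persist >= persist_timeout:
        persist_expiry = last_persist + persist_timeout
    return conn_expiry, persist_expiry

# Constructed inputs: one packet every 150 s, as in the lab's keepalive interval.
TCP_PROBES = [(t, "keepalive") for t in range(150, 1200, 150)]
# Application-layer keepalives (e.g. SSH ServerAliveInterval) modelled as payload data.
APP_MSGS = [(t, "data") for t in range(150, 1200, 150)]

if __name__ == "__main__":
    for label, mode, ev in [
        ("standard + TCP keepalive", "standard", TCP_PROBES),
        ("fastl4   + TCP keepalive", "fastl4", TCP_PROBES),
        ("standard + app-layer msg", "standard", APP_MSGS),
        ("standard + no traffic   ", "standard", []),
    ]:
        conn, persist = simulate(mode, ev)
        print(f"{label}: connection expires={conn}, persistence expires={persist}")
```
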