F5 as a default gateway

Sounds like a classic firewall/f5 long lived connection problem. If the connection through the F5 is idle for a long time it will be flushed from the connection table. Then when it's eventually closed by one end or the other, the packets (FIN/FINACK/ACK) will be dropped because there's no connection table entry to say where they're being balanced to.

 

 

There are a couple of options...

 

 

1. Enable tcp keepalives on the hosts, and set the keepalive timeouts lower than the connection table idle timeout (Only works if one of them requests SO_KEEPALIVE on the socket after creating it).

 

 

2. Increase the connection table idle timeout. (May cause the tables to grow quite large, so you're better off making that change on a VS specific to that port & destination IP).

 

 

3. Create a new tcp profile that uses loose-initiation/close. (Which will create a new connection table entry on any packet, not just the SYN/SYNACK/ACK sequence).

 

 

 

Option 3 is probably the best one... It won't affect connection table size, however it doesn't work if there is more than one way to route the packet and there is no shared state on the next hop (e..g when creating a firewall sandwhich the F5 has no way of knowing which of the poolmembers waas used for the original connection, so might guess wrong on the loosely opened one. But if you're just following the forwarding through another gateway, or do have sync'ed gateways, or the next hope doesn't do stateful connections, then you're in luck).

 

 

 

H