For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shayne_Rinne_84's avatar
Shayne_Rinne_84
Icon for Nimbostratus rankNimbostratus
Apr 24, 2008

F5 as a default gateway

Hello,     We are running CA siteminder policy servers on Solaris 8 behind a BIG IP LTM, and many of our connections to Active Directory LDAP User directories are going into a TCP IDLE state. T...
config
design
Shayne_Rinne_84's avatar
Shayne_Rinne_84
Icon for Nimbostratus rankNimbostratus
Jul 03, 2008
Thank-you for the replies. It turns out that loose-initiation in combination with loose close is the issue. The F5 is sending a RST 60 seconds after the first FIN to both the Solaris and MS server. This causes the Solaris server to create a TCP IDLE state connection that can be only cleared by restarting the process holding the connection. We have understood the reset to be sent based on our loose close enabled, a 60 sec TCP Close timeout and reset on close enabled. We are looking at our options and have come up with 3:

 

 

1. Turn off reset on close

 

2. Turn off loose close

 

3. Increase the close timeout to match the IDLE timeout

 

 

Any recommendations?