Forum Discussion

LillyM_9417's avatar
LillyM_9417
Icon for Altostratus rankAltostratus
Jul 18, 2012

FIN packet

Hello,

 

 

We are using this irule to send the client request (who is ready to send its data) to servers.

 

This irule does not help us to block the following situation.

 

- when a client complete 3-way handshake but does not send any data then send FIN packet.

 

In that time, something happen like this, "F5 assumes that the last FIN packet is a data and forward this client request to the server"

 

How can we prevent from this problem?

 

 

===========

 

when CLIENT_ACCEPTED {

 

TCP::collect 8

 

}

 

 

when CLIENT_DATA {

 

set pay1 [TCP::payload 8]

 

binary scan $pay1 IA4 len1 trn1

 

}

 

================

 

application delivery
dev
devops
iRules

1 Reply

Sort By
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jul 18, 2012
    not sure if mblb profile is helpful.

    this is my testing. 

    [root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   profiles {
      mblb {}
      tcp {}
   }
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}

 normal traffic i.e. curl -I http://172.28.19.79

[root@ve10:Active] config  tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
05:45:12.106760 IP 172.28.19.251.41004 > 172.28.19.79.80: S 425780967:425780967(0) win 5840 
05:45:12.106791 IP 172.28.19.79.80 > 172.28.19.251.41004: S 4020758279:4020758279(0) ack 425780968 win 4380 
05:45:12.107662 IP 172.28.19.251.41004 > 172.28.19.79.80: . ack 1 win 46 
05:45:12.107681 IP 172.28.19.251.41004 > 172.28.19.79.80: P 1:156(155) ack 1 win 46 
05:45:12.107735 IP 200.200.200.10.41004 > 200.200.200.101.80: S 1387963131:1387963131(0) win 4380 
05:45:12.108692 IP 200.200.200.101.80 > 200.200.200.10.41004: S 434734169:434734169(0) ack 1387963132 win 5792 
05:45:12.108702 IP 200.200.200.10.41004 > 200.200.200.101.80: . ack 1 win 4380 
05:45:12.108708 IP 200.200.200.10.41004 > 200.200.200.101.80: P 1:156(155) ack 1 win 4380 
05:45:12.109599 IP 200.200.200.101.80 > 200.200.200.10.41004: . ack 156 win 54 
05:45:12.110836 IP 200.200.200.101.80 > 200.200.200.10.41004: P 1:280(279) ack 156 win 54 
05:45:12.110850 IP 172.28.19.79.80 > 172.28.19.251.41004: P 1:280(279) ack 156 win 4535 
05:45:12.111745 IP 172.28.19.251.41004 > 172.28.19.79.80: . ack 280 win 54 
05:45:12.112685 IP 172.28.19.251.41004 > 172.28.19.79.80: F 156:156(0) ack 280 win 54 
05:45:12.112713 IP 172.28.19.79.80 > 172.28.19.251.41004: . ack 157 win 4535 
05:45:12.112717 IP 200.200.200.10.41004 > 200.200.200.101.80: F 156:156(0) ack 280 win 4659 
05:45:12.113715 IP 200.200.200.101.80 > 200.200.200.10.41004: F 280:280(0) ack 157 win 54 
05:45:12.113727 IP 200.200.200.10.41004 > 200.200.200.101.80: . ack 281 win 4659 

 fin packet i.e. telnet 172.28.19.79 80 and then quit (^] and quit)

[root@ve10:Active] config  tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
05:45:39.709785 IP 172.28.19.251.41005 > 172.28.19.79.80: S 2174834412:2174834412(0) win 5840 
05:45:39.709850 IP 172.28.19.79.80 > 172.28.19.251.41005: S 1431148460:1431148460(0) ack 2174834413 win 4380 
05:45:39.710797 IP 172.28.19.251.41005 > 172.28.19.79.80: . ack 1 win 46 
05:45:41.408859 IP 172.28.19.251.41005 > 172.28.19.79.80: F 1:1(0) ack 1 win 46 
05:45:41.408890 IP 172.28.19.79.80 > 172.28.19.251.41005: . ack 2 win 4380