Forum Discussion

LillyM_9417's avatar
LillyM_9417
Icon for Altostratus rankAltostratus
Jul 18, 2012

FIN packet

Hello,

 

 

We are using this irule to send the client request (who is ready to send its data) to servers.

 

This irule does not help us to block the following situation.

 

- when a client complete 3-way handshake but does not send any data then send FIN packet.

 

In that time, something happen like this, "F5 assumes that the last FIN packet is a data and forward this client request to the server"

 

How can we prevent from this problem?

 

 

===========

 

when CLIENT_ACCEPTED {

 

TCP::collect 8

 

}

 

 

when CLIENT_DATA {

 

set pay1 [TCP::payload 8]

 

binary scan $pay1 IA4 len1 trn1

 

}

 

================

 

1 Reply

  • not sure if mblb profile is helpful.

    this is my testing.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       profiles {
          mblb {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    
     normal traffic i.e. curl -I http://172.28.19.79
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    05:45:12.106760 IP 172.28.19.251.41004 > 172.28.19.79.80: S 425780967:425780967(0) win 5840 
    05:45:12.106791 IP 172.28.19.79.80 > 172.28.19.251.41004: S 4020758279:4020758279(0) ack 425780968 win 4380 
    05:45:12.107662 IP 172.28.19.251.41004 > 172.28.19.79.80: . ack 1 win 46 
    05:45:12.107681 IP 172.28.19.251.41004 > 172.28.19.79.80: P 1:156(155) ack 1 win 46 
    05:45:12.107735 IP 200.200.200.10.41004 > 200.200.200.101.80: S 1387963131:1387963131(0) win 4380 
    05:45:12.108692 IP 200.200.200.101.80 > 200.200.200.10.41004: S 434734169:434734169(0) ack 1387963132 win 5792 
    05:45:12.108702 IP 200.200.200.10.41004 > 200.200.200.101.80: . ack 1 win 4380 
    05:45:12.108708 IP 200.200.200.10.41004 > 200.200.200.101.80: P 1:156(155) ack 1 win 4380 
    05:45:12.109599 IP 200.200.200.101.80 > 200.200.200.10.41004: . ack 156 win 54 
    05:45:12.110836 IP 200.200.200.101.80 > 200.200.200.10.41004: P 1:280(279) ack 156 win 54 
    05:45:12.110850 IP 172.28.19.79.80 > 172.28.19.251.41004: P 1:280(279) ack 156 win 4535 
    05:45:12.111745 IP 172.28.19.251.41004 > 172.28.19.79.80: . ack 280 win 54 
    05:45:12.112685 IP 172.28.19.251.41004 > 172.28.19.79.80: F 156:156(0) ack 280 win 54 
    05:45:12.112713 IP 172.28.19.79.80 > 172.28.19.251.41004: . ack 157 win 4535 
    05:45:12.112717 IP 200.200.200.10.41004 > 200.200.200.101.80: F 156:156(0) ack 280 win 4659 
    05:45:12.113715 IP 200.200.200.101.80 > 200.200.200.10.41004: F 280:280(0) ack 157 win 54 
    05:45:12.113727 IP 200.200.200.10.41004 > 200.200.200.101.80: . ack 281 win 4659 
    
     fin packet i.e. telnet 172.28.19.79 80 and then quit (^] and quit)
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    05:45:39.709785 IP 172.28.19.251.41005 > 172.28.19.79.80: S 2174834412:2174834412(0) win 5840 
    05:45:39.709850 IP 172.28.19.79.80 > 172.28.19.251.41005: S 1431148460:1431148460(0) ack 2174834413 win 4380 
    05:45:39.710797 IP 172.28.19.251.41005 > 172.28.19.79.80: . ack 1 win 46 
    05:45:41.408859 IP 172.28.19.251.41005 > 172.28.19.79.80: F 1:1(0) ack 1 win 46 
    05:45:41.408890 IP 172.28.19.79.80 > 172.28.19.251.41005: . ack 2 win 4380