Forwarding TCP RST on VS with loose-init?

Question

OK. I think there's a change between 11.2.1 and 11.4.1 on forwarding of tcp resets for connections NOT in the connection table across a network VS...&nbsp;
Unfortunately, I don't have an 11.2.1 box handy to verify... But have discovered (After users reported issues following an upgrade from 11.2.1HF6 to 11.4.1HF2) that if a TCP connection is NOT in the connection table but the VS being uised has loose-init enabled, then the RST WILL NOT be forwarded to the destination.
Any other packet will hit the loose-init and be forwarded, causing the connection table entry to be added once more. But if the connection goes idle, and the remote end RESETS the tcp connection without a FIN/FIN-ACK/ACK sequence (Which appears to be the method for closing an idle connection to Win2008 LDAP) then the client never gets the reset... And so is left with a hanging tcp connection...&nbsp;
Anyone else seen this? And does anyone know if this was the same behaviour in 11.2.1HF6? &nbsp;
H&nbsp;

nitass · Answer

i do not have 11.2.1 and 11.4.1 but it seems it (reset) is forwarded in 10.2.4 but 11.5.0.
this is 10.2.4.
root@ve10(Active)(tmos) show sys version|grep -A 6 Main\ Package
Main Package
  Product  BIG-IP
  Version  10.2.4
  Build    817.0
  Edition  Hotfix HF7
  Date     Mon May 20 15:08:56 PDT 2013

root@ve10(Active)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination any:any
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    snat automap
    translate-address disabled
    translate-port disabled
}
root@ve10(Active)(tmos) list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    loose-initialization enabled
    reset-on-timeout disabled
}

root@ve10(Active)(tmos) show sys connection cs-server-port 80
Sys::Connections
Total records returned: 0

[root@ve10:Active] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:03:59.752471 IP 200.200.200.101.1579 &gt; 172.28.24.1.80: R 903943335:903943335(0) win 512 in slot1/tmm0 lis=
23:03:59.752550 IP 172.28.24.15.1579 &gt; 172.28.24.1.80: R 903943335:903943335(0) win 512 out slot1/tmm0 lis=fwd

nitass · Answer

and this is 11.5.0.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.5.0
  Build    0.0.221
  Edition  Final
  Date     Fri Jan 17 15:53:04 PST 2014

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 3
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    app-service none
    loose-initialization enabled
    reset-on-timeout disabled
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection cs-server-port 80
Sys::Connections
Total records returned: 0

[root@ve11a:Active:In Sync] log  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:24:32.651933 IP 200.200.200.101.2702 &gt; 172.28.24.1.80: R 218255140:218255140(0) win 512 in slot1/tmm0 lis=
07:24:33.651106 IP 200.200.200.101.2703 &gt; 172.28.24.1.80: R 2115481654:2115481654(0) win 512 in slot1/tmm1 lis=
07:24:34.653423 IP 200.200.200.101.2704 &gt; 172.28.24.1.80: R 839077725:839077725(0) win 512 in slot1/tmm0 lis=

hamish · Answer

Yeah... I wonder if it changed in 11.3 or 11.4...&nbsp;

nitass · Answer

i think 11.3.
[root@ve10:Active:Standalone] config  tmsh show sys version|grep -iA 6 main\ package
Main Package
  Product  BIG-IP
  Version  11.3.0
  Build    3144.0
  Edition  Hotfix HF8
  Date     Thu Oct  3 18:22:28 PDT 2013

[root@ve10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:52:02.019072 IP 200.200.200.101.1126 &gt; 172.28.24.1.80: R 989778309:989778309(0) win 512 in slot1/tmm0 lis=
18:52:03.020870 IP 200.200.200.101.1127 &gt; 172.28.24.1.80: R 1181986956:1181986956(0) win 512 in slot1/tmm0 lis=
18:52:04.022056 IP 200.200.200.101.1128 &gt; 172.28.24.1.80: R 692961061:692961061(0) win 512 in slot1/tmm0 lis=

Forum Discussion

Forwarding TCP RST on VS with loose-init?

4 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Bash shell and ping command on F5 rseries

Same LTM Monitor applied to different Pools with Common Nodes

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

Owa did not show support id asm

error code 503 redirect irule

Related Content

SSH forward proxy

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

Extracting X-Forwarded-For in Node.js

Lightboard Lessons: Perfect Forward Secrecy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS