For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MAbbas's avatar
MAbbas
Icon for Cirrus rankCirrus
Feb 05, 2022

Grpc Keepalive and F5 full proxy

Hi - my F5 is running v16.1 - and is a full gRPC proxy - the problem i am having i s

clinet sends gRPC ping to keep session open - to the F5 .but F5 cannot keep the session alive as there is no traffic that goes to the server - because -F5 being a proxy responds to teh ping .

How can i keep the server side connection open - other than increasing the the timeout.

thanks  

 

application delivery

4 Replies

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Feb 05, 2022

    Hello you mean HTTP/2? If so because this is new thing that F5 support better check with the TAC if there is new bug:

    https://support.f5.com/csp/article/K61517014

    https://support.f5.com/csp/article/K47440400

    https://support.f5.com/csp/article/K04412053

     

    Also maybe test if the servers can also send keep-alives as it seems that the client keep alive is not forwarded to the servers by the F5 device because of a bug or on purpose and maybe test if removing the web compression or web acceleration profiles (web cache) as there are some known bugs with those profiles and HTTP/2.

     

    https://cdn.f5.com/product/bugtracker/ID714372.html

     

    Also you may test enabling the TCP keep alives under the TCP profiles:

     

    https://support.f5.com/csp/article/K8049

    https://support.f5.com/csp/article/K13004262

    • MAbbas's avatar
      MAbbas
      Icon for Cirrus rankCirrus
      Feb 06, 2022

      thanks for the reply . F5 is working fine as a gRPC -http2 proxy .

      the problem i have is - client sends GRPC pings - that teh F5 responds being a proxy - hence no traffic goes to the backend server . hence the question - i sthere a way to send those pings to the backend server - other than keeping the socket open with a timeout value on teh server side.

      thanks

       

       

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Feb 11, 2022

    Hi MAbbas 

    I also did a bit of reading on this subject, this is my opinion:
    When proxying the HTTP/2 protocol, the same connection to a pool member can be used for multiple requests coming from multiple clients at the same time.
    Very much similiar to OneConnect in HTTP/1.1. Sending pings from a pariticular client over a reverse proxy would be somewhat inconsistent with whole idea of multiplexing.

    From my understanding gRPC keepalive is ment for peer-to-peer but not for proxied connections. If there is a requirement that clients keep a connection with the backend, TCP keepalive might be an option.
    Or extending the the TCP timeout value.

    KR
    Daniel