Health check failing - tcp/54321 - is this more than a coincidence?

That is because the Windows server sends a "win=0" back. We had this problem as well in the past, and Microsoft Support regarded this as "normal"!

I don't remember how we got out of this, but it was in the early days of BIG-IP v11.2.0, and there were many engineering hostfixes we had to apply during that time. We are now on v11.3.0 with one of the latest hf applied and I don't see this problem anymore. But I can't say BIG-IP was the problem.

FYI, F5 came back and said that the tcp/54321 issue is a known bug with their product (although good luck finding any information on it). You basically need to configure the F5 to not use 54321 to health check (or any other reason). We were getting tons of health check errors and after we disabled 54321 AND (more importantly) disabled TSO ALL of our problems vanished and the end users are much happier. If you're not familiar with TSO (TCP segmentation offloading) get up to speed on it and turn it off.

Here's what F5 support told our admin to do for the tcp/54321 issue. Since I do not know for which version this was applied, I would suggest that you contact F5 support if you're having this issue. The workaround could be different for your version.

"Here are the steps to work around this issue:

1. Run the following commands to update your current iptables rules:

--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__

1. Run the following commands to add the iptables rules to /config/startup. This will ensure that these iptables rules persist upon reboot and upgrades:

For the record, this affects all versions of:

*v11.5.0*
*v11.5.1*
and most likely *v11.6.0* when it is released.

1. Run the following commands to update your current iptables rules:

    /sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable

    /sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

    /sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

1. Run the following commands to add the iptables rules to /config/startup. This will ensure that these iptables rules persist upon reboot and upgrades:

    echo "/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable" >> /config/startup

    echo "/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset" >> /config/startup

    echo "/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset" >> /config/startup

The synopsis of this bug is that there is an iptables rule that was implemented to secure a Websense vulnerability.

In the process, the iptables rule was created in a rule that would block ALL Traffic to ALL Interfaces of a BIG-IP device.

This means that all traffic sourced from the BIG-IP with an ephemeral port of :54321 will be RST when the peer device sends it's SYN,ACK (as you see above in DSS Gateway's post)

I highly recommend that anybody running v11.5+ perform the above steps to ensure your system is not incorrectly blocking traffic that has been sourced by the BIG-IP with an ephemeral port of 54321.

For the record, this affects all versions of:

*v11.5.0*
*v11.5.1*
and most likely *v11.6.0* when it is released.

1. Run the following commands to update your current iptables rules:

    /sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable

    /sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

    /sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

1. Run the following commands to add the iptables rules to /config/startup. This will ensure that these iptables rules persist upon reboot and upgrades:

    echo "/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable" >> /config/startup

    echo "/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset" >> /config/startup

    echo "/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset" >> /config/startup

The synopsis of this bug is that there is an iptables rule that was implemented to secure a Websense vulnerability.

In the process, the iptables rule was created in a rule that would block ALL Traffic to ALL Interfaces of a BIG-IP device.

This means that all traffic sourced from the BIG-IP with an ephemeral port of :54321 will be RST when the peer device sends it's SYN,ACK (as you see above in DSS Gateway's post)

I highly recommend that anybody running v11.5+ perform the above steps to ensure your system is not incorrectly blocking traffic that has been sourced by the BIG-IP with an ephemeral port of 54321.

Documented in 11.6 APM release notes and apparently still an issue - ID 455284 -

http://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html