For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wtwagon_99154's avatar
wtwagon_99154
Icon for Nimbostratus rankNimbostratus
Feb 10, 2010

Health Check Issues

The Scenario:     We are performing some load testing of an application and are using a health check as follows:     GET /blah/blah.asmx HTTP/1.1\r\nUser-Agent:Mozilla\r\nhost:bl...
management
monitoring
Jan_Renard's avatar
Jan_Renard
Icon for Nimbostratus rankNimbostratus
May 16, 2012
Sorry for the long wait.

 

 

In our case it was a configuration issue. The health checks were running from the same IP as the actual traffic for the virtual server. In some cases the health check would re-use a recently used TCP source port for the health check. Our firewall considered this as a late packet for a recently closed flow and dropped the packet.

 

 

The issue was caused by a faulty interface configuration. In an active passive setup, you shouldn't use unit ID in the floating IP configuration. This causes the F5 to use the interface ip for both the health checks and virtual server traffic (we are using SNAT). Normally the virtual server traffic should SNAT behind the floating IP. After opening a ticket at F5 we changed the config and now the health checks are running from the interface IP, separte from the viritual server which is natting behind the floating ip.

 

 

Since then the conflicting tcp port issue on our firewall has been resolved.

 

 

I know my explanation is a bit blurry but it's been 3 years ago and due to technical issue I cannot restore my old PST files to dig up the actual F5 case emails.

 

 

Jan