For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Richard_Grigsby's avatar
Richard_Grigsby
Icon for Nimbostratus rankNimbostratus
Jul 31, 2015

Idle TCP Timeout of non-vs handled traffic, F5(10.2.3)

Traffic originating from host behind F5 (10.2.3), F5 is the default gateway, with long idle times, are being timed out at 300 seconds.

 

Changing the idle timeout at "Local Traffic ›› Profiles : Protocol : TCP ›› tcp" does not effect no vs handled traffic.

 

Where do I change the global isle TCP timeout value for non-vs handled traffic?

 

application delivery
deployment
LTM
performance
TMSH

6 Replies

    • Richard_Grigsby's avatar
      Richard_Grigsby
      Icon for Nimbostratus rankNimbostratus
      Jul 31, 2015
      this is a server segment behind the F5. 10.64.7.0/24. The Self IP of the F5 is 10.64.7.1. The Application server initiating the connection out to a host on the other side of the F5 is 10.64.7.174. Source : 10.64.7.174 Destination: 10.250.96.24 TCP/1521 Network 10.250.96.0/24 is a firewalled database segment. Firewall timeouts are as follows: timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Conn is 60 mins (3600 sec), half-closed is 10 min (600 sec). The idle connection is timing out at 300 seconds. That is why I am looking at the F5 idle timeouts. This
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jul 31, 2015

    Don't you have a forwarding virtual server in place for the gateway?

     

    • Richard_Grigsby's avatar
      Richard_Grigsby
      Icon for Nimbostratus rankNimbostratus
      Jul 31, 2015
      this is a server segment behind the F5. 10.64.7.0/24. The Self IP of the F5 is 10.64.7.1. The Application server initiating the connection out to a host on the other side of the F5 is 10.64.7.174. Source : 10.64.7.174 Destination: 10.250.96.24 TCP/1521 Network 10.250.96.0/24 is a firewalled database segment. Firewall timeouts are as follows: timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Conn is 60 mins (3600 sec), half-closed is 10 min (600 sec). The idle connection is timing out at 300 seconds. That is why I am looking at the F5 idle timeouts. This
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jul 31, 2015

    I ask the same question as kunjan... Don't you have a forwarding virtual server in place for the gateway?

     

    if you use a forwarding virtual server, the profile you must change is the fastl4 profile (or create a new one and change timeout value)

     

  • Richard_Grigsby's avatar
    Richard_Grigsby
    Icon for Nimbostratus rankNimbostratus
    Jul 31, 2015

    Thank You for your response. I found the Global IP forwarding vs. I did not want to change the global foward-all so I created a new forwarding vs to match just the destination subnet, tcp/1521, and source subnet with an increase idle timeout setting. We will have to monitor to see if it works for us.