PPawar_309940
Feb 28, 2019

iRULE: forwarding virtual for sql ports

Hi Guys,

 

We have had several issues reported by our clients, who have been getting 504 gateway timeout errors since we migrated the services from ACE to F5.

 

Anything to the VS is fine, but I believe it's something to do with forwarding virtual servers.

 

We have already disabled Reset on Timeout and enabled loose initiation on the fastl4 profile, but things are still not better.

 

So I thought to increase the TCP idle timeout using an iRULE. Since I have different ports, I decided to make use of an iRULE which looks like this:

 

when CLIENT_ACCEPTED {
    # Raise the idle timeout only for the SQL ports (5437-5439, 1521, 1529)
    if { ([TCP::local_port] >= 5437 && [TCP::local_port] <= 5439) || ([TCP::local_port] == 1521) || ([TCP::local_port] == 1529) } {
        TCP::idletime 4294967295
    }
}

 

Now when I try to apply this to the forwarding VS, it complains that the VS needs a TCP profile, and there is no TCP profile as I am using fastl4. So please can someone throw some light on this and help me work out how I can get round it.

 

  • uzair

    Please paste the virtual server configuration.

     

  • If you have loose init and reset on timeout enabled the timeout shouldn’t matter. It will add the connection to the session tables regardless of it existing or not and won’t send a reset, so it’s basically acting as a router. What’s the rest of the app look like or what’s going on when you get the timeout? Maybe an asynchronous routing issue with the change in environments, etc? Can you reproduce it and watch a trace of the traffic on that VLAN to validate your thoughts that it’s the forwarding VIP?

     

    Regarding your actual question though, it’s just a function of what’s available in the processing of the virtual. If TCP is only available with a certain profile, and the virtual type you have doesn’t support that profile, it means you don’t have access to those variables or commands. The performance virtuals have a lot disabled so that TMM can quickly forward the packets without a lot of CPU hit or entirely in hardware if the platform supports it. There isn’t really a workaround other than choosing a different type of virtual server, which probably isn’t possible in this case.

     

  • Here is the config

    ltm virtual /Common/forwarding_virtual {
        destination /Common/0.0.0.0:0
        ip-forward
        mask any
        profiles {
            /Common/forwarding_fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
    }

    and Profile

    ltm profile fastl4 /Common/forwarding_fastL4 {
        app-service none
        defaults-from /Common/fastL4
        loose-initialization enabled
        reset-on-timeout disabled
    }
    
  • Thanks Dave,

     

    I am sure there is no asymmetric routing. A similar setup was working fine through ACE, where we had set the idle timeout to indefinite for these sql ports.

     

    But as soon as we diverted the traffic through F5, clients started to see the error, which I believe is because of F5. Even with all these settings, where loose init is enabled and reset on timeout is disabled, is F5 not going to silently drop the traffic for any idle connection which stays longer than the default of 5 mins on F5?

     

    So you are saying an iRULE is not possible here. What do you think if I increase the TCP timeout on the fastl4 profile from 300s to some high value, would that impact F5 performance?

     

  • uzair

    Virtual server protocol is configured as All protocols. So this iRule is giving the appropriate error.

    In the virtual server's Protocol setting, change All to tcp and then apply the same iRule. Make sure your F5 software version is >=11.6, as TCP::idletime was introduced in 11.6.

    If you need to create a UDP forwarding VS also, you can create the same virtual server with protocol as udp.

    After modifying the protocol, the VS configuration will look like this:

    ltm virtual forwarding_virtual {
        destination 0.0.0.0:any
        ip-forward
        ip-protocol tcp
        mask any
        profiles {
            forwarding_fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
    }
    
    • PPawar_309940

      I don't think that it matters if I use protocol as tcp/udp or any. I won't be able to apply the iRULE as it requires a tcp profile, and when we create a forwarding VS it uses the fastl4 profile.

       

      I can create a forwarding virtual for a single port like below and change the tcp timeout value to indefinite. But the problem is I have multiple ranges of ports and I don't want to create that many forwarding VS.

       

      0.0.0.0/0:1521

       

    • PPawar_309940

      Guys,

       

      Has anyone got any other brilliant ideas, or do some of you still think that this is not required at all?

       

      But I am sure that after we migrated to F5 the users' sessions are sporadically timing out more, which I think is because of the tcp idle time. Pressure is building on us, and we don't want to fail back to ACE, which is not at all desirable.

       
