newf5learner_13
Apr 04, 2016

irule to delete the stale connections.

Hi All,

I'm looking for an iRule that can check the status of connections on the VIP and remove any stale connections. The reason I want this is that I'm told there is a bug in F5 LTM version 11.6.0 for SVN checkout VIPs (high-volume downloads). F5 support suggests upgrading to 12.0, but I don't want to upgrade as it has a lot of other dependencies.

Issue: When I do a SVN checkout using a url or VIP configured on F5, the download happens but the connections are not getting closed after the completion of the activity. The connection count keeps on increasing every time I do this.

We have tried multiple options on TCP profiles, assuming that they can influence the connection closing, but nothing helped.

Connections at the PC end:

C:\Users\Administrator>netstat -no

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.65.69.221:3389     10.224.222.55:52970    ESTABLISHED     536
  TCP    10.65.69.221:51380    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51384    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51388    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51391    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51392    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51401    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51408    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51413    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51416    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51420    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51424    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51425    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51429    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51431    10.12.2.240:443        LAST_ACK        1380



root@(ushoutestf5l3)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys connection cs-client-addr 10.65.69.221
Sys::Connections
10.65.69.221:51425  10.12.2.240:443  192.168.200.254:9317  192.168.200.217:443  tcp  34  (tmm: 2)  none
10.65.69.221:51416  10.12.2.240:443  192.168.200.254:35803  192.168.200.217:443  tcp  31  (tmm: 1)  none
10.65.69.221:51388  10.12.2.240:443  192.168.200.254:49179  192.168.200.217:443  tcp  1   (tmm: 1)  none
10.65.69.221:51380  10.12.2.240:443  192.168.200.254:33243  192.168.200.217:443  tcp  53  (tmm: 0)  none
10.65.69.221:51424  10.12.2.240:443  192.168.200.254:36375  192.168.200.217:443  tcp  8  (tmm: 3)  none
10.65.69.221:51413  10.12.2.240:443  192.168.200.254:46974  192.168.200.217:443  tcp  46  (tmm: 2)  none
10.65.69.221:51431  10.12.2.240:443  192.168.200.254:22151  192.168.200.217:443  tcp  48  (tmm: 3)  none
10.65.69.221:51420  10.12.2.240:443  192.168.200.254:31305  192.168.200.217:443  tcp  42  (tmm: 2)  none
10.65.69.221:51384  10.12.2.240:443  192.168.200.254:44967  192.168.200.217:443  tcp  8   (tmm: 2)  none
10.65.69.221:51401  10.12.2.240:443  192.168.200.254:10979  192.168.200.217:443  tcp  29  (tmm: 2)  none
10.65.69.221:51392  10.12.2.240:443  192.168.200.254:32407  192.168.200.217:443  tcp  10  (tmm: 2)  none
10.65.69.221:51429  10.12.2.240:443  192.168.200.254:18646  192.168.200.217:443  tcp  24  (tmm: 1)  none
10.65.69.221:51391  10.12.2.240:443  192.168.200.254:61170  192.168.200.217:443  tcp  53  (tmm: 2)  none
10.65.69.221:51408  10.12.2.240:443  192.168.200.254:46607  192.168.200.217:443  tcp  56  (tmm: 0)  none
Total records returned: 14

Please let me know if there is any iRule that I can use to delete these stale connections, or let me know if I change anything on the F5 to simulate the connection closure for this VIP.

thanks
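
The two listings in the post can be correlated mechanically. This added example (not part of the original post and not F5 code) parses abridged, constructed copies of the `netstat -no` and `show sys connection` output and lists the flows that the client reports in LAST_ACK while the BIG-IP still holds a connection-table entry. Reading the number after the protocol as idle time in seconds is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the two listings in the post above.
NETSTAT = """\
  TCP    10.65.69.221:3389     10.224.222.55:52970    ESTABLISHED     536
  TCP    10.65.69.221:51380    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51384    10.12.2.240:443        LAST_ACK        1380
  TCP    10.65.69.221:51388    10.12.2.240:443        LAST_ACK        1380
"""
TMSH = """\
Sys::Connections
10.65.69.221:51388  10.12.2.240:443  192.168.200.254:49179  192.168.200.217:443  tcp  1   (tmm: 1)  none
10.65.69.221:51380  10.12.2.240:443  192.168.200.254:33243  192.168.200.217:443  tcp  53  (tmm: 0)  none
10.65.69.221:51384  10.12.2.240:443  192.168.200.254:44967  192.168.200.217:443  tcp  8   (tmm: 2)  none
Total records returned: 3
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+\d+\s*$")
TMSH_RE = re.compile(
    r"^(\S+:\d+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\w+)\s+(\d+)\s+\(tmm:\s*(\d+)\)")

def parse_netstat(text):
    """Map (local, remote) -> TCP state from `netstat -no` rows."""
    rows = (NETSTAT_RE.match(line) for line in text.splitlines())
    return {(m[1], m[2]): m[3] for m in rows if m}

def parse_tmsh(text):
    """Map (client, vip) -> flow details from `show sys connection` rows."""
    flows = {}
    for m in filter(None, map(TMSH_RE.match, text.splitlines())):
        # Assumption: the number after the protocol is idle time in seconds.
        flows[(m[1], m[2])] = {"server_side": (m[3], m[4]),
                               "idle": int(m[6]), "tmm": int(m[7])}
    return flows

def half_closed_flows(netstat_text, tmsh_text, states=("LAST_ACK",), min_idle=0):
    """Flows the client is closing that the BIG-IP still holds, oldest first."""
    client, flows = parse_netstat(netstat_text), parse_tmsh(tmsh_text)
    hits = [(key, client[key], flows[key]["idle"], flows[key]["tmm"])
            for key in flows
            if client.get(key) in states and flows[key]["idle"] >= min_idle]
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for (src, vip), state, idle, tmm in half_closed_flows(NETSTAT, TMSH):
        print(f"{src} -> {vip}  client={state}  idle={idle}s  tmm={tmm}")
```

Running the same comparison on successive captures shows whether the entries age out on the idle timeout or keep accumulating.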

3 Replies

  • Please find the custom tcp profile I have used.

    ltm profile tcp meshsrc_git_test {
        app-service none
        defaults-from tcp
        ecn enabled
        max-retrans 12
        slow-start disabled
    }
    

    I have tried enabling a few features on the profile, but that didn't help. I have even used the iApp to create a VIP for this, which added the customized protocol profiles (client and server) in which the default WAN/LAN TCP-optimized settings were enabled.

    meshsrc_git_test_tcp-lan-optimized {
        app-service meshsrc_test
        defaults-from tcp-lan-optimized
        init-cwnd 16
        init-rwnd 16
        slow-start enabled
    }

    meshsrc_test_tcp-wan-optimized {
        app-service meshsrc_test
        defaults-from tcp
        nagle enabled
        proxy-buffer-high 131072
        proxy-buffer-low 131072
        receive-window-size 65535
        selective-acks enabled
        send-buffer-size 65535
    }

    Please let me know if I have to make any specific changes.

    thanks.