For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

andy_12_5042's avatar
andy_12_5042
Icon for Nimbostratus rankNimbostratus
Mar 17, 2014

LTM Drops TCP Retransmit packets

I cant seem to isolate why the F5 will not send the TCP Retransmit packets back the application servers. I observe the same behavior on several of our F5's on old Software (9.25 , yeah insane!) So in testing I can create a self originated connection from an application server that is behind the F5 via curl.

 

  • The behavior is always the same and looks like this:
  • the sender begins to send data to my application server
  • at some point there is a packet that does not reach my application server.
  • This spawns the application server (receiver) to start sending dup acks (selective ACKS are True)
  • the sender will send TCP Retransmit packets which I can see going into the F5 but never make it out (or back to the receiver)
  • Eventually the application layer times out the connection and aborts (RST) when we reach the point that the sender cant send any further data without getting an ACK for the retransmit.

I cant figure out why this is occurring as there is no further visibility into the stack in the F5. Also these packets do not fit any of the criteria for drops at either the switch processor or TMM based on what I have read. Anybody have any clue as to what this could possibly be or I am I at the "yeah time to call f5 support". (which of course I cant do with this archaic software version)

 

FWIW, I do not see this same behavior on newer software.

 

application delivery
LTM
performance

4 Replies

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Mar 17, 2014

    If you don't see this behavior with newer software, then why aren't you using newer software? :)

     

    Could be a bug you are running into. But with code that old, there's really not much of a way of determining that.

     

    • andy_12_5042's avatar
      andy_12_5042
      Icon for Nimbostratus rankNimbostratus
      Mar 17, 2014
      I am working in a place that thinks support contracts are optional :) I suspect I am out of luck here as there is nothing else I can do to debug further ...
  • andy_12_5042's avatar
    andy_12_5042
    Icon for Nimbostratus rankNimbostratus
    Mar 18, 2014

    This was kind of futile to ask the question with software this old :). The only way I could get any further is to understand what the F5 internal software is doing when these packets arrive and try to see some kind of error. Essentially debugging at a layer in which I will never get to here.

     

    In reality, nobody would care about a bug on this software as it is no longer supported anyway.. Soooo, I suppose I will accept defeat on this one and leave alone. Time to go work for a company that believes in support contracts and recent software versions on critical platform appliances!!!!

     

    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Mar 18, 2014
      Sorry we can't be of more help. At least with a newer version (v10 or v11), someone here could mock it up and test it out for you.