problem syn/ack to client Instead of RST

If you're using a virtual server with a TCP profile, the BIG-IP will always answer SYNs with a SYN ACK. I don't know of any way to work around this.

 

 

Aaron

You would need to write an iRule that did that. Something like this:

 

 

when LB_FAILED {

 

if { [LB::server addr] eq "" } {

 

reject

 

}

 

}

 

 

The reason this is not done by default is because there are many different scenarios where, just because the servers are down, doesn't mean you want to send a RST. You might want BIG-IP to do a redirect or do an iRule based on information coming in.

I think the poster was trying to configure the BIG-IP to send a RST to the initial client SYN if all pool members were down. With BIG-IP acting as a full TCP proxy, I don't think you can. As you say, a RST back after the initial TCP handshake is complete might be the closest option.

 

 

Aaron

We are having an issue with this as well. We route Tibco EMS through 2 VIP's to allow us to update EMS servers without effecting client configurations (as each client knows the DNS names of the two EMS hosts). We also terminate the SSL connection on the LTM using our PKI signed certificate. To do this we had to change from Performance L4 type, to Standard type. This causes the SYN, SYN-ACK, ACK, RST behavior when the EMS server is down (pool is unavailable). The Tibco EMS client is expecting SYN, RST, and when it doesn't follow that path, the Agent thinks the server is up, but can't talk to it. It then fails to try the secondary server. I am thinking this is a Tibco Client bug, but it would be nice to address this on the LTM.

 

 

We could go back to Performance L4 and move the certificate and prvate key to the EMS servers. This seems to be my best option at the moment.

 

Ideas?

 

 

DeVon

 

 

are you using irule? if not, can you try verified accept setting under tcp profile?

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:443
   ip protocol 6
   profiles {
      clientssl {
         clientside
      }
      http {}
      mytcp {}
   }
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config  b profile mytcp list
profile tcp mytcp {
   defaults from tcp
   verified accept enable
}

[root@ve10:Active] config  tcpdump -nni 0.0 -s0 port 443 or port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:46:02.057096 IP 172.28.19.251.34969 > 172.28.19.252.443: S 1618116666:1618116666(0) win 5840  in slot1/tmm0 lis=
17:46:02.057204 IP 200.200.200.10.34969 > 200.200.200.101.80: S 1873592754:1873592754(0) win 4380  out slot1/tmm0 lis=bar
17:46:02.058188 IP 200.200.200.101.80 > 200.200.200.10.34969: R 0:0(0) ack 1873592755 win 0 in slot1/tmm0 lis=bar
17:46:02.058208 IP 172.28.19.252.443 > 172.28.19.251.34969: R 3667334011:3667334011(0) ack 1618116667 win 4380 out slot1/tmm0 lis=bar