Forum Discussion
Nimbostratusproblem syn/ack to client Instead of RST
I have a one problem.
Despite my vserver this down, my client sends the SYN packet to connect to the VIP, f5 responds with a SYN / ACK, the client sends ACK y the F5 responds with a RST. This behavior is not valid for my because I need that after SYN client the f5 it answered with a RST.
Thanks
5 Replies
hoolioCirrostratus
If you're using a virtual server with a TCP profile, the BIG-IP will always answer SYNs with a SYN ACK. I don't know of any way to work around this.
Aaron
James_ThomsonEmployee
You would need to write an iRule that did that. Something like this:
when LB_FAILED {
if { [LB::server addr] eq "" } {
reject
}
}
The reason this is not done by default is because there are many different scenarios where, just because the servers are down, doesn't mean you want to send a RST. You might want BIG-IP to do a redirect or do an iRule based on information coming in.- hoolioI think the poster was trying to configure the BIG-IP to send a RST to the initial client SYN if all pool members were down. With BIG-IP acting as a full TCP proxy, I don't think you can. As you say, a RST back after the initial TCP handshake is complete might be the closest option.
Aaron 
DeVon_JarvisAltostratus
We are having an issue with this as well. We route Tibco EMS through 2 VIP's to allow us to update EMS servers without effecting client configurations (as each client knows the DNS names of the two EMS hosts). We also terminate the SSL connection on the LTM using our PKI signed certificate. To do this we had to change from Performance L4 type, to Standard type. This causes the SYN, SYN-ACK, ACK, RST behavior when the EMS server is down (pool is unavailable). The Tibco EMS client is expecting SYN, RST, and when it doesn't follow that path, the Agent thinks the server is up, but can't talk to it. It then fails to try the secondary server. I am thinking this is a Tibco Client bug, but it would be nice to address this on the LTM.
We could go back to Performance L4 and move the certificate and prvate key to the EMS servers. This seems to be my best option at the moment.
Ideas?
DeVon
- nitassare you using irule? if not, can you try verified accept setting under tcp profile?
[root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.252:443 ip protocol 6 profiles { clientssl { clientside } http {} mytcp {} } } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config b profile mytcp list profile tcp mytcp { defaults from tcp verified accept enable } [root@ve10:Active] config tcpdump -nni 0.0 -s0 port 443 or port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes 17:46:02.057096 IP 172.28.19.251.34969 > 172.28.19.252.443: S 1618116666:1618116666(0) win 5840 in slot1/tmm0 lis= 17:46:02.057204 IP 200.200.200.10.34969 > 200.200.200.101.80: S 1873592754:1873592754(0) win 4380 out slot1/tmm0 lis=bar 17:46:02.058188 IP 200.200.200.101.80 > 200.200.200.10.34969: R 0:0(0) ack 1873592755 win 0 in slot1/tmm0 lis=bar 17:46:02.058208 IP 172.28.19.252.443 > 172.28.19.251.34969: R 3667334011:3667334011(0) ack 1618116667 win 4380 out slot1/tmm0 lis=bar
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}
