For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fluzocapacitor's avatar
fluzocapacitor
Icon for Cirrus rankCirrus
Jun 17, 2024

Querying SNMP data for half-open connections on a virtual server

Hello, I’m trying to monitor the embryonic/half-open connections for a particular VS on my F5 load balancer using SNMP.  I’ve read several articles, including ‘K00560557: Using SNMP information rel...
application delivery
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Jun 18, 2024

Hi Fluzocapacitor,

 

Keeping server side connection open even after the client side connection already been closed is a KNOWN BUG which was fixed in 11.6.x

 

Known Issue

Archived - K15973: Server-side TCP connections may remain half-open if the client-side connection closes early

https://my.f5.com/manage/s/article/K15973

I dont think there are SNMP MIBs for monitoring half open connections, but you can check in Pools there is a TCP Half Open monitor that can be applied. 

The f5networks.f5_modules.bigip_monitor_tcp_half_open module can be used to manage F5 BIG-IP LTM TCP half-open monitors. This module is part of the f5networks.f5_modules collection version 1.27.1 and requires BIG-IP software version 12 or higher. Some parameters of the module include:

  • description: A string describing the monitor
  • interval: An integer that specifies how often the monitor instance will run
  • ip: An IP address that is part of the IP/port definition
  • name: The monitor name

https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_monitor_tcp_half_open_module.html

You can use the following commands to view and delete the current or active connections

K53851362: Displaying and deleting BIG-IP connection table entries from the command line

https://my.f5.com/manage/s/article/K53851362

K40033505: Explaining the output of tmsh show sys connection

https://my.f5.com/manage/s/article/K40033505

 

Examples

 

tmsh show /sys connection

 

TMSH command to list all the options & properties with the show /sys connection command

 

tmsh show /sys connection ?

 

Options:

all-properties             Display all properties for the specified items

default                      Units are determined based on current values

exa                            All values are displayed in exa-units

gig                            All values are displayed in giga-units

kil                             All values are displayed in kilo-units

meg                           All values are displayed in mega-units

peta                           All values are displayed in peta-units

raw                            No conversions are made to any values

save-to-file                 Output from the command is saved to the specified file. -

                                  This file is placed in /shared. This allows to write a file larger than 2GB.

tera                            All values are displayed in tera-units

yotta                          All values are displayed in yotta-units

zetta                          All values are displayed in zetta-units

|                                Route command output to a filter

 

Properties:

"{"                           Optional delimiter

age                           Specifies the age, in seconds, of a connection

cs-client-addr            Specifies the clientside remote address of the active connections

cs-client-port            Specifies the clientside remote port of the active connections

cs-server-addr          Specifies the clientside local address of the active connections

cs-server-port           Specifies the clientside local port of the active connections

protocol                   Specifies the protocol used for specified connections (for example: tcp, udp)

ss-client-addr           Specifies the serverside local address of the active connections

ss-client-port            Specifies the serverside local port of the active connections

ss-server-addr          Specifies the serverside remote address of the active connections

ss-server-port          Specifies the serverside remote port of the active connections

 

 

Using my example output line above we will label each part of the output:

 

Client Side

172.10.50.20:30322                       10.10.10.1:443   

cs-client-addr:cs-client-port             cs-server-addr:cs-server-port

 

Server Side

192.168.1.1:30322                         192.40.200.20:30322   

ss-client-addr:ss-client-port             ss-server-addr:ss-server-port

 

The protocol used, the age of the connection, and which traffic management microkernel was used

tcp               14        (tmm: 6)  none

protocol       age      tmm used

 

 

How to delete a connection from the F5 BIG-IP connection table?

To delete active connections in the BIG-IP connection table you can key on any of the property value(s). For example, if I wanted to delete all connections a user was initiating to the BIG-IP you would specify the users IP as the client side client address like this:

 

 

TMSH command to delete all connections initiated from a specific client IP

 

tmsh delete /sys connection cs-client-addr  172.10.50.20

 

 

 

TMSH command to delete ALL connections in a F5 BIG-IP  - Careful, you're going to kill EVERY session.

tmsh delete /sys connection

 

Make sure you check out the “all-properties” option, it has a load of great information, including how many bits the connection has pushed, and its’ age & idle-timeout. Lets take a look at the output:

 

 

TMSH command to show all details about a particular conneciton, including how much traffic, bits in and out, a connection has used 

 

tmsh show /sys connection cs-client-addr 172-10.50.20 all-properties

 

172.10.50.20:30322 - 10.10.10.1:443 - 172.10.50.20:30322 - 192.40.200.20:443

----------------------------------------------------------------------------

  TMM            6

  Type              self

  Acceleration   none

  Protocol         tcp

  Idle Time       9

  Idle Timeout  300

  Unit ID          0

  Lasthop         /Common/internal 00:0d:3a:3a:25:20

  Virtual Path   10.10.10.1:443

  Conn Id 0

                               ClientSide           ServerSide

  Client Addr  172.10.50.20:30322    172.10.50.20:30322

  Server Addr      10.10.10.1:443     192.40.200.20:443

  Bits In                    3.0K                1.3K

  Bits Out                  1.3K               3.0K

  Packets In                   4                  3

  Packets Out                 3                  4

 

HTH
✌️

 

  • fluzocapacitor's avatar
    fluzocapacitor
    Icon for Cirrus rankCirrus
    Jun 18, 2024

    Hi,

    Thank you for the detailed information and the helpful links.

    It’s good to know about the known bug and its fix in version 11.6.x. However, I am not affected by bug K15973 as I am running version 15.1.10.

    I appreciate the suggestion to use the TCP Half Open monitor. I understand that this monitor would help in monitoring the connections between the virtual server and the pool nodes. However, my main interest is in monitoring the connections between the clients and the virtual server. A SYN flood attack would cause issues on the load balancer itself, not on the backend nodes.

    I also appreciate the commands to view and delete active connections.  I have used the following command to check the number of connections:

    show /sys connection cs-server-addr 10.1.50.200%1

Sys::Connections
10.1.34.120%1:51080   10.1.50.200%1:80  10.1.34.120%1:51080   10.2.75.150%1:80  tcp  16   (tmm: 0)  server-side(none)       none
10.1.58.99%1:61766    10.1.50.200%1:80  10.1.58.99%1:61766    10.2.92.180%1:80  tcp  28   (tmm: 0)  none                            none
10.2.85.43%1:51172    10.1.50.200%1:80  10.2.85.43%1:51172    10.2.92.180%1:80  tcp  39   (tmm: 0)  both-sides(none;none)  none
...
10.1.123.45%1:59943   10.1.50.200%1:80  10.1.123.45%1:59943   10.2.75.150%1:80  tcp  2    (tmm: 1)  none                             none
10.1.87.101%1:55831   10.1.50.200%1:80  10.1.87.101%1:55831   10.2.92.180%1:80  tcp  6    (tmm: 1)  none                               none
Total records returned: 1000

    Although there are 1000 established connections, my main interest is in half-open connections, as these are the ones that trigger the SYN cookie mechanism. According to the documentation, these half-open connections appear as "Current SYN Cache" in the output of the show ltm virtual <virtual> command.

    Just to clarify, is there a specific OID or SNMP method to directly monitor the number of half-open connections between the clients and the virtual server, or would the TCP Half Open monitor still be the best approach to track this metric?

    Thank you again for your assistance!

    Best regards,