Forum Discussion
steelplate_8766
Nimbostratus
May 25, 2010
sNAT to Windows server and port collision
Hi,
I have an F5 doing sNAT, and the problem I face is that the Windows server keeps the port in time_wait (currently the default of 240 seconds on Windows 2003 Server). The F5 will attempt to reuse the client...
steelplate_8766
Nimbostratus
Jun 16, 2010
I have been reading RFC 1337, TIME-WAIT Assassination Hazards, and running some direct-to-Windows-server tests (no F5), I can see port reuse succeed within the time_wait period, due to MS implementing this feature.
However, when using sNAT on the F5, the ISN generated doesn't fall within a range MS considers valid for time_wait assassination, so it ignores it.
Does anyone know if the F5 is assuming assassination is working, hence quickly reusing the port, and if so, can this be turned off for outbound connections?
And does anyone know what algorithm the F5 uses for the ISN? (I know about the security aspects of asking such a question, but with respect to RFC 1337 they could give enough detail to see if it's compatible with MS's TCP stack.)
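
The ISN comparison discussed in the post above can be sketched as follows. This is an added example, not part of the original posts and not F5's or Microsoft's code: it assumes the BSD-derived heuristic described in RFC 6191 (a SYN for a 4-tuple still in TIME-WAIT is accepted only if its sequence number is above the last one seen from that peer), and `TimeWaitEntry`, `classify_syn` and the sample values are hypothetical.

```python
# Added example: BSD-style TIME-WAIT reuse check (see RFC 6191).
# Assumption: this is NOT the documented F5 or Microsoft algorithm.
from dataclasses import dataclass

MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around
TIME_WAIT_SECS = 240   # Windows Server 2003 default quoted in the thread


def seq_gt(a: int, b: int) -> bool:
    """True if sequence number a is 'after' b in 32-bit modular arithmetic."""
    return a != b and ((a - b) % MOD) < (MOD >> 1)


@dataclass
class TimeWaitEntry:
    """Server-side state for one closed 4-tuple (hypothetical field names)."""
    rcv_nxt: int      # next sequence number the server expected from the peer
    closed_at: float  # time the connection entered TIME-WAIT, in seconds


def classify_syn(entry: TimeWaitEntry, syn_isn: int, now: float) -> str:
    """What a server applying the heuristic does with a reused 4-tuple."""
    if now - entry.closed_at >= TIME_WAIT_SECS:
        return "accept: TIME-WAIT expired"
    if seq_gt(syn_isn, entry.rcv_nxt):
        return "accept: ISN above previous incarnation"
    return "ignore: ISN looks like an old duplicate"


def audit(events):
    """events: (label, entry, syn_isn, now) tuples -> {label: verdict}."""
    return {label: classify_syn(e, isn, now) for label, e, isn, now in events}


# Constructed sample data, not taken from a real capture.
SAMPLE = [
    ("monotonic ISN", TimeWaitEntry(0x1000_2000, 0.0), 0x1004_0000, 5.0),
    ("random ISN below", TimeWaitEntry(0x9000_0000, 0.0), 0x2345_6789, 5.0),
    ("wraparound", TimeWaitEntry(0xFFFF_FF00, 0.0), 0x0000_0100, 5.0),
    ("after 240 s", TimeWaitEntry(0x9000_0000, 0.0), 0x2345_6789, 241.0),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE).items():
        print(f"{label:18} {verdict}")
```

Under this heuristic, a source port reused with an ISN that is not ahead of the previous connection's sequence space is dropped until TIME-WAIT expires, which matches the symptom reported when the SYN comes through the sNAT.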
