steelplate_8766
May 25, 2010

sNAT to Windows server and port collision

Hi, I have an F5 doing sNAT, and the problem I face is that the Windows server keeps the port in TIME_WAIT (currently the default 240 seconds on Windows 2003 Server). The F5 will attempt to reuse the client port within that interval and, as it causes a port collision, the SYNs don't even get ACKs. Windows is doing a full TCP port close (FIN,ACK with ACK response in both directions), so the F5 deems it OK to reuse the port. My understanding is that the F5 shouldn't try to reuse this port for 2MSL, but where can I find the default MSL for the F5, as I should make the Windows TcpTimedWaitDelay =< the F5 2MSL? I tried setting the F5 to always change the client port, as this should have caused the F5 to use a new port that wasn't in use, but instead it makes the problem worse: I see the F5 try to reuse the changed client port in < 1 second; again I assume this is because the F5 sees a full close. How have other users dealt with this problem, as it must have affected many other users?

14 Replies

  • Hamish
    How many connections/second does this SNAT handle? Are you using too many connections to adhere to any sensible times for socket reuse perhaps? What happens if you use a SNAT pool with more addresses?
  • hoolio
    You could use an F5 customization of tcpdump and Wireshark to record the connection IDs. This should make it much easier to correlate the client and server side connections without using the source port.

    http://devcentral.f5.com/Forums/tabid/1082223/asg/52/showtab/groupforums/aff/31/aft/31014/afv/topic/Default.aspx

    http://devcentral.f5.com/Wiki/default.aspx/AdvDesignConfig/F5WiresharkPlugin.html

    Aaron
  • Hamish
    Is time wait recycle on the TCP (server) profile enabled or disabled?

    What's the Time Wait setting on the TCP profile? (Default is only 2000ms).

  • wow, thanks for the detail on the F5 plugin, that will make life easier for sure!

    we have multiple IPs in the sNAT pool

    time wait is set to 300000 ms, though I believe this is the F5 time wait, and has no effect on the server TIME_WAIT or how the F5 acts when the server is in TIME_WAIT

    time wait recycle is currently enabled, and we tried disabled, but as above, as this is a server TIME_WAIT, I don't think this will make any difference

    we replicated this failure with 1 user on their second TCP connection when we use port change. After the first TCP connection closed, the server went to TIME_WAIT, and then the client spawned a new connection with client local port +1. The F5 tried to reuse the same local port from the previous connection to the server, and got no response. This was within 3 seconds of the previous connection closing, so AFAIK the F5 should NOT have attempted to reuse the server socket because, as per the RFC, it would be in TIME_WAIT.

    I thought that maybe the F5 would attempt reuse with TCP assassination principles, but if it is, it's failing as the ISNs aren't acceptable to the server for assassination to work.
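As an added example (not part of this thread and not F5 or Microsoft code), the script below scans tcpdump text output for the symptom steelplate_8766 reproduces above: a SYN from a SNAT address that re-opens the same 4-tuple toward the server within seconds of the previous connection on that tuple closing. It distinguishes genuine port reuse (a FIN or RST was seen on the tuple in between) from a plain SYN retransmission (no close in between), since both look like "SYN with no reply" at a glance. The packet lines embedded in it are constructed; the input format assumed is tcpdump's default one-line-per-packet text, and the 240 s default window mirrors the Windows 2003 TcpTimedWaitDelay quoted in the original post.

```python
"""Flag SNAT source-port reuse toward a server inside its TIME_WAIT window.

Parses tcpdump text output and reports every pure SYN that re-opens a
4-tuple whose previous connection was closed (FIN or RST seen) less than
`window` seconds earlier.  SYNs repeating a tuple with no close in between
are counted as retransmissions instead, so a stalled handshake is not
mistaken for port reuse.
"""
import re
from typing import Dict, List, Tuple

Tuple4 = Tuple[str, int, str, int]

# Matches tcpdump lines such as:
# 10:00:00.000 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [S], seq 100, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: SNAT address 10.1.1.5 opens, fully closes, then
# re-opens port 40001 to the server 3.5 s later and has to retransmit the SYN.
SAMPLE_TCPDUMP = [
    "10:00:00.000 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [S], seq 100, win 65535, length 0",
    "10:00:00.001 IP 192.168.1.10.80 > 10.1.1.5.40001: Flags [S.], seq 500, ack 101, win 65535, length 0",
    "10:00:00.002 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [.], ack 501, win 65535, length 0",
    "10:00:01.000 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [F.], seq 101, ack 501, win 65535, length 0",
    "10:00:01.001 IP 192.168.1.10.80 > 10.1.1.5.40001: Flags [F.], seq 501, ack 102, win 65535, length 0",
    "10:00:01.002 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [.], ack 502, win 65535, length 0",
    "10:00:03.500 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [S], seq 200, win 65535, length 0",
    "10:00:04.500 IP 10.1.1.5.40001 > 192.168.1.10.80: Flags [S], seq 200, win 65535, length 0",
    "10:00:05.000 IP 10.1.1.5.40002 > 192.168.1.10.80: Flags [S], seq 300, win 65535, length 0",
]


def parse_ts(ts: str) -> float:
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_port_reuse(lines: List[str], window: float = 240.0) -> Dict[str, list]:
    """Return {'reuses': [(tuple, prev_syn_ts, syn_ts, gap)], 'retransmits': [(tuple, ts)]}.

    `window` is the server-side TIME_WAIT length the SNAT must respect
    (240 s is the Windows 2003 default TcpTimedWaitDelay).
    """
    state: Dict[Tuple4, dict] = {}
    reuses: list = []
    retransmits: list = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        flags = m["flags"]
        key: Tuple4 = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev: Tuple4 = (key[2], key[3], key[0], key[1])

        if flags == "S":  # pure SYN from the initiator ("S." would be the server's SYN-ACK)
            prev = state.get(key)
            if prev is None:
                state[key] = {"syn": ts, "closed": False}
            elif not prev["closed"]:
                retransmits.append((key, ts))  # same attempt, no close seen yet
            else:
                gap = ts - prev["syn"]
                if gap < window:
                    reuses.append((key, prev["syn"], ts, gap))
                state[key] = {"syn": ts, "closed": False}
            continue

        if "F" in flags or "R" in flags:
            # A FIN or RST from either side ends the connection on this tuple.
            for k in (key, rev):
                if k in state:
                    state[k]["closed"] = True
    return {"reuses": reuses, "retransmits": retransmits}


if __name__ == "__main__":
    report = find_port_reuse(SAMPLE_TCPDUMP)
    for key, prev_ts, ts, gap in report["reuses"]:
        print(f"REUSE {key[0]}:{key[1]} -> {key[2]}:{key[3]} after {gap:.3f}s (server TIME_WAIT still active)")
    for key, ts in report["retransmits"]:
        print(f"SYN retransmit {key[0]}:{key[1]} -> {key[2]}:{key[3]} at {ts:.3f}")
```

Feeding it a real capture taken on the server-side VLAN (`tcpdump -nn -tt`-style output would need the timestamp pattern adjusted) shows directly whether the SNAT is handing out a 4-tuple faster than the server releases it; lowering `window` to the F5 profile's Time Wait value and re-running shows which events the F5 itself would consider legitimate reuse.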