Forum Discussion
Stateless routing
what do you have configured for "Reset on Timeout" on the profile? also what is your timeout value set to?
also is SYN cookie protection (challenge) disabled? see https://my.f5.com/manage/s/article/K99545311
can you share more details on the virtual server configuration (you mention /32 mask) as well as the protocol profile configuration? and what version are you running?
- JamesCrk (Cirrus), Oct 12, 2023
Hi, this is what we have configured:
ltm profile fastl4 /Common/my_route_friendly_fastl4 {
    app-service none
    defaults-from /Common/fastL4
    idle-timeout 300
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled
}
- wtwiggs (Altocumulus), Oct 12, 2023
that looks good. FYI, we are using similar "stateless" IP forwarding virtual servers extensively in our datacenter with inline i5800 appliances and no issues. we use wildcard forwarders (0.0.0.0/0) and route domains to carve up different segments. combination of static and dynamic routing. this way our clients go thru the F5 with no SNAT requirement on datacenter apps.
other couple of things comparing configs you might check/verify:
in the forwarding virtual server properties do you have source-port preserve-strict enabled? ran into a "bug" where sometimes this can be a problem if not set to "strict": ports were translating, and that could cause a RST if the end-to-end port pair/socket is now different.
and translate-address and translate-port disabled?
and is your protocol set to any (not just tcp or udp)?
sample:
ltm virtual sample_forwarder {
    destination 0.0.0.0%4:any
    ip-forward
    mask any
    profiles {
        profile_dc_fastl4 { }
    }
    source 0.0.0.0%4/0
    source-port preserve-strict
    translate-address disabled
    translate-port disabled
    vs-index 4
}
also curious about your /32 on the listener? what is the use case you are doing? as mentioned, ours are wildcard and we then let routing decide how to move the packet. we don't have any gateway IP on the F5 since a downstream router is the subnet's gateway, and we have routing established between the F5 and router. but if you do have gateways on the F5, are they being accomplished thru this /32 or via a separate self IP (floating if you are doing redundant, and basically similar to VRRP/HSRP)? we've done that before, using the self IP as the subnet gateway and a wildcard forwarder to pass all the stateless packets thru once the devices ARP for the gateway.
hope this helps. please share more info and maybe another idea/detail will surface...
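As an added example (not code from this thread or from F5): a small Python checker that parses tmsh `list ltm virtual` style output into per-stanza attributes and reports where a forwarding virtual server departs from the settings listed above (translate-address/port disabled, source-port preserve-strict, protocol any). The two embedded stanzas are constructed from the configs quoted in this thread; that tmsh omits default values, and that the default source-port is the non-strict `preserve`, are assumptions.

```python
# Constructed sample input: the two forwarding virtual servers quoted in this thread.
SAMPLES = """
ltm virtual sample_forwarder {
    destination 0.0.0.0%4:any
    ip-forward
    mask any
    profiles {
        profile_dc_fastl4 { }
    }
    source-port preserve-strict
    translate-address disabled
    translate-port disabled
}
ltm virtual /PRODUCTION/FWD_10.150.10.10_VS {
    destination /10.150.10.10/10.150.10.10%1:0
    ip-forward
    mask 255.255.255.255
    translate-address disabled
    translate-port disabled
}
"""

def parse_virtuals(text):
    # {name: {attr: value}} per stanza; nested blocks are skipped, flag lines get ''.
    virtuals, attrs, depth = {}, None, 0
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("ltm virtual ") and depth == 0:
            attrs, depth = {}, 1
            virtuals[line.split()[2]] = attrs
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1:
            key, _, value = line.partition(" ")
            attrs[key] = value
    return virtuals

# Settings wtwiggs lists for a stateless forwarder. An absent key is a miss: tmsh
# omits defaults (assumption), and the default source-port is assumed to be 'preserve'.
WANT = {"translate-address": "disabled", "translate-port": "disabled",
        "source-port": "preserve-strict", "ip-forward": ""}

def lint_forwarder(attrs):
    findings = [f"{k} is {attrs.get(k, '<unset>')}, want {v or 'present'}"
                for k, v in WANT.items() if attrs.get(k) != v]
    # An absent ip-protocol is taken as 'any', matching the sample stanza above.
    if attrs.get("ip-protocol", "any") != "any":
        findings.append(f"ip-protocol is {attrs['ip-protocol']}, want any")
    return findings
```

Run it over real `tmsh list ltm virtual` output and every forwarder that does not match the sample's settings is listed with the attribute that differs.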
- JamesCrk (Cirrus), Oct 17, 2023
Sorry for the delay, this is what the VS has:
ltm virtual /PRODUCTION/FWD_10.150.10.10_VS {
    destination /10.150.10.10/10.150.10.10%1:0
    ip-forward
    mask 255.255.255.255
    profiles {
        /Common/my_route_friendly_fastl4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
It's a strange story as to why we have these here in the first place. We have a 10.0.0.0/8 route forwarder as well; when this issue first occurred a year or two ago, immediately following an upgrade, TAC got involved and could see the connection broken because no routing was happening. They put this /32 in and it immediately resolved the issue, much to my argument that this had worked fine for years until then with only the /8 route forwarder, but we couldn't argue with results.
And for an additional piece of information, this traffic flow that occasionally gets broken is bigd between two GTM devices; this LTM sits in between them doing nothing more than routing and firewalling. It's hard to be sure, but it appears bigd doesn't honour the TCP reset and keeps trying to use the same session. We never touch the GTMs to fix this, just delete and re-add the forwarder and all works again.