Forum Discussion
TCP KeepAlive - Avoid long client connection without data
Hello,
I have virtual servers with type "Standard", TCP profile and HTTP profile. (BigIP LTM 1600, v 11.2.0)
The problem is that some users stay connected indefinitely using TCP keepalive.
For the TCP profile, the max idle time is set to 300 sec, but the client resets the connection idle time by sending a TCP keepalive...
- Is there a way to define a maximum duration for a connection when no data is sent/received...?
- How can I show the creation date of all TCP connections? (to identify long durations...)
Thanks!
21 Replies
- What_Lies_Bene1
Cirrostratus
Do you know how often the keepalive is sent? You could reduce the TCP profile Idle Timeout to below its value?
- What_Lies_Bene1
Cirrostratus
OK, so, how do we know when the last request has been sent?
- Hamish
Cirrocumulus
If it's HTTP (with an HTTP profile) you can separately set the max number of HTTP requests and the max HTTP idle time (which is separate from the TCP idle times).
H
- fabianlumy
Nimbostratus
The BigIP should be able to know, for a given connection context, when the last HTTP response has been sent? And then, with a timer, force a connection to close on timeout.
This is how the keepalive works on a web server...
- What_Lies_Bene1
Cirrostratus
Did you see Hamish's post above? I can't confirm the HTTP Idle Time setting as my VE is down but it sounds like what you're looking for.
- fabianlumy
Nimbostratus
@Hamish: I can define a "max-requests" to apply to my HTTP profile, but how can I set a max idle time on the HTTP profile...?
show sys version
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 862.0
Edition Hotfix HF2
- Kevin_Stewart
Employee
I'm not sure there is an HTTP timeout control, and what you're asking for isn't trivial.
Aside from that, I can think of potentially two options (albeit sub-optimal):
1. Force a "Connection: Close" header in HTTP responses. Probably not the best performance you'll get since you're not allowing any keep-alives at all, but you should be able to thwart the client's keep-alives.
2. A timer function in iRules. I would stress that this could be potentially dangerous, if not simply memory intensive, so please test vigorously if you choose something like the following:
    when HTTP_RESPONSE {
        # Arm the timer only if one is not already set for this connection;
        # when it fires after 8000 ms, close the connection.
        if { not ( [info exists timer] ) } {
            set timer [after 8000 { TCP::close }]
        }
    }
- fabianlumy
Nimbostratus
@Kevin: Thanks for your suggestion.
The first proposition is not acceptable since keepalives are really a good option.
The second one, like you said, seems to lead in a dangerous way (with reject in place of TCP::close()) but could work...
I'm really surprised; I think that all the public websites delivered using BigIP should not allow indefinite connections?
In your case? How do you do?
- Kevin_Stewart
Employee
I think it's safe to say that since HTTP isn't a persistent protocol by nature, it isn't generally a problem for ~most web applications. So when you say "indefinite connections", are you simply referring to HTTP keep-alives, or some other method of keeping the TCP session open?
- fabianlumy
Nimbostratus
Actually I'm referring to keeping the TCP session open.
I've already tried to control this with the Cisco ASA which is in front of the BigIP, but the "tcp idle time" considers the TCP keepalive (TCP frame without data) as activity, so like the BigIP, the idle time is continuously reset.
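
The behaviour described in this thread, where keepalive probes keep resetting a 300-second idle timer, shown as an added example that is not part of any post: Python code that separates keepalive probes from data segments for one direction of a connection and reports both idle times. The `Segment` record, the function names and the sample values are constructed for illustration, and sequence-number wraparound is ignored.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    t: int            # seconds since the start of the capture
    seq: int          # sequence number of the first byte
    length: int       # payload bytes
    flags: str = "A"  # TCP flags, e.g. "S", "A", "PA", "F"

def is_keepalive(seg, next_seq):
    """Probe heuristic: no SYN/FIN/RST, 0 or 1 payload bytes,
    sequence number one below the next expected byte."""
    return (not set(seg.flags) & set("SFR")
            and seg.length <= 1
            and seg.seq == next_seq - 1)

def idle_times(segments, now):
    """Return (transport_idle, data_idle) in seconds for one sender."""
    next_seq = None
    last_any = last_data = segments[0].t
    for seg in segments:
        last_any = seg.t                      # what a plain idle timer sees
        if next_seq is not None and is_keepalive(seg, next_seq):
            continue                          # probe: carries no new data
        consumes_seq = bool(set(seg.flags) & set("SF"))
        if seg.length > 0 or consumes_seq:
            last_data = seg.t                 # real payload or SYN/FIN
        end = seg.seq + seg.length + (1 if consumes_seq else 0)
        next_seq = end if next_seq is None else max(next_seq, end)
    return now - last_any, now - last_data

def keepalive_only(segments, now, limit=300):
    """True when only probes keep the connection under the idle limit."""
    transport_idle, data_idle = idle_times(segments, now)
    return transport_idle < limit <= data_idle

# Constructed sample: handshake, one 400-byte request, then a probe every 60 s.
SAMPLE = ([Segment(0, 1000, 0, "S"), Segment(0, 1001, 0),
           Segment(1, 1001, 400, "PA")]
          + [Segment(t, 1400, 0) for t in range(61, 602, 60)])

if __name__ == "__main__":
    print(idle_times(SAMPLE, now=630), keepalive_only(SAMPLE, now=630))
```

A timer driven by the first value never reaches 300 seconds on this connection, while the second value shows it has carried no data for over ten minutes.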
