Forum Discussion
TCP Profile - extremely pushy F5 (RST after 300 us)
Hello Team,
I have a VIP with a pool of two servers and the standard protocol profile: TCP.
What I have noticed is that after the TCP SYN packet is routed by the F5 to the real server, the F5 is extremely pushy and expects the answer (SYN ACK) in around 300 us. If it does not get that answer in that time, it sends a TCP RST to both the real server and the client. This is what I see on the real server:
20:23:57.147148 IP 172.16.33.1.50197 > 172.16.34.101.80: Flags [S], seq 3228024889
20:23:57.147409 IP 172.16.33.1.50197 > 172.16.34.101.80: Flags [R], seq 3228024890
20:23:57.147416 IP 172.16.34.101.80 > 172.16.33.1.50197: Flags [S.], seq 2676604517
As you can see, in my scenario the real server is always a bit late (it's not that fast).
This is the standard TCP profile I am using:
profile tcp tcp {
    reset on timeout enable
    time wait recycle enable
    delayed acks enable
    selective acks enable
    proxy max segment disable
    proxy options disable
    deferred accept disable
    ecn disable
    limited transmit enable
    nagle disable
    timestamps enable
    slow start enable
    ack on push disable
    idle timeout 300
    time wait 2000
    fin wait 5
    close wait 5
    send buffer 32768
    recv window 32768
    keep alive interval 1800
    max retrans syn 3
    max retrans 8
    congestion control highspeed
    zero window timeout 20000
}
I have tried to tune it by changing multiple options, but without success.
Which option should I choose to prevent the F5 from sending that RST packet so quickly?
Thanks, Michal
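An added example, not part of the original post: a short Python script that parses tcpdump lines in the format shown in the capture above, groups them per flow, and reports how long after the SYN the RST arrived and whether it came before the SYN-ACK. The function names are this example's own; the sample lines are the three lines from the post, and timestamps are assumed not to cross midnight.

```python
import re
from datetime import datetime

# The three capture lines from the post (tcpdump on the real server).
SAMPLE = """\
20:23:57.147148 IP 172.16.33.1.50197 > 172.16.34.101.80: Flags [S], seq 3228024889
20:23:57.147409 IP 172.16.33.1.50197 > 172.16.34.101.80: Flags [R], seq 3228024890
20:23:57.147416 IP 172.16.34.101.80 > 172.16.33.1.50197: Flags [S.], seq 2676604517
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\S+) > (\S+): Flags \[([^\]]+)\]")


def parse(text):
    """Yield (timestamp, src, dst, flags) for each tcpdump line that matches."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2), m.group(3), m.group(4)


def delta_us(start, end):
    """Microseconds from start to end, or None if end was never seen."""
    return None if end is None else round((end - start).total_seconds() * 1e6)


def early_resets(text):
    """Return flows where the SYN sender sent a RST before any SYN-ACK arrived."""
    flows = {}
    for ts, src, dst, flags in parse(text):
        if flags == "S":                                   # initial SYN opens a flow
            flows[(src, dst)] = {"syn": ts, "rst": None, "synack": None}
        elif flags.startswith("R") and (src, dst) in flows:
            flows[(src, dst)]["rst"] = flows[(src, dst)]["rst"] or ts
        elif flags == "S." and (dst, src) in flows:        # reply travels the other way
            flows[(dst, src)]["synack"] = flows[(dst, src)]["synack"] or ts
    findings = []
    for (src, dst), f in flows.items():
        if f["rst"] and (f["synack"] is None or f["rst"] < f["synack"]):
            findings.append({
                "flow": f"{src} > {dst}",
                "syn_to_rst_us": delta_us(f["syn"], f["rst"]),
                "rst_to_synack_us": delta_us(f["rst"], f["synack"]),
            })
    return findings


if __name__ == "__main__":
    for finding in early_resets(SAMPLE):
        print(finding)
```

Run against a longer capture, a consistent result across many flows shows that the reset is systematic rather than the server being occasionally slow.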
18 Replies
- teknet7_237497
Nimbostratus
OK, a few more tests: iHealth is a very nice tool (I will use it from now on), but with this specific issue it did not help.
But I have found one profile which is working fine: fasthttp.
If I understand correctly, the only big difference between this profile (working) and all the others (not working) is SNAT.
To confirm this I have configured the Standard profile but with SNAT enabled, and indeed it's working fine.
Any ideas/suggestions? Why do I need to have SNAT enabled to have it working? Why is the F5 behaving so strangely without SNAT?
Thanks, Michal
- Carl_Brothers
Employee
In many environments, the F5 is on the same network as the servers it manages app traffic for. In these cases, we have to use a SNAT profile to ensure traffic routes back through our device, because otherwise the server will respond to the client and the client will ignore it because it did not request data from the server.
For an example of most of our best practices, run the HTTP iApp to create the virtual server. It asks guiding questions and then makes all of the necessary objects. You also get a great tree view of all config objects used to build a VIP.
Unless your servers use your F5 as their default gateway, SNAT is needed.
- teknet7_237497
Nimbostratus
Hi Carl,
Thank you for the answer. You are 100% right. You have solved my problem.
Thanks a lot!
