TCP profile and Idle Timout

Question

Hello -&nbsp;
&nbsp;Hoping someone can help me identify why the expected RST is not being sent.  I have an issue with long running AJAX sessions running on my web servers.  We recently switched from LVS to bigip LTMs, and rather than figure out a solution in our application code, wanted to see if the idle timeout on the F5 would help us.  In a test environment, I have a tcp profile set to enable reset on timeout and a value of 120 seconds.  I start a session for a client, and then browse away and watch the idle time climb.  Eventually hits 360 seconds (even though a b client x.x.x.x idle timeout shows 120) where my php code closes the session with a FIN, ACK.  Don't know where else to check on my system as to why it won't send a rst when the idle time hits 120 on the session. &nbsp;
&nbsp;Thanks for all the help.&nbsp;&nbsp;&nbsp;

hooleylist · Answer

Hi Ryan,  
&nbsp;  
&nbsp; I think this might be due to several idle timeouts.  Do you have SNAT automap enabled on the virtual server?  Can you list the virtual server config and reply with an anonymized copy using 'tmsh list ltm virtual VS_NAME'? 
&nbsp;  
&nbsp; Aaron &nbsp;

nitass · Answer

just in case you have not yet seen this sol. 
&nbsp;  
&nbsp; sol7606: Overview of BIG-IP idle session timeouts 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/600/sol7606.html

ryan_bachman_78 · Answer

Thanks to both of you for the quick reply.  So is it my understanding that I can't enforce timeouts using Auto SNAT?  Is there really no way to configure this setting?  The lvs I replaced was configured for direct return, so in order to install the F5 in a transparent fashion, we deployed it in a 'router on a stick' fashion.  If I switch the VS to use fasthttp profile, I have a solution to my problem, but the business wants to maintain original IPs so I need to inject XFF headers into the requests.  All my traffic is HTTPS, so fasthttp is not an option at this time.  I am including  the config of the VS, but it sounds like I know my answer.  Just don't know if there is an easy solution to my problem.  Thanks.    
&nbsp;  
&nbsp; ltm virtual app.perf. { 
&nbsp;     destination 172.27.37.80:https 
&nbsp;     ip-protocol tcp 
&nbsp;     mask 255.255.255.255 
&nbsp;     persist { 
&nbsp;         cookie { 
&nbsp;             default yes 
&nbsp;         } 
&nbsp;     } 
&nbsp;     pool app_perf_https 
&nbsp;     profiles { 
&nbsp;         http_xff { } 
&nbsp;         perf_ssl { 
&nbsp;             context clientside 
&nbsp;         } 
&nbsp;         serverssl { 
&nbsp;             context serverside 
&nbsp;         } 
&nbsp;         stats { } 
&nbsp;         tcp_lowtimeout { 
&nbsp;             context clientside 
&nbsp;         } 
&nbsp;     } 
&nbsp;     rules { 
&nbsp;         Billing_Reditrect 
&nbsp;     } 
&nbsp;     snat automap 
&nbsp; } &nbsp;

mikand_61525 · Answer

Do you need snat automap then? 
&nbsp;  
&nbsp; I mean doesnt that setting make the server to only see a range of ip's handled by the F5 instead of see the real client ip? 
&nbsp;  
&nbsp; Sure the automap is needed if you have the F5 on a stick without further configuration of your routing but you can rearrange this so the F5 will be in the flow instead by setup 2 network connections from your router to the F5 (call them inside/outside or whatever) and then direct your servers to use the inside ip of your F5 as def gw (or in worst case use VRF in your router :P). 
&nbsp;  
&nbsp; Another method is to physically place the F5 inline between the router and the servers, or for that matter replace your router with your F5 all together (the F5 supports both static routing aswell as dynamic with BGP, OSPF, IS-IS, RIP for both IPv4 and IPv6).

ryan_bachman_78 · Answer

I agree with your assessment that the one arm configuration might not be the best solution, but at this time it is what I have to work with.  I needed something that provided a zero downtime implementation, and I have multiple services on what you would consider the internal subnet, that need to call into the Virtual Servers.  How would the F5 handle traffic for requests to a VIP on the external interface, just to turn it around and load balance it back in.  There are other factors that led me to decide with a one arm deployment as well.  I might re-address the architecture at a later date, now I am just frustrated with getting this LTM to send out RSTs when my connections exceed the idle timeout settings.  I like your suggestion, and will start exploring what that is going to take to get done.  
&nbsp;  
&nbsp; Reading through the docs, I understand that the 10.2.1 version I am running has an indefinite timeout for automap SNAT connections.  I tried to workaround that by setting up a custom SNAT pool and manually setting all timeout values (TCP &amp; IP) to 60 seconds.  I have the same setting in my TCP profile.  My connections timers are still climbing past 60, and reaching the 360 mark where I force the connection closed on the server side.  I also tried an iRule to set the timeout value, and the results were no different.  I guess my question would be, is the F5 supposed to be sending RSTs in the configuration?  I have followed their documentations, and it reads like it should be, but I haven't seen the expected results.   
&nbsp;  
&nbsp; Thanks.

Forum Discussion

TCP profile and Idle Timout

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

idle timouts for the sessions

Update your DevCentral user profile

DoS Profiles

The Inevitability of Idle Resources

Client SSL Profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS