Forum Discussion

fanttazio_23961's avatar
fanttazio_23961
Icon for Altostratus rankAltostratus
Jul 18, 2016

TCP reset connection with MSSQL

Hello all,

Disclaimer: I'm not an F5 expert and just started working and learning it so apologies in advanced if I say something that doesn't make sense or wrong. The issue:

We are doing SSL offloading with F5 and we are experiencing an issue. The TCP connection gets reset between F5 and SQL server by the F5. Below is what is see between F5(172.16.0.1) and SQL server (82.99.227.18):

No.     Time           Source                Destination           Protocol Length Info
     15 8.100124       172.16.0.1          82.99.227.18          TCP      60     2903 → 1433 [SYN] Seq=0 Win=512 Len=0

Frame 15: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: a2:8a:27:00:00:4c (a2:8a:27:00:00:4c), Dst: Microsof_86:13:39 (00:15:5d:86:13:39)
Internet Protocol Version 4, Src: 172.16.0.1, Dst: 82.99.227.18
Transmission Control Protocol, Src Port: 2903 (2903), Dst Port: 1433 (1433), Seq: 0, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     16 8.100248       82.99.227.18          172.16.0.1          TCP      58     1433 → 2903 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460

Frame 16: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: Microsof_86:13:39 (00:15:5d:86:13:39), Dst: a2:8a:27:00:00:4c (a2:8a:27:00:00:4c)
Internet Protocol Version 4, Src: 82.99.227.18, Dst: 172.16.0.1
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 2903 (2903), Seq: 0, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     17 8.100655       172.16.0.1          82.99.227.18          TCP      60     2903 → 1433 [RST] Seq=1 Win=0 Len=0

Is this normal? We are doing SSL offloading between SQL client and F5 and right now we are not able to establish a connection between the server and client and I'm tshooting the problem. Right now I want to make sure that the connection between the F5 and server is functional and then go to the F5 and client leg. in this scenario F5 is only doing the SSL offloading.

Thanks

  • OK. I think I've found my answer. This should be the monitoring mechanism by the F5:

     

    Monitoring section on https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9812.html

     

    The tcp_half_open monitor performs a simple check on the pool member service by sending a TCP SYN packet to the service port. When the monitor receives the SYN-ACK packet from the pool member, the monitor considers the service to be up, and sends a TCP RST packet to the service instead of completing the three-way handshake. The TCP RST packet is typically sent on the server side of the connection, and the source IP address of the reset is the relevant self IP address of the VLAN.

     

  • OK. I think I've found my answer. This should be the monitoring mechanism by the F5:

     

    Monitoring section on https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9812.html

     

    The tcp_half_open monitor performs a simple check on the pool member service by sending a TCP SYN packet to the service port. When the monitor receives the SYN-ACK packet from the pool member, the monitor considers the service to be up, and sends a TCP RST packet to the service instead of completing the three-way handshake. The TCP RST packet is typically sent on the server side of the connection, and the source IP address of the reset is the relevant self IP address of the VLAN.