Forum Discussion

dragonflymr
Oct 12, 2015

When TCP Idle Timeout counter starts

Hi,

I checked the related SOL and docs and I am still not sure how this timeout works. Logically it should be used for established TCP connections, so only for connections that finished the 3WHS. Probably that's the case.

I wonder, however, which counter/parameter is responsible for managing the situation when there is no reply to the SYN-ACK (and we are not talking about the SYN flood case).

I would like to set up a TCP profile so it waits 300 s for the ACK to the SYN-ACK. I can't see a relevant option in the TCP profile (11.6), but I am not a TCP expert, so maybe I missed something obvious?

Piotr

 

4 Replies

  • dragonflymr

    Hi,

    Just working on some migration from Cisco CSS. There is a setting in the config, "flow permanent", that is described in the manual like this:

    "To define a set of TCP or UDP ports that will have permanent connections and will not be reclaimed by the CSS when the flows are inactive, use the flow permanent command. By default, the CSS may reclaim TCP/UDP flows that have not received an ACK or content request after approximately 15 seconds. Use the no form of this command to disable a permanent connection by setting its port number to 0."

    Most important from the above is the sentence: "By default, the CSS may reclaim TCP/UDP flows that have not received an ACK or content request after approximately 15 seconds."

    Maybe I am wrong, but "have not received an ACK" in the above sentence sounds to me like the situation when a client sending SYN was replied to with SYN+ACK but never sent the ACK, a typical unfinished 3WHS, but maybe I am wrong as I am not a Cisco expert. That's why I am trying to figure out what is responsible for the timeout in such a situation on F5.

    Idle Timeout should handle without issue the situation when the 3WHS was finished (so we have an established TCP connection in the Connection Table) but at some point no more packets are arriving via this connection. I assume that the counter starts each time a packet is received and is reset when the next packet arrives. The question is whether the same counter is used for the unfinished 3WHS situation, or some other one, or some RFC-defined default is used?

    Piotr
  • Hi Piotr,

    Not sure if I understand your question right, but maybe the option "TCP Handshake Timeout" in a FastL4 profile is what you are looking for?

    Best regards, Patrick

  • Hi,

    That is probably the closest to what I am looking for, but for some reason it is only in FastL4, not in TCP.

    Anyway, more important here is when the Idle Timeout counter starts to tick: only after the 3WHS has finished, or from the first SYN packet received? The latter would not be logical, as there is no TCP connection established yet, but...

    If Idle Timeout works as above, then what is the timeout for the 3WHS in the TCP profile? As already stated, there is no such setting in the TCP profile, so maybe there is some hard-coded default here?

    Piotr
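The distinction this thread keeps circling back to, an idle timer that only runs on established connections and restarts on every packet versus a separate timer for a handshake that never completes, as a small connection-table model. This is an added example written for this page, not BIG-IP code or F5 documentation: the timeout values, flow keys and packet trace are constructed, and the timer a given TCP or FastL4 profile actually applies has to be checked against its own documentation.

```python
from dataclasses import dataclass

# Assumed values for the model, not profile defaults.
HANDSHAKE_TIMEOUT = 5.0    # applies only while the 3WHS is unfinished
IDLE_TIMEOUT = 300.0       # applies only once the connection is established


@dataclass
class Flow:
    state: str          # "SYN_RECEIVED" (half-open) or "ESTABLISHED"
    last_packet: float  # time of the last packet seen on this flow


class ConnectionTable:
    def __init__(self):
        self.flows = {}

    def on_packet(self, now, key, flags):
        """Update a flow on each packet; whichever timer applies restarts from now."""
        flow = self.flows.get(key)
        if flow is None:
            if "SYN" in flags:                       # client SYN: half-open entry
                self.flows[key] = Flow("SYN_RECEIVED", now)
            return
        if flow.state == "SYN_RECEIVED" and flags == {"ACK"}:
            flow.state = "ESTABLISHED"               # third packet of the 3WHS
        flow.last_packet = now                       # any packet resets the timer

    def reap(self, now):
        """Drop flows whose applicable timer has expired and return their keys."""
        expired = []
        for key, flow in list(self.flows.items()):
            limit = HANDSHAKE_TIMEOUT if flow.state == "SYN_RECEIVED" else IDLE_TIMEOUT
            if now - flow.last_packet > limit:
                expired.append(key)
                del self.flows[key]
        return expired


def run_trace():
    """Constructed trace: flow A completes the 3WHS, flow B never sends its ACK."""
    table = ConnectionTable()
    table.on_packet(0.0, "A", {"SYN"})
    table.on_packet(0.0, "B", {"SYN"})
    table.on_packet(0.1, "A", {"ACK"})             # A established, B stays half-open
    early = table.reap(6.0)                         # B passed the handshake timeout
    table.on_packet(200.0, "A", {"ACK", "PSH"})    # data on A restarts its idle timer
    mid = table.reap(301.0)                         # A idle only 101 s: still kept
    late = table.reap(501.0)                        # A idle 301 s: reclaimed
    return early, mid, late
```

The half-open flow is the one that consumes table space without ever becoming a connection, which is why a handshake timeout shorter than the idle timeout matters for resource exhaustion.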