Forum Discussion
[Where/How] to use OneConnect for permanent connection?
Guys, I've been trying to get F5 to set up a permanent connection using OneConnect to a real server but couldn't make it work.
So, here's what I have in my setup (all in Lab):
Virtual Server: 111.111.111.111
No default pool member, No persistence profile.
I do a pool redirection using an iRule, whether it's going to pool A or pool B (different applications).
Now the Pool A application team needs this to be a permanent connection.
So pool A's node member is 192.168.13.250:20000.
I've tried using OneConnect profile in virtual server 111.111.111.111 but to no avail.
I do a tcpdump and see that F5 is actually sending a Reset flag at the end of connection instead of making it permanent for subsequent traffic to use:
14:41:33.166478 IP 192.168.1.100.56678 > 192.168.13.250.20000: R 105:105(0) ack 308 win 4687
Being mindful that all these are SSL packets.
Is there any way to make this OneConnect work? Or am I missing something?
Thanks.
26 Replies
- nitass
Employee
is the reset initiated by bigip indeed? can you check why bigip sends reset?
sol13223: Configuring the BIG-IP system to log TCP RST packets
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
I did a bit of a test and it seems okay here.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl { context clientside }
        http { }
        oneconnect { }
        serverssl { context serverside }
        tcp { }
    }
    rules { qux }
    source 0.0.0.0/0
    source-address-translation { type automap }
    vs-index 26
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]"
    }
    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]"
    }
    when HTTP_RESPONSE {
        log local0. "[IP::local_addr]:[TCP::local_port]"
    }
    when CLIENT_CLOSED {
        log local0. "[IP::client_addr]:[TCP::client_port]"
    }
    when SERVER_CONNECTED {
        log local0. "[IP::local_addr]:[TCP::local_port]"
    }
    when SERVER_CLOSED {
        log local0. "[IP::local_addr]:[TCP::local_port]"
    }
}
test by sending 10 requests (1 request per connection)
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm
May 18 22:02:33 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37085
May 18 22:02:33 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 200.200.200.14:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 200.200.200.14:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37085
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 200.200.200.14:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 200.200.200.14:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37086
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37087
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37087
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 200.200.200.14:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37087
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37088
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37088
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 200.200.200.14:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37088
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37089
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37089
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 200.200.200.14:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37089
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37090
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37090
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 200.200.200.14:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37090
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37091
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37091
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 200.200.200.14:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37091
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37092
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37092
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 200.200.200.14:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37092
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37093
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37093
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 200.200.200.14:37085
May 18 22:02:34 ve11a info tmm[14715]: Rule /Common/qux : 172.28.24.1:37093
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37094
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37094
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 200.200.200.14:37086
May 18 22:02:34 ve11a info tmm1[14715]: Rule /Common/qux : 172.28.24.1:37094
[root@ve11a:Active:In Sync] config grep CLIENT_ACCEPTED /var/log/ltm | wc -l
10
[root@ve11a:Active:In Sync] config grep HTTP_REQUEST /var/log/ltm | wc -l
10
[root@ve11a:Active:In Sync] config grep SERVER_CONNECTED /var/log/ltm | wc -l
2
[root@ve11a:Active:In Sync] config tmsh show ltm profile one-connect
-----------------------------------
Ltm::OneConnect Profile: oneconnect
-----------------------------------
Virtual Server Name      N/A
Connections
  Current Idle           0
  Maximum                2
  Total Reuses           8
  New                    2
- ciscoarc
Nimbostratus
Hmm. The counter "TCP Reset from Remote System" increased.
Strangely I didn't see any Reset from either client or server in tcpdump, it's only from F5..
- ciscoarc
Nimbostratus
Actually now I am confused.
Come to think of a traffic flow, following my IP address scheme:
A client (IP Address A.B.C.D) connects to Virtual Server 111.111.111.111 (F5)
F5 then forwards it to the pool member, in this case 192.168.13.250 on TCP port 20000. Then after this finishes, the client (A.B.C.D) sends a Reset flag, stating that it has finished sending packets. No more packets left. F5 acknowledges it.
So where and when does the Oneconnect kick in, and how does it keep the TCP 20000 open for other packet to be used?
- nitass
Employee
Then after this finishes, the client (A.B.C.D) sends a Reset flag, stating that it has finished sending packet.
shouldn't client send FIN instead of RST?
- ciscoarc
Nimbostratus
Uh yeah I meant Fin flag. Sorry. Coffee didn't help much I guess.
I am still not sure where Oneconnect kicks in.
- nitass
Employee
this is what i understand...
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar80
ltm virtual bar80 {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo80
    profiles {
        http { }
        my1connect { }
        tcp { }
    }
    rules { myrule80 }
    source 0.0.0.0/0
    source-address-translation { type automap }
    vs-index 28
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo80
ltm pool foo80 {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
// to not worry about timeout (when testing), i used indefinite idle timeout.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile one-connect my1connect
ltm profile one-connect my1connect {
    app-service none
    idle-timeout-override indefinite
}
testing
// send 1 request to virtual server. client sends FIN after receiving the response.
// anyway, bigip does not forward FIN to server. leave the serverside connection idle to be reusable.
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:39:32.181811 IP 172.28.24.1.37779 > 172.28.24.10.80: S 1513065117:1513065117(0) win 5840 in slot1/tmm1 lis=
00:39:32.181893 IP 172.28.24.10.80 > 172.28.24.1.37779: S 1841142685:1841142685(0) ack 1513065118 win 4380 out slot1/tmm1 lis=/Common/bar80
00:39:32.186315 IP 172.28.24.1.37779 > 172.28.24.10.80: . ack 1 win 5840 in slot1/tmm1 lis=/Common/bar80
00:39:32.187614 IP 172.28.24.1.37779 > 172.28.24.10.80: P 1:88(87) ack 1 win 5840 in slot1/tmm1 lis=/Common/bar80
00:39:32.187714 IP 200.200.200.14.37779 > 200.200.200.101.80: S 3626688258:3626688258(0) win 4380 out slot1/tmm1 lis=/Common/bar80
00:39:32.187731 IP 172.28.24.10.80 > 172.28.24.1.37779: . ack 88 win 4467 out slot1/tmm1 lis=/Common/bar80
00:39:32.189422 IP 200.200.200.101.80 > 200.200.200.14.37779: S 1071034751:1071034751(0) ack 3626688259 win 5792 in slot1/tmm1 lis=/Common/bar80
00:39:32.189438 IP 200.200.200.14.37779 > 200.200.200.101.80: . ack 1 win 4380 out slot1/tmm1 lis=/Common/bar80
00:39:32.189490 IP 200.200.200.14.37779 > 200.200.200.101.80: P 1:112(111) ack 1 win 4380 out slot1/tmm1 lis=/Common/bar80
00:39:32.191061 IP 200.200.200.101.80 > 200.200.200.14.37779: . ack 112 win 5792 in slot1/tmm1 lis=/Common/bar80
00:39:32.388023 IP 200.200.200.101.80 > 200.200.200.14.37779: P 1:390(389) ack 112 win 5792 in slot1/tmm1 lis=/Common/bar80
00:39:32.388130 IP 172.28.24.10.80 > 172.28.24.1.37779: P 1:385(384) ack 88 win 4467 out slot1/tmm1 lis=/Common/bar80
00:39:32.388154 IP 200.200.200.14.37779 > 200.200.200.101.80: . ack 390 win 4769 out slot1/tmm1 lis=/Common/bar80
00:39:32.388162 IP 172.28.24.10.80 > 172.28.24.1.37779: F 385:385(0) ack 88 win 4467 out slot1/tmm1 lis=/Common/bar80
00:39:32.392468 IP 172.28.24.1.37779 > 172.28.24.10.80: . ack 385 win 6432 in slot1/tmm1 lis=/Common/bar80
00:39:32.392475 IP 172.28.24.1.37779 > 172.28.24.10.80: F 88:88(0) ack 386 win 6432 in slot1/tmm1 lis=/Common/bar80
00:39:32.392498 IP 172.28.24.10.80 > 172.28.24.1.37779: . ack 89 win 4467 out slot1/tmm1 lis=/Common/bar80
// show sys connection and show oneconnect statistic
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol tcp
Sys::Connections
any6.any any6.any 200.200.200.14:37779 200.200.200.101:80 tcp 3 (tmm: 1) none
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm profile one-connect my1connect
-----------------------------------
Ltm::OneConnect Profile: my1connect
-----------------------------------
Virtual Server Name      N/A
Connections
  Current Idle           1
  Maximum                1
  Total Reuses           0
  New                    1
// after 15 seconds, server sends FIN to close the connection.
00:39:47.413593 IP 200.200.200.101.80 > 200.200.200.14.37779: F 390:390(0) ack 112 win 5792 in slot1/tmm1 lis=/Common/bar80
00:39:47.413636 IP 200.200.200.14.37779 > 200.200.200.101.80: . ack 391 win 4769 out slot1/tmm1 lis=/Common/bar80
00:39:47.413647 IP 200.200.200.14.37779 > 200.200.200.101.80: F 112:112(0) ack 391 win 4769 out slot1/tmm1 lis=/Common/bar80
00:39:47.415217 IP 200.200.200.101.80 > 200.200.200.14.37779: . ack 113 win 5792 in slot1/tmm1 lis=/Common/bar80
// serverside connection is gone
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol tcp
Sys::Connections
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm profile one-connect my1connect
-----------------------------------
Ltm::OneConnect Profile: my1connect
-----------------------------------
Virtual Server Name      N/A
Connections
  Current Idle           0
  Maximum                1
  Total Reuses           0
  New                    1
- ciscoarc
Nimbostratus
Thanks nitass, I still can't get it to work after mucking with it for 2 days..
Does oneconnect only work with http? I only use TCP..
Also, I don't know where that Reset comes from. From F5, it says received from peer. From apps server it says connection reset by peer.
- ciscoarc
Nimbostratus
It appears that F5 is sending the Reset flag. At the end of a packet, F5 decides to send the server an RST flag, thus the oneconnect doesn't work properly..
- ciscoarc
Nimbostratus
Is there any way to make a permanent connection besides using OneConnect?
Eg: when adding a pool member, I noticed that F5 is actually connecting to the pool member on the specified port. Is it possible to make F5 create a permanent connection at this stage so that all subsequent traffic uses this connection?
- nitass
Employee
Does oneconnect only work with http? I only use TCP..
since you do not use an http profile, i understand you may have to manually detach the serverside connection (i.e. LB::detach) when the transaction is done (because bigip does not know when it is considered complete). this is one of the nice articles about oneconnect (anyway it may not answer your question).
OneConnect? For my iRule? by Deb Allen
https://devcentral.f5.com/articles/oneconnect-for-my-irule.U3wvUCjNyCQ
Eg: when adding a pool member, I noticed that F5 is actually connecting to the pool member on the specified port. Is it possible to make F5 create a permanent connection at this stage and every other subsequent traffic is using this connection?
another method is to use mblb but those are experimental commands (i.e. LB::context_id, LB::dst_tag, LB::src_tag).
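The manual-detach approach nitass describes, written out as an added iRule example (this is not nitass's code, nor code from the Deb Allen article or from F5). It assumes a OneConnect profile is attached to the virtual server, a pool named pool_a (placeholder), and an application that works in lockstep: the client sends one request, waits for the complete response, then sends the next. It also assumes, for illustration only, that each client-side TCP segment carries exactly one complete message; a real protocol needs its own framing check on [TCP::payload] before the pool decision is made.

```tcl
# Added example, not from the original thread: per-message load balancing with
# OneConnect reuse for a plain TCP (non-HTTP) service.
# Assumptions (placeholders): pool "pool_a"; lockstep request/response; one
# client-side TCP segment == one complete application message.

when CLIENT_ACCEPTED {
    # Hold client data in the iRule until a load balancing decision is made.
    TCP::collect
}

when CLIENT_DATA {
    # A new message arrived. If a server-side connection is still attached from
    # the previous message, hand it back to the OneConnect idle pool first.
    # Without an http profile BIG-IP cannot tell where a transaction ends, so
    # this explicit LB::detach is what lets the next message get a fresh load
    # balancing decision (and, with OneConnect, a reused idle connection).
    # "attached" is a per-connection variable; it is unset on the first message.
    if { [info exists attached] } {
        LB::detach
    }

    # Load balancing decision for this message. Placeholder: every message goes
    # to pool_a; content-based routing would inspect [TCP::payload] here.
    pool pool_a
    set attached 1

    # Releasing the held data triggers the load balancing decision. With
    # OneConnect, an idle server-side connection to the selected member is
    # reused instead of a new TCP handshake to the server.
    TCP::release

    # Re-arm collection so the next message comes back through CLIENT_DATA.
    TCP::collect
}

when LB_SELECTED {
    # Visibility only: log the member chosen for each message, so the count of
    # these lines can be correlated with "Total Reuses" and "New" in
    # "show ltm profile one-connect".
    log local0. "[IP::client_addr]:[TCP::client_port] -> [LB::server addr]:[LB::server port]"
}
```

Two things to check before blaming the iRule if reuse still does not show up. First, the server must keep its side of an idle connection open: in the thread the application first answered with RST and, in nitass's own test, the web server closed the idle connection with FIN after 15 seconds, and a connection closed by the server can never be reused. Second, the OneConnect source mask decides which clients may share a server-side connection; with SNAT automap and the default mask of 0.0.0.0 any idle connection is a reuse candidate, and a narrower mask restricts reuse to clients in the same range.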
- ciscoarc
Nimbostratus
Ok, so the apps team has finally replaced the software and now it no longer sends an RST flag. However OneConnect still doesn't work. After 4 or 5 consecutive transactions, F5 still opens a new TCP port to the server.
Can anyone help? Thanks.
- Torti
Cirrus
isn't oneconnect designed for http connections only?
http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7208.html?sr=38375186 -> first part and recommendations at the end
- ciscoarc
Nimbostratus
No idea actually. Thus asking for confirmation here. If it only applies for HTTP connections, then I can't use it..