
Sayali
Mar 24, 2020
Solved

How to allow F5 to do basic routing and allow out-of-order SYN-ACKs

Hi,


I am pretty new to F5 Load balancers so this might be a very simple question.


I have below setup:


Client --- > LB (VIP) ---> Servers.

  • I am not SNATing so the LB retains source IP when sending traffic to the servers.
  • But, to ensure that return traffic traverses the LB, I have added a static route on my servers (just for my client IP) to go via the LB's interface self IP (an IP in the subnet of my nodes/servers).


When I access the VIP with this setting, I am not able to load the page completely, which I believe might be something in our application.


But even if I access the node directly (with the static route on the servers), the LB seems to drop the return traffic. I see SYN-ACKs being RST. (It does not see the SYNs because they probably follow a different path.)

I have a Forwarding IP virtual server (with FastL4) enabled on all VLANs for any source and any destination.

I am running version 15.1.0.

Verified that the F5 can ping the client IP and the back-end nodes, so it knows how to reach the client.


Any ideas why the F5 would block out-of-order SYN-ACKs? Is there any other obvious configuration that I missed?

5 Replies

  • Create a new FastL4 profile based on the default, called fastl4_loose, and select loose init and loose close. Disable reset on timeout. Apply it to your virtual server.

    • Sayali

      Pete, this seems to have worked. With a Forwarding-Rule virtual along with the settings you specified, the LB no longer resets out-of-order SYN-ACKs.

      Thanks a lot.
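The accepted answer above written out as tmsh commands, as an added example that is not part of the original thread or of F5's documentation. The object names (fastl4_loose, vs_forward_loose, vlan_client, vlan_server) and the addresses (the 10.0.0.0/8 client range, the 10.1.1.5 client used in the check) are assumptions chosen for illustration; only the three profile settings themselves (loose initialization, loose close, reset on timeout disabled) come from the answer. The virtual is a Forwarding (IP) virtual with no source address translation, matching the poster's requirement that the client IP be preserved.

```tmsh
# Added example, not from the thread. Object names and addresses are assumptions.

# 1. Loose FastL4 profile. loose-initialization lets the BIG-IP build a flow
#    for a packet that is not a SYN (here the server's SYN-ACK, because the
#    client's SYN took a path that bypassed the BIG-IP); loose-close does the
#    same for a FIN/ACK it did not see both sides of; reset-on-timeout disabled
#    stops the BIG-IP sending an RST when the idle timer expires.
create ltm profile fastl4 fastl4_loose defaults-from fastl4 loose-initialization enabled loose-close enabled reset-on-timeout disabled idle-timeout 300

# 2. Forwarding (IP) virtual. ip-forward disables address and port translation,
#    and source-address-translation type none keeps the client IP unchanged.
#    Scoping the source range and the VLANs keeps loose-init flow creation
#    limited to the asymmetric return path instead of any packet on any VLAN.
create ltm virtual vs_forward_loose destination 0.0.0.0:0 mask any source 10.0.0.0/8 ip-forward profiles add { fastl4_loose } source-address-translation { type none } vlans-enabled vlans add { vlan_client vlan_server }

save sys config

# 3. Checks: confirm the profile settings took, then, after a client at
#    10.1.1.5 (assumed address) has connected to a node directly, confirm a
#    connection-table entry exists for the server-to-client return flow
#    instead of an RST being sent.
list ltm profile fastl4 fastl4_loose
show sys connection cs-client-addr 10.1.1.5
```

The server-side piece is the static route the poster already described: on each node, a host route for the client address pointing at the BIG-IP's self IP on the server VLAN, so the SYN-ACK is handed to the BIG-IP rather than to the default gateway. Two caveats a practitioner would want: with loose initialization, the forwarding virtual will create a flow for any mid-stream packet it accepts, so the SYN-state check a strict FastL4 profile gives you is gone on that virtual, which is why the source range and VLAN list above are deliberately narrow; and if the forwarding virtual's VLAN list and source range do not cover the interface and address the servers route through, the SYN-ACKs will still be dropped regardless of the profile.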

  • You might also need an outbound SNAT configured to SNAT the traffic back to the VIP.

  • Yeah, unfortunately we have a requirement to not use SNATs and to retain the source IPs. But thanks for your help.