
How to allow F5 to do basic routing and allow out of order syn-acks

Sayali
Altocumulus

Hi,

I am pretty new to F5 load balancers, so this might be a very simple question.

I have the setup below:

Client ---> LB (VIP) ---> Servers.

  • I am not SNATing, so the LB retains the source IP when sending traffic to the servers.
  • But, to ensure that return traffic traverses the LB, I have added a static route on my servers (just for my client IP) to go via the LB's self IP (an IP in the subnet of my nodes/servers).

When I access the VIP with this setting, I am not able to load the page completely, which I believe might be something in our application.

But even if I access the node directly (with the static route on the servers), the LB seems to drop the return traffic. I see the SYN-ACKs being RST. (It does not see the SYNs because they probably follow a different path.)

I have a Forwarding (IP) virtual server (with FastL4) enabled on all VLANs for any source and any destination.

I am running version 15.1.0.

Verified that the F5 can ping the client IP and the back-end nodes, so it knows how to reach the client.

Any ideas why the F5 would block out-of-order SYN-ACKs? Is there any other obvious configuration that I missed?


1 ACCEPTED SOLUTION

PeteWhite
F5 Employee

Create a new FastL4 profile based on the default, called fastl4_loose, and select loose init and loose close. Disable reset on timeout. Apply it to your virtual server.

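As an added example (not part of the thread and not F5's own code), here is what the accepted answer looks like as iControl REST payloads, pushed over HTTPS with nothing but the Python standard library. The profile name fastl4_loose and the three settings (loose initiation, loose close, reset-on-timeout off) come from PeteWhite's reply; the virtual server name fwd_any_any, the BIGIP_* environment variables for host, credentials and CA bundle, and the helper functions are assumptions introduced here. The tmsh equivalents are given in the comments.

```python
"""Build, and optionally push, the FastL4 'loose' profile and the IP-forwarding
virtual server from the accepted answer, using iControl REST.

Assumptions (not from the thread): the management host, credentials and CA
bundle are read from BIGIP_HOST / BIGIP_USER / BIGIP_PASS / BIGIP_CA, and the
virtual server is named fwd_any_any.
"""
import base64
import json
import os
import ssl
import urllib.request

# Equivalent tmsh, for reference:
#   create ltm profile fastl4 fastl4_loose defaults-from fastL4 \
#       loose-initialization enabled loose-close enabled reset-on-timeout disabled
#   create ltm virtual fwd_any_any destination 0.0.0.0:any mask any ip-forward \
#       profiles replace-all-with { fastl4_loose } \
#       source-address-translation { type none } \
#       translate-address disabled translate-port disabled vlans-disabled


def fastl4_loose_profile(name="fastl4_loose", partition="Common"):
    """Payload for POST /mgmt/tm/ltm/profile/fastl4."""
    return {
        "name": name,
        "partition": partition,
        "defaultsFrom": f"/{partition}/fastL4",
        # Let a flow be created by a non-SYN segment, e.g. the SYN-ACK that
        # reaches the box on the asymmetric return path in the question.
        "looseInitialization": "enabled",
        # Tear the flow down when a FIN or RST is seen from one side only.
        "looseClose": "enabled",
        # Do not send RSTs to either end when an idle flow ages out.
        "resetOnTimeout": "disabled",
    }


def forwarding_virtual(name="fwd_any_any", profile="fastl4_loose", partition="Common"):
    """Payload for POST /mgmt/tm/ltm/virtual: a Forwarding (IP) virtual, any/any."""
    return {
        "name": name,
        "partition": partition,
        "destination": f"/{partition}/0.0.0.0:0",
        "mask": "any",
        "source": "0.0.0.0/0",
        "ipForward": True,
        "profiles": [{"name": profile, "partition": partition}],
        # No SNAT: the servers keep seeing the real client IP, as the OP requires.
        "sourceAddressTranslation": {"type": "none"},
        "translateAddress": "disabled",
        "translatePort": "disabled",
        # vlans-disabled with an empty VLAN list means "enabled on all VLANs".
        "vlansDisabled": True,
        "vlans": [],
    }


def basic_auth_header(user, password):
    """HTTP Basic Authorization header value for the iControl REST call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def apply(host, user, password, ca_bundle):
    """Push both objects over HTTPS with certificate verification.

    Never disable verification against a management interface; point ca_bundle
    at the CA that issued the BIG-IP's management certificate instead.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    base = f"https://{host}/mgmt/tm/ltm"
    headers = {"Content-Type": "application/json",
               "Authorization": basic_auth_header(user, password)}
    created = []
    for path, body in (("profile/fastl4", fastl4_loose_profile()),
                       ("virtual", forwarding_virtual())):
        req = urllib.request.Request(f"{base}/{path}", data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            created.append(json.load(resp)["fullPath"])
    return created


if __name__ == "__main__":
    # Network access happens only when run directly with the variables set.
    for p in apply(os.environ["BIGIP_HOST"], os.environ["BIGIP_USER"],
                   os.environ["BIGIP_PASS"],
                   os.environ.get("BIGIP_CA", "/etc/ssl/certs/ca-certificates.crt")):
        print("created", p)
```

Two practitioner notes on this. Loose initiation tells the BIG-IP to create a connection-table entry from any TCP segment, not just a SYN, so flows can exist on the box that never completed a handshake through it; keep this profile on the IP-forwarding virtual server only and leave the strict default FastL4 or TCP profiles on the application VIPs. After applying it, confirm the return traffic is actually being tracked rather than dropped with `tmsh show sys connection cs-client-addr <client IP>`, which should now list the flows the question's SYN-ACKs belong to.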

5 REPLIES

Pete, this seems to have worked. With a Forwarding-Rule virt along with the settings you specified, the LB no longer resets out-of-order SYN-ACKs.

Thanks a lot.

Great!

Charles_Lamb
Nimbostratus

You might also need an outbound SNAT configured to SNAT the traffic back to the VIP.

Sayali
Altocumulus

Yeah, unfortunately we have a requirement to not use SNATs and to retain the source IPs. But thanks for your help.