
LTM Websense loadbalancing VIP resets connection

The traffic flow for this connection is:

 

DMZ (on firewall) 10.0.0.0/24 range -> hits an IP 192.168.1.x -> SRC NAT (outgoing interface of the fw) and DST NAT (to VIP:8080) -> NO AUTO MAP, Persistence used -> Load balanced across Websense pool -> reply goes back the same interface of the fw which was used for the src NAT IP.

In the pcaps from LTM, the VIP resets the connection after a GET from the src NATTED IP. And the reset from the LTM only says "TCP retransmission timeout".

 

From reading this thread: https://devcentral.f5.com/questions/load-balancing-web-proxy-servers

 

It seems that the TCP profile's low timeout value could be an issue here, but I'm not sure, and I'm not sure how to test this.

 

On another note I feel the SRC NATTED address on the fw interface is exhausting its limit of 64k ports and hence the LTM is failing to respond in time.

 

What troubleshooting approach can I take from here? Just started with F5s.

 

Thanks.

 

1 ACCEPTED SOLUTION

The backend Websense node just didn't have a route back to the fw's NATted IP address, so it was never responding. Once that was added, the issue is solved now.

 


2 REPLIES

Simon_Blakely
F5 Employee

It sounds to me that you have an asymmetric traffic path with a virtual that expects traffic to return through the LTM.

 

If you want to use an asymmetric traffic path, you need to use n-Path routing, which requires a Performance Layer-4 virtual with a FastL4 profile implementing Loose Initiation/Loose Close.

 

Alternatively, to use a Standard virtual, traffic must return to the LTM by using a SNAT/SNAT Automap configuration.
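One way to test for the condition discussed in this thread, added here as an example that is not from any of the posters: summarise a capture taken on the LTM's server-side VLAN and flag pool members that never answer the LTM's SYNs. The addresses, the packet tuple format and the function names are assumptions, and the packet list is constructed sample data.

```python
from collections import defaultdict

# Constructed summary of a capture on the LTM's server-side VLAN:
# (seconds, source, destination, TCP flags). Every address is made up;
# 172.16.0.1 stands in for the firewall's source-NAT IP.
PACKETS = [
    (0.000, "172.16.0.1:40001", "10.10.10.11:8080", "S"),
    (0.001, "10.10.10.11:8080", "172.16.0.1:40001", "SA"),
    (0.002, "172.16.0.1:40001", "10.10.10.11:8080", "A"),
    (1.000, "172.16.0.1:40002", "10.10.10.12:8080", "S"),  # SYN retransmitted,
    (4.000, "172.16.0.1:40002", "10.10.10.12:8080", "S"),  # nothing comes back
    (10.00, "172.16.0.1:40002", "10.10.10.12:8080", "S"),
    (2.000, "172.16.0.1:40003", "10.10.10.13:8080", "S"),
    (2.001, "10.10.10.13:8080", "172.16.0.1:40003", "RA"),
]
POOL = {"10.10.10.11:8080", "10.10.10.12:8080", "10.10.10.13:8080"}


def classify_flows(packets, pool_members):
    """Return {(client, member): verdict} for every flow opened to a pool member."""
    syns = defaultdict(int)      # SYNs sent towards each member, per flow
    replies = defaultdict(set)   # flag combinations seen coming back, per flow
    for _, src, dst, flags in sorted(packets):
        if dst in pool_members and flags == "S":
            syns[(src, dst)] += 1
        elif src in pool_members:
            replies[(dst, src)].add(flags)
    verdicts = {}
    for flow, count in syns.items():
        seen = replies[flow]
        if "SA" in seen:
            verdicts[flow] = "handshake ok"
        elif any("R" in f for f in seen):
            verdicts[flow] = "member reset the connection"
        else:
            verdicts[flow] = f"no reply to {count} SYN(s)"
    return verdicts


def silent_members(packets, pool_members):
    """Pool members that were sent SYNs but whose replies never reached the LTM."""
    verdicts = classify_flows(packets, pool_members)
    return sorted({m for (_, m), v in verdicts.items() if v.startswith("no reply")})


if __name__ == "__main__":
    for flow, verdict in classify_flows(PACKETS, POOL).items():
        print(flow, "->", verdict)
    print("check return routing on:", silent_members(PACKETS, POOL))
```

A member reported as silent either has no route back to the source address it sees or is replying along a path that bypasses the LTM, so the next check is that node's routing table for the source-NAT address.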
