Multiple TCP Retransmission and Out-of-order packets with SNAT disabled

Question

I have a unique setup that requires SSL VPN users to get an ip from a pool based on an Active Directory membership. This IP pool then has various firewall rules it is assigned to on a Checkpoint firewall. Users are complaining of slow speed, and after setting up an IP forwarding VS I'm seeing better speeds, but am still seeing a tcp retransmit or out-of-order packet for every packet going through the VS.

utahman3431_307 · Answer

Here's the setup I have.  There's 3 virtual servers involved.  The first server is the new IP Forwarding server F5 helped me setup.  The second server is the one that forwards http traffic to our https VS.  the third VS is the one that handles the rest of the connection.&nbsp;
I was thrown into this project with no F5 knowledge, so please excuse my ignorance if I have this setup completely incorrect. &nbsp;
&nbsp;
I tried adding this code in separately, but F5 was marking is as spam for some reason...&nbsp;
Here's a snapshot of what I'm seeing on my packet captures:&nbsp;
&nbsp;
I've been working with F5 support on this, and they were the ones that got me to setup the IP forwarding server, but unfortunately I cannot use SNAT.  It won't allow our firewall rules to be processed correctly.  Here's a quick look at what the packet capture to the same site looks like with SNAT enabled:&nbsp;
&nbsp;
Does anyone have an idea of what could be going on?&nbsp;

Forum Discussion

Multiple TCP Retransmission and Out-of-order packets with SNAT disabled

1 Reply

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

Using n8n To Orchestrate Multiple Agents

TCP Out-of-order, TCP Dup ACK, and TCP Retransmission packets are displayed.

How to allow F5 to do basic routing and allow out of order syn-acks

Double Trouble: Multiple Controllers Handling the Same Kubernetes LoadBalancer Service

Investigating the LTM TCP Profile: Max Syn Retransmissions & Idle Timeout

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS