06-Sep-2023 00:59
Hi Experts,
We are in this kind of situation wherein BIG-IP is keeping connections open for more than an hour. We found out the reason BIG-IP is behaving this way is that the server is continuously sending keep-alive packets to BIG-IP, and this is also the reason why the TCP timeout is not kicking in.
What we want to achieve here is to remove idle connections which don't transmit or send data for a period of time. Are there other timeouts we can utilize, like an SSL timeout, or any settings in the SSL or other profiles that can remove or check whether an existing connection is still in use or not?
Or maybe you know some iRule to use in this kind of situation.
06-Sep-2023 23:06
SSL termination is done by BIG-IP, the traffic is not HTTP, and that is why we are having a hard time monitoring the session for whether there is payload being sent since the start of the connection. So basically we just want to override the TCP idle timeout and flush connections that go beyond 30 mins since the start of the session.
07-Sep-2023 06:29
@Nath I haven't had the opportunity to do it, but you might be able to monitor the connection, and when the F5 sees the keepalive flag come across it can set a timer and then kill the connection after a certain time. I do not believe this is the best use of the F5 because it's unnecessary overhead and is better handled by the server, or you can just turn off keepalive if the majority of these connections are just sitting.
09-Sep-2023 21:01
Thanks Paulius, I think we will just blindly close the session after 30 mins using an iRule, since we observed that legit traffic with payload only lasts 4-5 seconds per transaction.
Hopefully this iRule helps/works on our PROD.
when CLIENT_ACCEPTED {
    # Close the connection 30 minutes (1800000 ms) after it was accepted,
    # regardless of the keepalive traffic that keeps resetting the TCP idle timeout.
    after 1800000 { TCP::close }
}
10-Sep-2023 21:15
@Nat24 The downside to arbitrarily closing TCP connections based on time open is that they could be legitimate connections that you're closing. If you know most users get what they need in 4-5 seconds per transaction, I would just turn off keepalive and then you won't have to deal with reaping connections at all.
13-Sep-2023 08:09
I don't know, but you want something that looks at throughput and possibly kills it when it slows down or stays the same, rather than just relying on time alone.
As @Paulius said, that could cause the users/clients issues upstream.
Is there anything the application could do?
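The thread compares three ways of deciding which connections to reap: the TCP profile idle timeout (which the server's keepalive probes keep resetting), the 30-minute absolute cutoff in Nat24's iRule (which also closes connections still moving data, as Paulius warns), and a throughput-based check as the last reply suggests. The following Python model, added here as an illustration and not code from the thread or from F5, runs each policy over constructed connection records so the difference is visible; the connection names, segment timings and byte counts are made up, and the functions model policy decisions rather than BIG-IP internals.

```python
"""Connection-reaping policies run over constructed per-connection activity records."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Segment:
    t: float          # seconds since the connection was accepted
    payload: int      # application bytes carried (0 for a bare keepalive probe)
    keepalive: bool   # True if this segment was a TCP keepalive probe


@dataclass(frozen=True)
class Connection:
    name: str
    segments: List[Segment]


def last_activity(conn: Connection, count_keepalives: bool) -> float:
    """Timestamp of the last segment the policy treats as activity."""
    last = 0.0
    for seg in conn.segments:
        if seg.payload > 0 or (seg.keepalive and count_keepalives):
            last = seg.t
    return last


def tcp_idle_expired(conn: Connection, timeout: float, now: float) -> bool:
    """TCP profile idle timeout: any segment, keepalive probes included, resets it.
    This is why the server-side keepalives in the thread keep connections alive."""
    return now - last_activity(conn, count_keepalives=True) >= timeout


def payload_idle_expired(conn: Connection, timeout: float, now: float) -> bool:
    """Idle timeout measured on application payload only; keepalive probes do not count."""
    return now - last_activity(conn, count_keepalives=False) >= timeout


def absolute_age_expired(conn: Connection, max_age: float, now: float) -> bool:
    """The iRule approach: close every connection once it has been open max_age seconds,
    regardless of activity. Note it also catches connections still moving data."""
    return now >= max_age


def throughput_stalled(conn: Connection, window: float, min_bytes: int, now: float) -> bool:
    """Throughput check: reap when fewer than min_bytes of payload moved in the trailing window."""
    moved = sum(s.payload for s in conn.segments if now - window < s.t <= now)
    return moved < min_bytes


def reap(conns: List[Connection], policy: Callable[[Connection], bool]) -> List[str]:
    """Names of the connections a policy would close, in list order."""
    return [c.name for c in conns if policy(c)]


# Constructed sample connections, all observed 3600 s after they were accepted.
NOW = 3600.0
CONNS = [
    # still transferring real data every 30 s
    Connection("chatty", [Segment(t, 1200, False) for t in range(0, 3601, 30)]),
    # one real transaction at the start, then only server keepalive probes every 60 s
    Connection("keepalive_only",
               [Segment(2, 800, False)] + [Segment(t, 0, True) for t in range(60, 3601, 60)]),
    # one transaction, then nothing at all
    Connection("silent", [Segment(2, 800, False)]),
]

if __name__ == "__main__":
    print("TCP idle timeout 300 s    :", reap(CONNS, lambda c: tcp_idle_expired(c, 300, NOW)))
    print("payload idle 300 s        :", reap(CONNS, lambda c: payload_idle_expired(c, 300, NOW)))
    print("absolute age 1800 s       :", reap(CONNS, lambda c: absolute_age_expired(c, 1800, NOW)))
    print("throughput < 1 B in 300 s :", reap(CONNS, lambda c: throughput_stalled(c, 300, 1, NOW)))
```

Running it shows the TCP idle timeout reaping only the fully silent connection, because the keepalive-only connection keeps resetting it; the payload-based and throughput-based policies catch the keepalive-only connection while leaving the one still moving data alone; and the absolute 30-minute cutoff closes all three, including the active one.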