LTM :: Zero Window Server Side :: TCP Profiles
We have a virtual server setup for our receiving mail system, and it has been configured as-is for quite some time (measured in years). Never before has an issue arisen, but recently a particular client has been having problems sending attachments to us (and as far as we are aware, ONLY that client). What they claim to see is that the connection is terminated. Normal email works fine. Small file attachments work fine. However when they send us attachments that are Mb in size, the connection will not be successful. On our side, we see the window size slowly creep down until it hits zero. The BIG-IP probes the mail system, the mail system acks the probe, but keeps the window size at zero. It does this until the zero window timeout is reached on the BIG-IP and the connection is terminated by the BIG-IP (TCP RST). This is what the window decrease looks like on the client side (tcp.stream eq 3 and ip.src eq [the mail system]): This is what the window decrease looks like on the server side (tcp.stream eq 2 and ip.src eq [the VIP]): Client side end of the connection: Server side end of the connection: My impression initially was that this is not a BIG-IP problem... but when we remove the BIG-IP from the path, the connection works fine regardless of attachment size. Again, works fine for everyone else as far as we know regardless of if the BIG-IP is in the path... which is perplexing. Things I've tried: * Switching-out TCP profiles (lan optimized, wan optimized, client and server matching and different in combinations of the above). Now on mptcp-mobile-optimized with defaults. * Moving TLS off of the F5 * Resetting TLS profile to defaults * Different mail systems (of same type/configuration) Current configuration: * VIP on port 25 * TCP profile with mptcp-mobile-optimized w/defaults * SSL Profile (defaults w/cert, optional SSL, allowed cipher suites) * SMTPS Profile (allows TLS) * Pool w/single mail system * iRule w/VIP bounceback * Source IP Persistence VIP bounceback iRule: when LB_SELECTED { if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} { snat automap } else { snat none } } Any ideas/thoughts/suggestions all welcome. Thanks for taking the time.
Failed to connect Edge client
Dears, We are having problems during the first connection of the VPN (Edge Client) to the APM, we notice that whenever communication fails during the download of files, TCPDUMP displays to TCP Zero Window Reset in a connection between two internal IPs of BigiP. The following is an excerpt from tcpdump with failure: 16:12:45.141945 IP 127.1.1.1.54395 > 127.0.0.1.8888: Flags [R.], seq 303, ack 409516, win 0, length 0 out slot1/tmm0 lis=_tmm_apm_portal_cache_vip flowtype=135 flowid=5700014DAA00 peerid=5700014D1600 conflags=24800024 inslot=1 inport=1 haunit=0 priority=3 rst_cause="[0x23d7a0a:9397] {peer} TCP zero window timeout" peerremote=00000000:00000000:0000FFFF:0AFA2DA4 peerlocal=00000000:00000000:0000FFFF:7F010101 remoteport=54395 localport=8080 proto=6 vlan=0 16:12:45.142000 IP 127.1.1.1.8080 > 10.250.45.164.54395: Flags [R.], seq 346516, ack 303, win 0, length 0 out slot1/tmm0 lis=_tmm_apm_portal_cache_vip flowtype=71 flowid=5700014D1600 peerid=0 conflags=84800024 inslot=1 inport=1 haunit=0 priority=3 rst_cause="[0x23d7a0a:9397] TCP zero window timeout" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0 16:12:45.142002 IP 127.1.1.1.8080 > 10.250.45.164.54395: Flags [R.], seq 346516, ack 303, win 0, length 0 in slot1/tmm0 lis=/Common/CS_EBT_VS_APM_ENDPOINT flowtype=128 flowid=5700014D4300 peerid=5700014D9C00 conflags=84000C24 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:0000FFFF:0AFA2DA4 peerlocal=00000000:00000000:0000FFFF:0A62CA46 remoteport=54395 localport=443 proto=6 vlan=1409 16:12:45.142079 IP 10.98.202.70.443 > 10.250.45.164.54395: Flags [R.], seq 140633, ack 787, win 0, length 0 out slot1/tmm0 lis=/Common/CS_EBT_VS_APM_ENDPOINT flowtype=64 flowid=5700014D9C00 peerid=0 conflags=100200004020224 inslot=1 inport=1 haunit=1 priority=3 rst_cause="[0x23d7a0a:2358] {peer} TCP RST from remote system" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0 I create a custom tcp profile and adjust the "Zero Window Timeout" and "Receive Window" to mitigate the initial download, however, the problem continues ocorring. To do other tests I did a simple configuration in APM, only with LOGON <-> Webtop <-> Network Access <-> ACL (allow all) <-> DHCP. I did the different station tests and the problem persists. tcpdump section of the simple access profile. 23:21:25.800301 IP 10.98.202.150.443 > 10.254.18.236.51786: Flags [P.], seq 306318:307578, ack 647, win 1106, length 1260 out slot1/tmm0 lis=/Common/CS_VVO_VS_APM_ENDPOINT flowtype=64 flowid=5700014E2600 peerid=5700014E5D00 conflags=100200000020224 inslot=3 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:0000FFFF:7F010101 peerlocal=00000000:00000000:0000FFFF:0AFE12EC remoteport=8080 localport=51786 proto=6 vlan=0 23:21:25.816092 IP 127.1.1.1.8080 > 10.254.18.236.51786: Flags [R.], seq 572056, ack 299, win 0, length 0 out slot1/tmm0 lis=_tmm_apm_portal_cache_vip flowtype=71 flowid=5700014E6700 peerid=0 conflags=80800024 inslot=1 inport=1 haunit=0 priority=3 rst_cause="[0x23d7a0a:9397] TCP zero window timeout" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0 23:21:25.816093 IP 127.1.1.1.8080 > 10.254.18.236.51786: Flags [R.], seq 572056, ack 299, win 0, length 0 in slot1/tmm0 lis=/Common/CS_VVO_VS_APM_ENDPOINT flowtype=128 flowid=5700014E5D00 peerid=5700014E2600 conflags=80000C24 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:0000FFFF:0AFE12EC peerlocal=00000000:00000000:0000FFFF:0A62CA96 remoteport=51786 localport=443 proto=6 vlan=1414 23:21:25.816162 IP 10.98.202.150.443 > 10.254.18.236.51786: Flags [R.], seq 307578, ack 647, win 0, length 0 out slot1/tmm0 lis=/Common/CS_VVO_VS_APM_ENDPOINT flowtype=64 flowid=5700014E2600 peerid=0 conflags=100200000020224 inslot=1 inport=1 haunit=1 priority=3 rst_cause="[0x23d7a0a:2358] {peer} TCP RST from remote system" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0 Any idea how to solve this? Thanks Adriano
