Hello community! I'm qualifying an LTM (VE) 11.2.0 for web loadbalancing, and trying to find a solution for this case: Real web server force connection to close for each call to a very common ressource (because it's does not send Content-Length header, neither chunked, I cannot change this). Is there a way to keep connection alive on the client side, and ask to the device to handle this case ? I also try to force the rechunk, but the connection is also closed. I can passthrough this issue but using http compression for example, but it is not what I'm looking for... I will be happy if someone can help to find a solution for this case. Thanks

have you used oneconnect profile?

Yes I'm using a OneConnect profile (I've also tried disabling OneConnect...)

is connection forced to close by connection close http header from server? if so, doesn't oneconnect profile help? or did i misunderstand? no oneconnect [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 profiles { http {} tcp {} } } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } connection 1 is client-side (between client and bigip) and connection 2 is server-side (between bigip and server) [root@ve10:Active] config ssldump -Aed -nni 0.0 port 80 New TCP connection 1: 172.28.19.251(45893) <-> 172.28.19.79(80) 1346681560.3245 (0.0009) C>S --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* --------------------------------------------------------------- New TCP connection 2: 200.200.200.10(45893) <-> 200.200.200.101(80) 1346681560.3265 (0.0009) C>S --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* --------------------------------------------------------------- 1346681560.3275 (0.0010) S>C --------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 03 Sep 2012 14:27:29 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Connection: close Content-Type: text/html; charset=UTF-8 --------------------------------------------------------------- 1346681560.3275 (0.0030) S>C --------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 03 Sep 2012 14:27:29 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Connection: close Content-Type: text/html; charset=UTF-8 --------------------------------------------------------------- when no connection, FIN is sent from server (in server-side) to client (in client-side) 2 1346681560.3275 (0.0000) S>C TCP FIN 1 1346681560.3275 (0.0000) S>C TCP FIN 1 1346681560.3285 (0.0010) C>S TCP FIN 2 1346681560.3286 (0.0010) C>S TCP FIN

with oneconnect [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 profiles { http {} oneconnect {} tcp {} } } [root@ve10:Active] config ssldump -Aed -nni 0.0 port 80 New TCP connection 1: 172.28.19.251(45894) <-> 172.28.19.79(80) 1346681818.7056 (0.0011) C>S --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* --------------------------------------------------------------- New TCP connection 2: 200.200.200.10(45894) <-> 200.200.200.101(80) 1346681818.7067 (0.0010) C>S --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* --------------------------------------------------------------- 1346681818.7075 (0.0007) S>C --------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 03 Sep 2012 14:31:48 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Connection: close Content-Type: text/html; charset=UTF-8 --------------------------------------------------------------- 1346681818.7075 (0.0019) S>C --------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 03 Sep 2012 14:31:48 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 X-Cnection: close Content-Type: text/html; charset=UTF-8 --------------------------------------------------------------- with oneconnect, fin in server-side is not sent to client-side 2 1346681818.7075 (0.0000) C>S TCP FIN 2 1346681818.7075 (0.0000) S>C TCP FIN 1 1346681818.7086 (0.0011) C>S TCP FIN 1 1346681818.7086 (0.0000) S>C TCP FIN

Here is my settings: root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos) show running-config ltm virtual ltm virtual MYVIRTUAL { destination 192.168.0.85:http ip-protocol tcp mask 255.255.255.255 pool MYPOOL1 profiles { http { } oneconnect { } tcp { } } snat automap source-port change translate-port disabled vlans-disabled } root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos) show running-config ltm pool ltm pool MYPOOL1 { allow-nat no members { SERV1:http { address 192.168.0.105 session monitor-enabled state up } } monitor http_xxxx } [root@bigip1:Active:Standalone] config ssldump -Aed -nni 0.0 port 80 New TCP connection 1: 192.168.90.124(42062) <-> 192.168.0.85(80) 1346687504.8171 (0.1332) C>S --------------------------------------------------------------- GET / HTTP/1.1 User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6 Host: www.testdomain.com Accept: */* Connection: keep-alive --------------------------------------------------------------- New TCP connection 2: 192.168.0.83(6369) <-> 192.168.0.105(80) 1346687504.8183 (0.0011) C>S --------------------------------------------------------------- GET / HTTP/1.1 User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6 Host: www.testdomain.com Accept: */* Connection: keep-alive X-Forwarded-For: 192.168.90.124 --------------------------------------------------------------- 1346687504.8257 (0.0074) S>C --------------------------------------------------------------- HTTP/1.1 302 Moved Temporarily Connection: close Date: Mon, 03 Sep 2012 15:51:45 GMT Server: Microsoft-IIS/6.0 Set-Cookie: CFID=26750906;expires=Wed, 03-Oct-2012 15:51:45 GMT;path=/ Set-Cookie: CFTOKEN=65834896;expires=Wed, 03-Oct-2012 15:51:45 GMT;path=/ location: /infos/index.cfm Content-Type: text/html; charset=UTF-8 --------------------------------------------------------------- 2 1346687504.8258 (0.0000) S>C TCP FIN 1346687504.8258 (0.0087) S>C --------------------------------------------------------------- HTTP/1.1 302 Moved Temporarily Connection: close Date: Mon, 03 Sep 2012 15:51:45 GMT Server: Microsoft-IIS/6.0 Set-Cookie: CFID=26750906;expires=Wed, 03-Oct-2012 15:51:45 GMT;path=/ Set-Cookie: CFTOKEN=65834896;expires=Wed, 03-Oct-2012 15:51:45 GMT;path=/ location: /infos/index.cfm Content-Type: text/html; charset=UTF-8 --------------------------------------------------------------- 1 1346687504.8258 (0.0000) S>C TCP FIN 1 1346687504.9656 (0.1398) C>S TCP FIN 2 1346687504.9657 (0.1399) C>S TCP FIN Server close connection first...

F5 LTM (VE) - KeepAlive even if real server close connection

16 Replies

Thomas_Schocka1
Altocumulus
Sep 04, 2012
Erlo,

FYI:

I posted at 05 - right before you just did - when you posted at 06, so you might have missed it if you don't have notifications active.
fabianlumy
Nimbostratus
Sep 04, 2012
@Thomas Schockaert: thanks for your answer. Actually, since the F5 doesn't fill a "Content-Length" header, there is no other possibility than closing the connection, since the client consider the content of the response until the end of connection. In the traces I've included, the "tcp end" to the final client first come from F5.

I think that playing with iRule won't give my a workarround for this case ?

nitass

Employee

Sep 04, 2012

i agree with you that the problem is from missing content-length header. can you try something like this?

what i want to do is to use vip targeted vip. the front one uses oneconnect profile and call the back one. the back vip uses stream profile with dummy source/target and load balance traffic to pool. the stream profile will force bigip to add content-length header in response.

e.g.

[root@ve10:Active] config  b virtual front list
virtual front {
   snat automap
   destination 172.28.19.79:80
   ip protocol 6
   rules frontrule
   profiles {
      http {}
      oneconnect {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule frontrule list
rule frontrule {
   when CLIENT_ACCEPTED {
        virtual back
}
}
[root@ve10:Active] config  b virtual back list
virtual back {
   snat automap
   pool foo
   destination 1.1.1.1:80
   ip protocol 6
   profiles {
      http {}
      mystream {}
      tcp {}
   }
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config  b profile mystream list
profile stream mystream {
   defaults from stream
   source "aaa"
   target "bbb"
}

nitass

Employee

Sep 04, 2012

this is tcpdump.

[root@ve10:Active] config  ssldump -Aed -nni 0.0 port 80
New TCP connection 1: 172.28.19.251(46046) <-> 172.28.19.79(80)
1346770377.3176 (0.0011)  C>S
---------------------------------------------------------------
GET / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
Connection: keep-alive

---------------------------------------------------------------

New TCP connection 2: 172.28.19.251(46046) <-> 1.1.1.1(80)
1346770377.3177 (0.0000)  C>S
---------------------------------------------------------------
GET / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
Connection: keep-alive

---------------------------------------------------------------

New TCP connection 3: 200.200.200.10(46046) <-> 200.200.200.101(80)
1346770377.3185 (0.0007)  C>S
---------------------------------------------------------------
GET / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
Connection: keep-alive

---------------------------------------------------------------

1346770377.3197 (0.0011)  S>C
---------------------------------------------------------------
HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Sep 2012 06:59:04 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26760493;expires=Thu, 04-Oct-2012 06:59:04 GMT;path=/
Set-Cookie: CFTOKEN=85662049;expires=Thu, 04-Oct-2012 06:59:04 GMT;path=/
Content-Type: text/html; charset=UTF-8

---------------------------------------------------------------

3    1346770377.3197 (0.0000)  S>C  TCP FIN
1346770377.3197 (0.0020)  S>C
---------------------------------------------------------------
HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Sep 2012 06:59:04 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26760493;expires=Thu, 04-Oct-2012 06:59:04 GMT;path=/
Set-Cookie: CFTOKEN=85662049;expires=Thu, 04-Oct-2012 06:59:04 GMT;path=/
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

0

---------------------------------------------------------------

2    1346770377.3197 (0.0000)  S>C  TCP FIN
1346770377.3198 (0.0021)  S>C
---------------------------------------------------------------
HTTP/1.1 200 OK
X-Cnection: close
Date: Tue, 04 Sep 2012 06:59:04 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26760493;expires=Thu, 04-Oct-2012 06:59:04 GMT;path=/
Set-Cookie: CFTOKEN=85662049;expires=Thu, 04-Oct-2012 06:59:04 GMT;path=/
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

0

---------------------------------------------------------------

2    1346770377.3198 (0.0000)  C>S  TCP FIN
3    1346770377.3198 (0.0000)  C>S  TCP FIN
1    1346770377.3215 (0.0017)  C>S  TCP FIN
1    1346770377.3215 (0.0000)  S>C  TCP FIN

fabianlumy
Nimbostratus
Sep 12, 2012
@nitass:

I've tested your example with the virtual back, and big thanks, it works as expected :o)

Thank you !
TMAdmin
Nimbostratus
Mar 23, 2018
Hi,

I have a very similar (if not identical) situation and would like to try this solution too.

As Erlo stated, he managed to get this to work.

Erlo, will you be so kind to put your HTTP::Response iRule which replaced the "Connection: Close" into "Connection: Keep-Alive"?

Also, will this iRule be applied on the Front VIP or on the Back end VIP?

Forum Discussion

F5 LTM (VE) - KeepAlive even if real server close connection

16 Replies

Recent Discussions

Provisioning r2600 equipment

Block CBC

active/active Support Declarative Onboarding

Error while running ansible

URL

Related Content

pool members can't connect to another Virtual Server

After applied ASM Policy to Virtual Server, connections will reset with Internal error in log

F5 Distributed Cloud Origin Server Subset Rules

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

Virtual server connection limit with HTTP response