Got a proposal from one of our devs this AM, who wants to set up the following scenario on an LTM. He proposes a group of clients, all trying almost constantly to connect with a VIP. The VIP allows only one connection to be established at a time, holding it until a client closes the connection or 30sec, whichever comes first. There's no data being sent over this connection, it's essentially being used as a token or signal flag (all the clients that can't get a connection freeze a parallel-processed internal task of some kind until they do make one). He sees this as the fastest way for the parallel process to communicate. Seems fairly straightforward with Connection Limiting and a single box in a pool for the connections to go to. My question is whether there's any way for the LTM itself to hold that connection open for 30sec or until closed by the client, without requiring a server on the other side. I saw an old thread here about using OneConnect, but I don't think that's quite what I'm looking for. Or is it?

Hi Vince, That's an interesting scenerio. Have you looked at throttling http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPRequestThrottle.html http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_throttle_alternative.html http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=11484 I think from here you could Frankenstein together an iRule that will work for you. I hope this helps Bhattman

Thanks for the response - didn't think any kind of iRule fancy-dancing would be required just to allow a single connection at a time (or maybe the 30sec timeout is what raises that bar?). I'm just trying to find out if there's a way to do this solely on the LTM, with no server for the connection to actually go to.

Hi Vince, I think the part which will be difficult is the 30 second to kill a connection w/o using an iRule. Bhattman

Fair 'nuff. But what about the no-server part? Anyone?

The vip has a setting which allows you to enter the amount of connection allowed. Default is 0 which means no limit on connection. You can set that to 1 and that is pretty much the only connection it will at a time. Thanks Bhattman

Hold Connection / No Pool

15 Replies

L4L7_53191
Nimbostratus
Mar 17, 2010
Interesting. I don't expect that on a standard virtual server. Below I do a telnet to my virtual server (a standard HTTP virtual server on port 80). The source IP is 10.100.100.1 and dest is 10.100.100:80

10:34:42.137449 IP 10.100.100.1.4770 > 10.100.100.80.http: S 3192099991:3192099991(0) win 65535

10:34:42.137839 IP 10.100.100.80.http > 10.100.100.1.4770: S 3328880791:3328880791(0) ack 3192099992 win 4380

10:34:42.137898 IP 10.100.100.1.4770 > 10.100.100.80.http: . ack 1 win 65535

So the 3 way handshake is set up. I don't push any data and just let it sit there idle. It stays pinned up, and no RST occurs. 12 or so seconds later I quit my telnet session and we do a graceful close:

10:35:02.970000 IP 10.100.100.1.4770 > 10.100.100.80.http: F 1:1(0) ack 1 win 65535

10:35:02.971151 IP 10.100.100.80.http > 10.100.100.1.4770: . ack 2 win 4380

10:35:02.972023 IP 10.100.100.80.http > 10.100.100.1.4770: F 1:1(0) ack 2 win 4380

10:35:02.972196 IP 10.100.100.1.4770 > 10.100.100.80.http: . ack 2 win 65535

In other words, assuming they're not sending data and you're using a standard tcp profile (I'd expect to see [PSH] in your capture, above) the connection shouldn't reset.

-Matt
spark_86682
Historic F5 Account
Mar 17, 2010
I set up a test VIP with the connection limited to one, and the dev who made the original request just got around to testing. Watching connections via Wireshark, it appears that the LTM is sending a RST almost immediately after finishing the three-way handshake, presumably because there's no pool behind the VIP. Any ideas on what we can do to prevent that?

The easiest thing you can do is add an HTTP profile. Long story short, the TCP profile doesn't wait for any data to tell the TCP proxy in the BIG-IP that a new connection has arrived, so it will try to load-balance it, which will fail (no pool) and reset the connection as you found. HTTP, on the other hand, will wait for an HTTP request before alerting the TCP proxy about a new connection. Since your clients aren't sending any data, it shouldn't hurt anything.
hooleylist
Cirrostratus
Mar 18, 2010
Thanks for clarifying Spark. I also remembered the behavior Matt had described--but I guess that's because I'm normally testing with HTTP VIPs.

Aaron
L4L7_53191
Nimbostratus
Mar 18, 2010
Sure enough. Good catch Spark, I was testing via the exact same method (with an HTTP VS). For posterity, here's the same routine with a vanilla tcp-profile only VS. As soon as the handshake is done the LTM sends a reset, as you describe:

03:22:55.971484 IP 10.100.100.1.gvcp > 10.100.100.2.distinct: S 3698065870:3698065870(0) win 65535

03:22:55.971485 IP 10.100.100.2.distinct > 10.100.100.1.gvcp: S 1871870510:1871870510(0) ack 3698065871 win 4380

03:22:55.971488 IP 10.100.100.1.gvcp > 10.100.100.2.distinct: . ack 1 win 65535

03:22:55.972470 IP 10.100.100.2.distinct > 10.100.100.1.gvcp: R 1:1(0) ack 1 win 4380

-Matt
Vince_Beltz_959
Nimbostratus
Mar 22, 2010
Just wanted to say thanks - adding the HTTP profile is exactly the simple fix I needed, verified w/Wireshark working perfectly. My dev is (very) happy. :-)

Forum Discussion

Hold Connection / No Pool

15 Replies

Recent Discussions

Azure SAML - F5 APM

iRule resulting in too many redirects

ASM cookie, modifying "domain" field

URL

service profile HTTP in LTM v16.1?

Related Content

iRule redirect connection to pool on differente port

Current connections vs CLI show sys connections

SNMP Pools

Find connection attempts via source IP

have ssl and non ssl pools (or pool members) for a VS