Forum Discussion

Valentine_96813
Aug 01, 2011

Randomized Ports

I have been working on an issue with a client regarding a high number of reported errors connecting to a production pool. After several monitors and lots of trial and error, we discovered that it was related to the source port setting in the VS. We had ours set to change and not preserve. It seems that F5 will time out a used port and reuse it much faster than a Windows server. This was causing the Windows server to drop the connection and, of course, not log that it did so.

My question is this: Is there a way to change the F5 timeout to match Microsoft's?

3 Replies

  • Which LTM version are you running? What are you actually seeing in the tcpdumps? Are you using SNAT automap or a SNAT pool? If a SNAT pool, is it shared across multiple VIPs with the same server pools?

    Aaron
  • That behavior does not make much sense. When your source port setting is set to change, we will potentially change the source port - but when the connection is finished, it should be properly torn down between LTM and the CAS server.... Like Hoolio said, it would be helpful to know the versions of F5 gear and Windows systems in use - but it sounds like a collision with TIME_WAIT state on the servers... This SOL has more info on the best settings to accommodate for it - unfortunately, no matter what we do with our proxy settings, we can't control how long the server will keep the closed TCP connection in the TIME_WAIT state, and if you have a lot of traffic and port reuse, you could have collisions - so in SNAT situations, it's best to set it to Change for both Virtual and SNAT - is that what your current settings are?
  • We are using 3600 and 8900s running 10.1 HF2. We SNAT to a Server VLAN IP on a VS-by-VS basis. Basically, if a VS is a Prod or DEV VS it will be in the same FE VS range, but the SNAT for each would be different, given that the BE devices are on different networks. Each FE VS has its own corresponding unique SNAT, just like its listening IP.

    We found this issue primarily on our Windows boxes using sniffers and the NMAP command. What we would see is, from the SNAT address, a number of requests preserving the client ports. Using NMAP, we would see the number of open ports on the server. Occasionally, under load, we would see a request coming in to the server but no ACK. Using NMAP, we would see that that particular port would already be considered open, and the server would ignore the traffic and the user would receive a "page cannot be displayed" or "404". F5 support had us turn off Preserve ports and the problem went away.

    What I am looking for is some other way to address this problem that would allow me to turn that function back on.
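The collision the second reply describes (many clients funnelled through one SNAT address, so two clients that happen to use the same ephemeral port become the same 4-tuple at the server while it is still in TIME_WAIT) can be reproduced with a small model. This is an added illustration, not F5 or Microsoft code; the TIME_WAIT length, the port ranges and the SNAT address are constructed values, not measurements from the thread.

```python
import random

TIME_WAIT = 240.0                   # assumed server-side TIME_WAIT hold, seconds
SNAT_PORTS = range(49152, 65536)    # assumed ephemeral range used by "Change"


class Server:
    """Holds translated (ip, port) tuples from close until TIME_WAIT expires;
    a new SYN on a held tuple is ignored, which is what the thread observed."""
    def __init__(self, time_wait=TIME_WAIT):
        self.time_wait, self.held = time_wait, {}   # tuple -> expiry time

    def syn(self, src, now):
        self.held = {k: t for k, t in self.held.items() if t > now}  # purge
        return src not in self.held                 # True means accepted

    def close(self, src, now):
        self.held[src] = now + self.time_wait


class Snat:
    """One SNAT address; "preserve" keeps the client's port, "change" walks
    the ephemeral range so a port is reused only after the range wraps."""
    def __init__(self, ip, policy):
        self.ip, self.policy, self.next = ip, policy, SNAT_PORTS.start

    def translate(self, client_port):
        if self.policy == "preserve":
            return (self.ip, client_port)
        port, self.next = self.next, self.next + 1
        if self.next >= SNAT_PORTS.stop:
            self.next = SNAT_PORTS.start
        return (self.ip, port)


def simulate(policy, n_conns=2000, client_ports=range(49152, 49252),
             conn_life=1.0, interval=0.1, seed=1):
    """Return how many SYNs the server ignored. Clients each pick an ephemeral
    port from client_ports (a constructed, deliberately small range); the
    client IP is irrelevant because SNAT replaces it with one address."""
    rng, server, snat = random.Random(seed), Server(), Snat("10.0.0.10", policy)
    collisions, now = 0, 0.0
    for _ in range(n_conns):
        src = snat.translate(rng.choice(client_ports))
        if server.syn(src, now):
            server.close(src, now + conn_life)   # held while open, then TIME_WAIT
        else:
            collisions += 1
        now += interval
    return collisions


if __name__ == "__main__":
    for policy in ("preserve", "change"):
        print(f"{policy:9s} -> {simulate(policy)} ignored SYNs")
```

Widening `client_ports` reduces the "preserve" collisions but does not remove them, which is why the reply recommends "Change" on both the virtual server and the SNAT when many clients share one SNAT address.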