Forwarding TCP RST on VS with loose-init?

Question

OK. I think there's a change between 11.2.1 and 11.4.1 on forwarding of tcp resets for connections NOT in the connection table across a network VS...&nbsp;
Unfortunately, I don't have an 11.2.1 box handy to verify... But have discovered (After users reported issues following an upgrade from 11.2.1HF6 to 11.4.1HF2) that if a TCP connection is NOT in the connection table but the VS being uised has loose-init enabled, then the RST WILL NOT be forwarded to the destination.
Any other packet will hit the loose-init and be forwarded, causing the connection table entry to be added once more. But if the connection goes idle, and the remote end RESETS the tcp connection without a FIN/FIN-ACK/ACK sequence (Which appears to be the method for closing an idle connection to Win2008 LDAP) then the client never gets the reset... And so is left with a hanging tcp connection...&nbsp;
Anyone else seen this? And does anyone know if this was the same behaviour in 11.2.1HF6? &nbsp;
H&nbsp;

nitass · Answer

i do not have 11.2.1 and 11.4.1 but it seems it (reset) is forwarded in 10.2.4 but 11.5.0.
this is 10.2.4.
root@ve10(Active)(tmos) show sys version|grep -A 6 Main\ Package
Main Package
  Product  BIG-IP
  Version  10.2.4
  Build    817.0
  Edition  Hotfix HF7
  Date     Mon May 20 15:08:56 PDT 2013

root@ve10(Active)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination any:any
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    snat automap
    translate-address disabled
    translate-port disabled
}
root@ve10(Active)(tmos) list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    loose-initialization enabled
    reset-on-timeout disabled
}

root@ve10(Active)(tmos) show sys connection cs-server-port 80
Sys::Connections
Total records returned: 0

[root@ve10:Active] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:03:59.752471 IP 200.200.200.101.1579 &gt; 172.28.24.1.80: R 903943335:903943335(0) win 512 in slot1/tmm0 lis=
23:03:59.752550 IP 172.28.24.15.1579 &gt; 172.28.24.1.80: R 903943335:903943335(0) win 512 out slot1/tmm0 lis=fwd

nitass · Answer

and this is 11.5.0.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.5.0
  Build    0.0.221
  Edition  Final
  Date     Fri Jan 17 15:53:04 PST 2014

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 3
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    app-service none
    loose-initialization enabled
    reset-on-timeout disabled
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection cs-server-port 80
Sys::Connections
Total records returned: 0

[root@ve11a:Active:In Sync] log  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:24:32.651933 IP 200.200.200.101.2702 &gt; 172.28.24.1.80: R 218255140:218255140(0) win 512 in slot1/tmm0 lis=
07:24:33.651106 IP 200.200.200.101.2703 &gt; 172.28.24.1.80: R 2115481654:2115481654(0) win 512 in slot1/tmm1 lis=
07:24:34.653423 IP 200.200.200.101.2704 &gt; 172.28.24.1.80: R 839077725:839077725(0) win 512 in slot1/tmm0 lis=

hamish · Answer

Yeah... I wonder if it changed in 11.3 or 11.4...&nbsp;

nitass · Answer

i think 11.3.
[root@ve10:Active:Standalone] config  tmsh show sys version|grep -iA 6 main\ package
Main Package
  Product  BIG-IP
  Version  11.3.0
  Build    3144.0
  Edition  Hotfix HF8
  Date     Thu Oct  3 18:22:28 PDT 2013

[root@ve10:Active:Standalone] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:52:02.019072 IP 200.200.200.101.1126 &gt; 172.28.24.1.80: R 989778309:989778309(0) win 512 in slot1/tmm0 lis=
18:52:03.020870 IP 200.200.200.101.1127 &gt; 172.28.24.1.80: R 1181986956:1181986956(0) win 512 in slot1/tmm0 lis=
18:52:04.022056 IP 200.200.200.101.1128 &gt; 172.28.24.1.80: R 692961061:692961061(0) win 512 in slot1/tmm0 lis=

Forum Discussion

Forwarding TCP RST on VS with loose-init?

4 Replies

Recent Discussions

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Can iRule mask the payload content on event logs of security

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

F5Access | MacOS Sonoma

Related Content

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

X-Forwarded-For on L4 VS

F5 DNS Forwarding

TCP Option 28 X-Forwarded-For Header

Nodes forwarding