Forum Discussion

CSA
Jun 08, 2010

TCP Window Full messages sent from BigIPs

Hi, I've a BigIP LTM 1500 cluster running 9.4.1 (I have the same problem with another cluster running 10.2.0 on 6800 HW). I have a firewall cluster in front of my BigIPs.

Here is the situation:

- a client (1.1.1.1) connects to a public IP address (2.2.2.2) defined on the firewall. Traffic is NATed to a private BigIP VIP 10.10.10.10. I have a pool defined for the virtual server listening to this address with two servers behind (web servers). The traffic coming to the BigIP is the following one.

PACKET 1
========
Source: 1.1.1.1 (public IP address)
Source port: 5555 (for example)
Destination: 10.10.10.10 (private IP address)
Destination port: 80 (http)

- everything works fine, meaning I don't have any complaints from users regarding the application itself
- *sometimes* (for some "PACKET 1"), I have this kind of logs (dropped) on the firewall:

PACKET 2
========
Source: 10.10.10.10 (same private IP address as above)
Source port: 80 (destination port is now source port)
Destination: 1.1.1.1 (public IP address issuing the request)
Destination port: 5555 (source port is now destination port)

In the network dump I did, I always saw 4 identical packets like "PACKET 2" every exactly 64 seconds. All of them are marked as "TCP Window Full" in my sniffer. The first is sent a couple of minutes after the initial http request "PACKET 1", usually between 1 and 3 minutes. I have the wan optimized tcp profile on the client side of my virtual server, and the lan optimized tcp profile on the server side.

Anyone know what could cause those packets to be sent? Could it be related to some tcp settings on the BigIPs (like Proxy buffer, MSS, or windows options)? Thanks!

3 Replies

  • CSA
    Same thing with better formatting...

    ===============================================================================================

    Hi, I've a BigIP LTM 1500 cluster running 9.4.1 (I have the same problem with another cluster running 10.2.0 on 6800 HW). I have a firewall cluster in front of my BigIPs.

    Here is the situation:

    - a client (1.1.1.1) connects to a public IP address (2.2.2.2) defined on the firewall.

    Traffic is NATed to a private BigIP VIP 10.10.10.10. I have a pool defined for the virtual server listening to this address with two servers behind (web servers).

    The traffic coming to the BigIP is the following one.

    PACKET 1
    ========
    Source: 1.1.1.1 (public IP address)
    Source port: 5555 (for example)
    Destination: 10.10.10.10 (private IP address)
    Destination port: 80 (http)

    - everything works fine, meaning I don't have any complaints from users regarding the application itself

    - *sometimes* (for some "PACKET 1"), I have this kind of logs (dropped) on the firewall:

    PACKET 2
    ========
    Source: 10.10.10.10 (same private IP address as above)
    Source port: 80 (destination port is now source port)
    Destination: 1.1.1.1 (public IP address issuing the request)
    Destination port: 5555 (source port is now destination port)

    In the network dump I did, I always saw 4 identical packets like "PACKET 2" every exactly 64 seconds. All of them are marked as "TCP Window Full" in my sniffer.

    The first is sent a couple of minutes after the initial http request "PACKET 1", usually between 1 and 3 minutes. I have the wan optimized tcp profile on the client side of my virtual server, and the lan optimized tcp profile on the server side.

    Anyone know what could cause those packets to be sent?

    Could it be related to some tcp settings on the BigIPs (like Proxy buffer, MSS, or windows options)?

    Thanks!
  • It may be related to TCP Window Scaling - some routers/firewalls/etc. can break connectivity for TCP sessions with window scaling enabled... usually old equipment or through misconfiguration.

    You could try disabling the WAN optimized profile on the F5 VIP (or set up a separate VIP for testing perhaps). Or if you have access to one of the clients which is not working, try disabling Window Scaling on that as a test.
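Two things in this thread can be checked mechanically from a capture: the symptom in the original post (the same segment re-sent unchanged at a fixed interval, here 4 copies 64 seconds apart) and the window-scaling mismatch the reply suspects (a middlebox rewriting the window-scale option on one SYN so the two peers apply different shifts to the same 16-bit window field). The script below is an added example written for this thread, not code from the poster or from F5; the packet list is constructed to mirror the addresses in the post and is not the poster's capture, and the middlebox behaviour it models (rewriting the client's scale to 0 while the BIG-IP still answers with scale 7) is one illustrative case of what the reply describes, not a claim about what the poster's firewall does.

```python
"""Check a capture for (a) segments re-sent unchanged at a constant period and
(b) the window-scale mismatch a middlebox can create. Added example; all packets
are constructed, not taken from the thread's capture."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Pkt:
    ts: float                      # seconds since capture start
    src: str                       # "ip:port"
    dst: str
    flags: str                     # "S", "SA", "A", "PA"
    seq: int
    ack: int
    window: int                    # raw 16-bit window field on the wire
    wscale: Optional[int] = None   # window-scale option (SYN / SYN-ACK only)
    payload: int = 0               # TCP payload length in bytes

Direction = Tuple[str, str]

def negotiate_scale(pkts: List[Pkt]) -> Dict[Direction, int]:
    """RFC 7323: scaling is in effect only if BOTH SYN and SYN-ACK carried the
    option, and the shift applied to a side's window field is the value that
    side put in its own SYN. Result is {(src, dst): shift} as computed by
    whoever observed exactly these packets."""
    syn = next(p for p in pkts if p.flags == "S")
    synack = next(p for p in pkts if p.flags == "SA")
    both = syn.wscale is not None and synack.wscale is not None
    return {
        (syn.src, syn.dst): syn.wscale if both else 0,
        (synack.src, synack.dst): synack.wscale if both else 0,
    }

def effective_window(p: Pkt, scales: Dict[Direction, int]) -> int:
    """Receive window in bytes, as a peer holding 'scales' interprets it.
    The window in a SYN/SYN-ACK is never scaled."""
    shift = 0 if "S" in p.flags else scales[(p.src, p.dst)]
    return p.window << shift

def rewrite_syn_wscale(pkts: List[Pkt], direction: Direction, new_value: int) -> List[Pkt]:
    """Model a middlebox that rewrites the window-scale option on the SYN
    travelling in 'direction'; the returned list is what the far side sees."""
    return [replace(p, wscale=new_value) if p.flags == "S" and (p.src, p.dst) == direction else p
            for p in pkts]

def window_mismatch(sender_view: List[Pkt], receiver_view: List[Pkt], advert: Pkt) -> Tuple[int, int]:
    """(bytes the advertiser meant, bytes the receiver reads) for one window
    advertisement, given each side's own view of the handshake."""
    meant = effective_window(advert, negotiate_scale(sender_view))
    read = effective_window(advert, negotiate_scale(receiver_view))
    return meant, read

def periodic_repeats(pkts: List[Pkt], min_repeats: int = 3, tol: float = 0.05):
    """Find segments (same src, dst, seq, ack, length) re-sent at a constant
    period. Only the trailing run of evenly spaced copies counts, so the original
    transmission may sit at any earlier time. Returns [(key, copies, period)]."""
    groups: Dict[Tuple, List[float]] = {}
    for p in pkts:
        if "S" in p.flags:
            continue
        groups.setdefault((p.src, p.dst, p.seq, p.ack, p.payload), []).append(p.ts)
    findings = []
    for key, ts in groups.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < min_repeats - 1:
            continue
        period = gaps[-1]
        run = 0
        for g in reversed(gaps):          # walk back while the spacing holds
            if abs(g - period) > tol * period:
                break
            run += 1
        if run + 1 >= min_repeats:
            findings.append((key, run + 1, round(period, 1)))
    return findings

# Constructed capture: client 1.1.1.1:5555 to the VIP 10.10.10.10:80 (addresses
# from the post; sequence numbers, windows and timings are made up).
C, S = "1.1.1.1:5555", "10.10.10.10:80"
CAPTURE: List[Pkt] = [
    Pkt(0.000, C, S, "S", 100, 0, 65535, wscale=7),
    Pkt(0.010, S, C, "SA", 500, 101, 4380, wscale=7),
    Pkt(0.020, C, S, "A", 101, 501, 229),
    Pkt(0.030, C, S, "PA", 101, 501, 229, payload=300),
    Pkt(0.200, S, C, "PA", 501, 401, 34, payload=1460),
    # the same server segment re-sent four times, exactly 64 s apart
    *[Pkt(90.0 + 64 * i, S, C, "PA", 501, 401, 34, payload=1460) for i in range(4)],
]

if __name__ == "__main__":
    clean = negotiate_scale(CAPTURE)
    tampered = rewrite_syn_wscale(CAPTURE, (C, S), 0)   # firewall zeroes the client's scale
    print("client ACK window meant/read, intact handshake:", window_mismatch(CAPTURE, CAPTURE, CAPTURE[2]))
    print("client ACK window meant/read, tampered SYN:    ", window_mismatch(CAPTURE, tampered, CAPTURE[2]))
    for key, copies, period in periodic_repeats(CAPTURE):
        print(f"{key[0]} -> {key[1]} seq={key[2]} len={key[4]}: {copies} copies every {period}s")
```

With the intact handshake the client's `229` means 229 << 7 = 29312 bytes on both sides; with the client's SYN rewritten to scale 0 the BIG-IP reads the same field as 229 bytes and will report the window as full after a single small send, which is the kind of discrepancy the reply's test (disable the WAN-optimized profile or window scaling on one client) is meant to expose. `periodic_repeats` is the check to run over the real capture: a trailing run of identical copies at a constant period, rather than the backoff a normal retransmission timer produces, is what the post describes.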