Thursday, 8 August 2019

F5 reset tshoot

The following are the most common causes of clients receiving a reset from F5:
1, After 5 retransmissions without an ACK, the connection times out and F5 sends a reset.
2, If F5 does not support any of the SSL versions/ciphers the client wants to use, F5 responds immediately with a TCP RST.
3, SSL handshake timeout, by default 10 seconds.
4, Application caused reset. The simplest case is when you close the socket and then write more data on the output stream. By closing the socket, you told your peer that you are done talking, and it can forget about your connection. When you send more data on that stream anyway, the peer rejects it with an RST to let you know it isn't listening.
5, One-arm scenario: the VIP needs SNAT configured in case the backend server's default gateway bypasses F5. In that case the F5 connection towards the backend server will time out, after which F5 will send a reset to the client side.
6, Following item 5, if automap is configured, the source is translated to the self IP on the egress interface heading toward the servers; if no self IP is configured on that VLAN on F5, F5 will send a reset packet.
7, The Server SSL profile Secure Renegotiation setting is set to Require or Require Strict, and the back-end SSL server lacks support for the Transport Layer Security (TLS) Renegotiation Indication Extension.
8, HTTP header size exceeded by the server. The default maximum allowed header size is 32768 bytes and can be adjusted in either the HTTP or FastHTTP profile.
9, HTTP header size exceeded by the client. The default maximum allowed header size is 32768 bytes and can be adjusted in either the HTTP or FastHTTP profile.
10, When an existing client-side connection has been detached from the server-side connection and reselects a new server, the BIG-IP system sends a TCP RST to the server to close the existing server-side connection. This behavior typically comes from using iRule commands such as LB::reselect.
11, No route to host.
12, The BIG-IP system responds with a reset when it receives a SYN under either of the following conditions:
  • A virtual server of type reject. When all pool members are unavailable due to being disabled, forced offline, or down, the BIG-IP RST behavior varies slightly depending on the virtual server type. If the virtual server references a TCP profile (Standard virtual server type), the system allows the three-way TCP handshake to complete before sending the TCP RST to the client. If the virtual server references a FastL4 profile, the system sends a TCP RST packet in response to a connection attempt. The TCP RST packet is sent on the client side of the connection, and the source IP address of the reset is the relevant virtual server IP address.
  • A port that is protected by the Port Lockdown settings on a self IP address
13, Source port preservation is configured as Preserve Strict.
This specifies that the system preserves the value configured for the source port. If the port is already in use by another connection, the system resets the client-side connection.
14, When you create a SNAT or NAT object using the Configuration utility, the default value for the VLAN / Tunnel Traffic setting is '* All', which specifies that the SNAT or NAT is enabled on all VLANs or tunnels on the system.
When you create a SNAT or NAT object using the tmsh utility, you must specify the vlans-disabled option and set the vlans option to none to enable the SNAT or NAT object on all VLANs or tunnels on the system.
ltm virtual test { destination 10.128.10.100:http disabled ip-protocol tcp mask 255.255.255.255 pool pool1 profiles { tcp { } } vlans-disabled }
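When troubleshooting, the first thing worth knowing is *when* the reset arrives: in answer to the SYN (the FastL4 reject behaviour in item 12, or a closed port) or only after the three-way handshake completed (the Standard virtual server behaviour in item 12, an application close in item 4, or the server-side timeout in item 5). The probe below is an added example, not part of the original post or any F5 tool; it classifies a TCP endpoint's reaction from the client side, and the two local helper servers are constructed stand-ins that reproduce the two reset timings on loopback so it can be run offline.

```python
import socket
import struct
import threading


def probe(host, port, timeout=3.0):
    """Classify how a TCP endpoint answers a connection attempt from this host.

    'rst_on_syn'          - RST answered the SYN (FastL4 reject, closed port)
    'rst_after_handshake' - handshake completed, then the peer sent RST
                            (Standard virtual with no available members,
                            application close, server-side timeout)
    'timeout'             - no SYN/ACK, or nothing after the handshake
    'ok'                  - handshake completed, peer sent data or a FIN
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return 'rst_on_syn'
    except socket.timeout:
        return 'timeout'
    try:
        s.recv(1)  # block until the peer's first action after the handshake
    except ConnectionResetError:
        return 'rst_after_handshake'
    except socket.timeout:
        return 'timeout'
    else:
        return 'ok'
    finally:
        s.close()


def closed_port():
    """Constructed: reserve a loopback port, release it, so nobody listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('127.0.0.1', 0))
    port = s.getsockname()[1]
    s.close()
    return port


def rst_after_accept_server():
    """Constructed: accept the handshake, then RST the client by closing with
    SO_LINGER {on, 0}. Mimics a Standard virtual whose pool is all down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
        conn.close()  # linger 0 makes the kernel send RST instead of FIN
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == '__main__':
    print(probe('127.0.0.1', closed_port()))              # rst_on_syn
    print(probe('127.0.0.1', rst_after_accept_server()))  # rst_after_handshake
```

Against a real VIP, combine the result with a capture on the BIG-IP so the reset's timing and source address can be matched to the causes above.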
