sporadic user authentication issues

Dominique Petitpierre Dominique.Petitpierre at unige.ch
Thu Feb 19 15:58:03 EST 2015


On 02/18/2015 02:24 AM, Rhian Resnick wrote:

> Check the tcp idle parameters in this document might help.
> http://markgamache.blogspot.com/2010/12/tuning-f5-big-ip-performance-to-ruin.html

In principle the issue mentioned in that document should not occur in
recent versions of F5 BIG-IP LTM if the virtual server's "Source Port"
parameter is not set to "Preserve Strict".

For LTM version 11.5.0 and higher you might be affected by this
vicious "bug":

In our case it caused health monitors to fail sporadically and mark
"down" pool members for a very short time, then service failover to
another node would break the current TCP sessions, which might go
unnoticed for some time by waiting clients.
A clue is unexplained monitor quick "down"/"up" events in F5's /var/log/ltm,
and also SYN->, SYN/ACK<-, RST/ACK-> sequences in packet traces when
the TCP port is 54321.
(If they had chosen another more inconspicuous TCP port number than
54321 I might not have been intrigued and could be still searching for
the sporadic connection reset cause ...)

Mr Dominique Petitpierre, user=Dominique.Petitpierre domain=unige.ch
IT Division, University of Geneva, Switzerland
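
Added example, not part of the original message: a small Python filter that scans `tcpdump -n` text output for the SYN->, SYN/ACK<-, RST/ACK-> sequence on TCP port 54321 described above. The sample lines, addresses and the function name are constructed for illustration, and the check accepts port 54321 on either end because the message does not say which side uses it.

```python
import re
from collections import defaultdict

# tcpdump -n text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
PORT = 54321  # port named in the message

# Constructed sample trace (documentation addresses), not captured traffic.
SAMPLE = """\
15:58:01.000100 IP 192.0.2.10.54321 > 192.0.2.20.389: Flags [S], seq 100, win 4380, length 0
15:58:01.000400 IP 192.0.2.20.389 > 192.0.2.10.54321: Flags [S.], seq 900, ack 101, win 14600, length 0
15:58:01.000600 IP 192.0.2.10.54321 > 192.0.2.20.389: Flags [R.], seq 101, ack 901, win 0, length 0
15:58:02.000100 IP 192.0.2.10.40112 > 192.0.2.20.389: Flags [S], seq 200, win 4380, length 0
15:58:02.000300 IP 192.0.2.20.389 > 192.0.2.10.40112: Flags [S.], seq 950, ack 201, win 14600, length 0
15:58:02.000500 IP 192.0.2.10.40112 > 192.0.2.20.389: Flags [R.], seq 201, ack 951, win 0, length 0
15:58:03.000100 IP 192.0.2.11.54321 > 192.0.2.20.389: Flags [S], seq 300, win 4380, length 0
15:58:03.000300 IP 192.0.2.20.389 > 192.0.2.11.54321: Flags [S.], seq 990, ack 301, win 14600, length 0
15:58:03.000500 IP 192.0.2.11.54321 > 192.0.2.20.389: Flags [.], ack 991, win 4380, length 0
""".splitlines()

def find_reset_handshakes(lines, port=PORT):
    """Return (time of RST, initiator, responder) for each flow on `port`
    whose packets show SYN ->, SYN/ACK <-, RST/ACK -> in that order."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparsed line
        ts, src, sport, dst, dport, flags = m.groups()
        a, b = (src, int(sport)), (dst, int(dport))
        if port in (a[1], b[1]):
            flows[frozenset((a, b))].append((ts, a, b, flags))
    hits = []
    for pkts in flows.values():
        step, initiator = 0, None
        for ts, a, b, flags in pkts:
            if flags == "S":                    # SYN: start of an attempt
                step, initiator = 1, a
            elif step == 1 and flags == "S." and b == initiator:
                step = 2                        # SYN/ACK back to the initiator
            elif step == 2 and flags == "R." and a == initiator:
                hits.append((ts, "%s.%d" % a, "%s.%d" % b))
                step = 0                        # RST/ACK instead of the final ACK
            elif step and flags != "S.":
                step = 0                        # any other packet: not the pattern
    return hits
```

Correlating the returned timestamps with the monitor "down"/"up" events in /var/log/ltm ties the resets to the health-monitor flaps.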
