Wednesday, September 20, 2006

F5 BIG-IP version 9 sends a RST packet to the client after timeout

The load balancer in production on our site currently leaves the client hanging. After timeout on the server or client, it terminates the connection to the server but doesn't terminates the connection to the client. As a result, the FireFox or IE browser spins its hourglass or whirls forever, as confused the hell out of the unsuspecting non-techie end users.
With that in mind, it is quite a relief to me to see a RST packet received by the client, after 320s of idle time ( thread.sleep(320000)) in a jsp served by Apache/tomcat. Since FireFox actually sent 'keep-alive 300' in the http request header, so I am not so sure the 300s is per FireFox's request, or per F5 Big-IP v9's own hard-coded client (or server) idle timeout. If I recall correctly, Citrix Netscaler EE9000 (version 6.1 and 7.0 beta) defaults to timeout on idle client at 180 seconds and on idle server at 300 seconds.


Jeff Silverman, Linux sysadmin said...

This behavior is by design. The timeout can be changed by going to the local traffic pane, select profiles, go to the protocol menu, select the relevant TCP profile, and find the idle timeout parameter, which by default is 300 seconds. There is also an option, reset on timeout, which sends a RESET packet when the connection times out. It is optional because some protocols have very long idle times, such as Oracles data access protocol. HTTP generally has short connections so it is usually acceptable to close the connection when the server gets a FIN packet.

Please do not discuss these issues in public forums. I have spent several hours going over tcpdumps on your behalf and I find it rather insulting. If you have issues with F5 support, then please take it up with my management, but not in a public forum.

Jeff Silverman, Linux sysadmin said...

I went back and re-read the original post and I realized that I overlooked something: this post is 3 years old! It predates this problem that you and I are working on. So never mind about the insulted part - I realize now that it is not about me at all.

I'm sorry. If there was a way to edit my response, I would.