[f-nsp] Serveriron Session Timeout (delayed FIN ACK)
Nils Domrose
nils at domrose.net
Sun Sep 7 07:20:13 EDT 2008
Hi,
while we introduced a new frontend firewall between our Frontend Apache
server and our Backends, I experienced a strange behavior:
in front of our Backend Servers we have a pair of SI4G running 10.2.0
Software and source-nat.
Frontend Server=Client
Backend Server=Real Server
On the Firewall I can see frequent blocks of FIN ACK packets (Client to
VIP) and RST Packets (Real! Server to Client).
After running multiple snoops the picture looks like this:
1. Client establishes a connection to the VIP (HTTP 1.1).
2. Multiple requests are served via the connection.
3. After a while the connection is idle (and all Packets are ACK'ed)
4. After 15 seconds idle as configured on apache side, the backend
server sends a FIN (ACK) to close the connection
5. The Frontend server sends immediately an ACK
now the interesting part starts:
6. After 80+ seconds the Frontend Server sends the FIN ACK
7. the Packet is not NAT'ed any more when reaching the real server
(Source: Frontend Server -> Dest: real server).
also due to the missing NAT the port number does no longer match the
port number of the previous connection from real server point of view.
(the previous connection was source-nat IP:nated port -> real server:9080)
8. The real server sends a RST (due to the unknown TCP connection) to
the Frontend Server
Of course 6 to 8 happen several times afterwards since the frontend
server never receives an answer for the FIN ACK and retransmits the FIN ACK.
I wonder why apache as a client (sometimes) needs more than 80 seconds
to send a final FIN ACK but I have not found any information that this
is wrong/not allowed. We run Apache 2.0 using mod_rewrite (we also
tested mod_proxy) in frontend and backend.
Does anyone have an idea what timeout value is responsible for the
deletion of the Serveriron session and is causing the source NAT to fail?
When does this timeout start (I guess once the Serveriron receives the
first FIN)?
And last but not least, is this configurable?
Any hint is welcome!
Nils
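An added example, not part of the post: a small analyzer that walks a snoop-style trace from the frontend's point of view and flags the pattern described above, a client FIN that trails the server's FIN by longer than the load balancer's session timeout, followed by a RST that comes straight from the real server instead of the VIP. The records, the VIP 10.0.1.1:80, the real server 10.0.2.20:9080 and the 60 s timeout are all constructed for the example; the post gives none of these values.

```python
from collections import defaultdict

# Constructed snoop-style records: "time src dst flags" as seen on the frontend.
# Two keep-alive flows from client 10.0.0.10; only port 40123 shows the late FIN.
TRACE = """
15.000 10.0.1.1:80     10.0.0.10:40123 FA
15.001 10.0.0.10:40123 10.0.1.1:80     A
15.000 10.0.1.1:80     10.0.0.10:40124 FA
15.200 10.0.0.10:40124 10.0.1.1:80     FA
97.400 10.0.0.10:40123 10.0.1.1:80     FA
97.402 10.0.2.20:9080  10.0.0.10:40123 R
"""
VIP = "10.0.1.1:80"      # constructed; the post does not name the VIP
NAT_TIMEOUT = 60.0       # assumed session timeout after the first FIN, not from the post

def parse(text):
    """Parse the constructed records into (time, src, dst, flags) tuples.
    Flags use tcpdump letters: S=SYN, A=ACK, F=FIN, R=RST."""
    pkts = []
    for ln in text.strip().splitlines():
        t, src, dst, flags = ln.split()
        pkts.append((float(t), src, dst, flags))
    return pkts

def late_fin_findings(pkts, vip=VIP, nat_timeout=NAT_TIMEOUT):
    """Return one finding per client flow whose own FIN trails the server's FIN
    by more than nat_timeout seconds, i.e. long enough for the LB session to
    have been deleted so the late FIN is forwarded without source NAT."""
    flows = defaultdict(dict)  # client endpoint -> observations
    for t, src, dst, flags in pkts:
        if src == vip and "F" in flags:        # server FIN, de-NATed to the VIP
            flows[dst].setdefault("srv_fin", t)
        elif dst == vip and "F" in flags:      # the client's (possibly late) FIN
            flows[src].setdefault("cli_fin", t)
        elif "R" in flags:                     # any RST back towards a client
            flows[dst].setdefault("rst_from", src)
    findings = []
    for client, f in flows.items():
        if "srv_fin" not in f or "cli_fin" not in f:
            continue
        delay = round(f["cli_fin"] - f["srv_fin"], 3)
        if delay > nat_timeout:
            rst_from = f.get("rst_from")
            findings.append({"client": client, "fin_delay_s": delay, "rst_from": rst_from,
                             # a RST not sourced from the VIP means the real server
                             # answered the client directly: the NAT was bypassed
                             "reply_bypassed_nat": rst_from not in (None, vip)})
    return findings
```

Raising nat_timeout above the observed delay makes the finding disappear, which is a quick way to test a candidate session-timeout value against a real capture.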
More information about the foundry-nsp mailing list