
Brett_10751
Sep 22, 2015

F5 failover from 11.4.0 to 11.6.0 breaks SQL connections - Connection Mirroring or Loose Initiation needed?

I attempted to upgrade from 11.4.0 to 11.6.0. I upgraded the standby to 11.6.0 and failed over to it. Many HTTP and HTTPS virtual servers continued to work; however, all HTTP virtual servers that make calls to SQL servers in other remote networks failed.

I took packet captures of it working on 11.4.0 and of it failing on 11.6.0.

Working

HTTP GET

200 OK for some web content

200 OK for some web content

Back end web server does PSH, ACK to SQL server on SQL port (Default wildcard vip - fastl4 no connection mirroring)

200 OK

200 OK

Site fully loads and works

Not working

HTTP GET

200 OK for some web content

200 OK for some web content

Back end web server does SYN to SQL server on SQL port (Default wildcard vip - fastl4 no connection mirroring)

SQL Server replies back with RST, ACK

Site loads basic shell but none of the SQL content

I've been told our SQL servers used connection pooling, which reuses SQL connections instead of opening a new connection for each request.

To me it seems that when we fail over to the new software version, the F5 does not have a copy of all of the connections, so when the back end web server tries to talk to SQL it tries to establish a new TCP session and SQL resets it because it already had a connection to reuse.

So I was thinking maybe this could be fixed a few different ways, but I need advice on the best way or alternative ideas.

  1. Set up connection mirroring on the default wildcard vip (this scares me due to F5 articles about possible performance problems)

  2. Set up a separate forwarding vip for each SQL server and enable connection mirroring on it

  3. Maybe enabling loose initiation on the default wildcard virtual server would cause the back end web server to continue to issue PSH, ACK instead of SYN for a new TCP session

I did not have these issues when doing previous upgrades, so either the SQL design changed or F5 is handling things differently in different software versions. I don't see any posts that are a dead-on match for the issue that I have, so I'm wondering why I see these issues but others don't.

Thanks for the help

2 Replies

  • Just a shot in the dark, but do you have hardware SYN cookie protection turned on for that wildcard virtual server? And are you seeing anything related to SYN cookie activation in the LTM logs?

  • So the fastl4 profile has Hardware SYN cookie protection enabled and our B2100 blade is capable of it. When I look at the virtual server statistics, SYN status says off, with 0 hardware and software SYN accepted, but I do have 2.6K and 2.16K under Software SYN rejected. The LTM logs show no sign of SYN cookie hardware mode being activated or the threshold being met.