Forum Discussion

grilledcheez_21
Aug 05, 2016

Issues with TCP Fragmentation?

Hello,

 

Implementing a new system here and I seem to be getting issues with handshake failures on the front end of the F5 intermittently (seems to be timing out). The first few transactions fail, but then they start to work after that for a little bit, but after not sending any transactions for a few minutes the first few will fail again. After doing a Wireshark capture, I notice there is some fragmenting going on and it is probably causing a latency issue. We are using 2-way SSL on the F5 to offload it, as there were issues with these terminals doing it themselves: too much latency.

 

In this capture, 172.27.2.74 is the F5 VIP IP. 172.27.128.66 is one of the test terminals.

 

 

I attempted to use the tcp-wan-optimization on the front end and that seemed to pass all transactions to the servers behind the F5, but then the backend towards the servers was having handshake failures and started causing timeouts. I don't have a capture of the backend.

 

I tried several settings on the backend, using wan optimization on it and just the regular tcp profile, but that didn't seem to help. I'm wondering if I will have to create a custom tcp profile. I'm wondering if I need to address the MTU issue by adjusting the Window setting? I'm not 100% sure what the best way of doing that would be.

 

Any help would be much appreciated.

 

Thanks.

 

7 Replies

  • I would contact support; troubleshooting things like this is tricky on a forum.

     

  • You need to find out what the minimum MSS size is for the path. You can try creating a new profile that defaults from tcp-lan-optimized and adjust the MSS to 1400 or 1360.

     

    Mike

     

    • grilledcheez_21

      Seems to be 1460 on the WAN, our server side LAN should be able to handle 1500 no problem.

       

    • Mike_Dayton_108

      I am with Boneyard on this. There are too many variables. If you have different MSS sizes on different sides of the LTM, you may want to enable proxy mss.

       

      Proxy Maximum Segment - Specifies, when checked (enabled), that the system advertises the same maximum segment size (MSS) to the server as that of the client. By default, this setting is disabled.

       

  • I could see that. I've been doing a lot of reading on the Nagle algorithm, windowing sizes, and delayed acknowledgement; there are a lot of settings to play with in the TCP profiles.

     

  • Looks like the client-side is sending fragmentation needed messages. Can you expand the "Destination Unreachable (Fragmentation Needed)" line to see if there is any information on MSS/MTU?

     

    Alternatively, you can also lower the "Proxy Maximum Segment" to see if a lower number would work.

     

  • Yeah, you can lose yourself quite easily with those, and I wonder how many people fully understand everything. As you start with the default and can clearly show the BIG-IP is doing something odd, support is very willing to help in my experience.
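
Added example (not part of the original thread or any poster's code): a Python parser for the ICMP "Destination Unreachable (Fragmentation Needed)" message discussed in the replies, extracting the next-hop MTU and the MSS it implies. The packet bytes are constructed, using the two addresses from the capture description and an assumed MTU of 1400; `parse_frag_needed` and `build_sample` are hypothetical names.

```python
import ipaddress
import struct

# Assumption: 20-byte IPv4 header + 20-byte TCP header, no IP or TCP options.
IP_TCP_OVERHEAD = 40


def parse_frag_needed(icmp: bytes):
    """Parse an ICMPv4 message starting at the ICMP header.

    Returns a dict for type 3 / code 4 (Fragmentation Needed, RFC 1191),
    or None for any other ICMP message. The checksum is not verified.
    """
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]  # embedded header of the datagram that was too big
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("missing or non-IPv4 embedded header")
    return {
        "next_hop_mtu": mtu,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_len": struct.unpack("!H", inner[2:4])[0],
        "df": bool(inner[6] & 0x40),  # Don't Fragment bit of the original
        # Routers predating RFC 1191 leave the MTU field at zero.
        "suggested_mss": mtu - IP_TCP_OVERHEAD if mtu else None,
    }


def build_sample(mtu=1400):
    """Constructed sample: a 1500-byte DF datagram from the VIP was refused."""
    inner = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
        ipaddress.IPv4Address("172.27.2.74").packed,    # F5 VIP (sender)
        ipaddress.IPv4Address("172.27.128.66").packed,  # test terminal
    )
    inner += bytes(8)  # first 8 bytes of the original TCP header, zeroed
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner


if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```

A `suggested_mss` of `None` means the reporting hop did not fill in the MTU field, so the path minimum has to be found another way.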