Symptoms

When a pool member is detected down, the standby system holds a mirrored connection until the TCP profile idle-timeout expires even when the FIN packet is properly mirrored to the Standby system from the Active system. The Active peer, on the other hand, properly closes the connection after the 4-way closure.

Impact

Mirrored connection remains on the Standby system until the idle timeout expires

Conditions

- Connection mirroring is enabled on a virtual server - Pool member status changes to unavailable on the standby before it becomes active (i.e., pool member monitor down occurs, or pool member is manually disabled) - HTTP(S) virtual server has an iRule which utilizes HTTP::close command, such as below. --------- ltm rule /Common/my_f5_rule { when HTTP_REQUEST { pool f5_pool } when HTTP_REQUEST_RELEASE { set pool "[LB::server pool]" set pool_name [substr $pool 8 ] set address "[LB::server addr]" set port "[LB::server port]" if {[LB::status pool $pool_name member $address $port] ne "up"} { clientside { HTTP::close } } } } ---------

Workaround

Do not use iRule with HTTP::close if possible Alternatively use a smaller idle timeout and when manually shutting down a pool member, do so on the active first. Another alternative is to have this type of rule: --------- ltm rule /Common/my_f5_rule { when HTTP_REQUEST { pool f5_pool } when HTTP_REQUEST_RELEASE { set pool "[LB::server pool]" set pool_name [substr $pool 8 ] set address "[LB::server addr]" set port "[LB::server port]" if {[LB::status pool $pool_name member $address $port] ne "up"} { clientside { HTTP::close } if { [HA::status standby] } { HTTP::header insert "X-a" "dn" } } } } ---------

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips