Bug ID 946021: TCP Keep-Alive cannot be selectively enabled

Last Modified: Jul 12, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Fixed In:
16.1.0

Opened: Sep 17, 2020
Severity: 3-Major

Symptoms

When using the TCP proxy, one side of the proxy (e.g., the server side) may close the connection because of a TCP idle timeout, even though the other side of the proxy is using TCP keep-alive. Keep-alive can be enabled on the TCP profile, but this enables keep-alive packets on all connections using that TCP profile.

Impact

If keep-alive is enabled on the TCP profile, all connections associated with the profile will see keep-alive packets originating from the BIG-IP. If keep-alive is not enabled on the TCP profile, BIG-IP will only respond to a keep-alive packet it receives, and will not forward it.

Conditions

BIG-IP is configured to use TCP in full-proxy mode (not fastL4).

Workaround

To allow TCP keep-alive to be enabled selectively, alternate virtual servers would need to be created that have custom TCP profiles that enable it. Traffic would need to be selectively steered to the appropriate alternate virtual server.

Fix Information

A new iRule command, TCP::keepalive, is provided. This allows an iRule to make a decision based on criteria (such as client IP, destination port, or other attributes) to selectively enable TCP keep-alive on a connection.

Behavior Change