Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP All
Fixed In:
16.1.0
Opened: Sep 17, 2020 Severity: 3-Major
When using the TCP proxy, one side of the proxy (e.g., the server side) may close the connection because of a TCP idle timeout, even though the other side of the proxy is using TCP keep-alive. Keep-alive can be enabled on the TCP profile, but this enables keep-alive packets on all connections using that TCP profile.
If keep-alive is enabled on the TCP profile, all connections associated with the profile will see keep-alive packets originating from the BIG-IP. If keep-alive is not enabled on the TCP profile, BIG-IP will only respond to a keep-alive packet it receives, and will not forward it.
BIG-IP is configured to use TCP in full-proxy mode (not fastL4).
To allow TCP keep-alive to be enabled selectively, alternate virtual servers would need to be created that have custom TCP profiles that enable it. Traffic would need to be selectively steered to the appropriate alternate virtual server.
A new iRule command, TCP::keepalive, is provided. This allows an iRule to make a decision based on criteria (such as client IP, destination port, or other attributes) to selectively enable TCP keep-alive on a connection.