Archive for March, 2015

Understanding F5 BIG-IP Memory Usage

March 30th, 2015 No comments

A BIG-IP is split between the Linux host management subsystem (HMS) and the Traffic Management Microkernel (TMM), which owns the memory set aside for traffic processing. Any non-tmsh command you run in the HMS bash shell (such as free) generally only reports on the HMS, which is why there is an apparent discrepancy between the tmsh “show sys memory” command and the Linux “free” command: Read more…

Categories: linux

AS/400 Ethernet Type May Cause Problems

March 13th, 2015 No comments

After a core network switch reload, a strange problem occurred with 5250 terminal sessions to an AS/400: sometimes they worked and sometimes they did not. The same intermittent behaviour was seen when pinging the AS/400 from within the same IP subnet.

The problem appeared to be the Ethernet framing used by the AS/400: its ARP replies kept alternating between SNAP and ARPA encapsulation. An ARP entry on the core routers showed the AS/400’s MAC address learned with “SNAP” encapsulation (802.3 framing with an 802.2 LLC/SNAP header) rather than “ARPA” (Ethernet II framing with an EtherType), the latter being the default encapsulation on the Cisco 6500s we were using. Read more…
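The two framings differ only in what the two bytes after the MAC addresses mean: an EtherType (0x0600 or above) for ARPA/Ethernet II, or an 802.3 length followed by an LLC header (AA AA 03) and a SNAP header (OUI plus EtherType) for SNAP. The following is an added example, not code from the post: it builds synthetic ARP replies in both framings, classifies each frame, decodes the ARP payload, and reports any sender MAC that answers in more than one framing, which is the flapping symptom described above. The MAC and IP addresses are constructed and have nothing to do with the original network.

```python
"""Classify Ethernet frames by encapsulation and report any ARP sender that
replies in more than one framing (the AS/400 symptom above).

"ARPA" is Cisco's name for Ethernet II framing: the two bytes after the MAC
addresses hold an EtherType. "SNAP" is IEEE 802.3 framing: those two bytes
hold a length, followed by an 802.2 LLC header (AA AA 03) and a SNAP header
(3-byte OUI plus the EtherType).
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_MIN = 0x0600                  # >= 0x0600 is an EtherType, below is an 802.3 length
SNAP_LLC = bytes([0xAA, 0xAA, 0x03])    # DSAP 0xAA, SSAP 0xAA, control 0x03 (UI)
SNAP_OUI_ETHERNET = b"\x00\x00\x00"     # OUI 00-00-00: an EtherType follows


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, encap):
    """Construct a synthetic ARP reply in the requested framing (test data, not a capture)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      sender_mac, sender_ip, target_mac, target_ip)
    if encap == "ARPA":
        return target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp
    if encap == "SNAP":
        body = SNAP_LLC + SNAP_OUI_ETHERNET + struct.pack("!H", ETHERTYPE_ARP) + arp
        return target_mac + sender_mac + struct.pack("!H", len(body)) + body
    raise ValueError("unknown encapsulation %r" % encap)


def classify_frame(frame):
    """Return (encapsulation, ethertype or None, payload) for one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= ETHERTYPE_MIN:
        return "ARPA", type_or_len, frame[14:]
    end = 14 + type_or_len                  # 802.3: the field is a payload length
    if end > len(frame):
        raise ValueError("802.3 length field exceeds frame")
    if frame[14:17] == SNAP_LLC and end >= 22:
        ethertype = struct.unpack("!H", frame[20:22])[0]
        return "SNAP", ethertype, frame[22:end]
    return "LLC", None, frame[17:end]       # plain 802.2 without SNAP: no EtherType


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet into a dict of printable fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": sha.hex(":"), "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": tha.hex(":"), "target_ip": ".".join(str(b) for b in tpa),
    }


def encapsulations_by_sender(frames):
    """Map each MAC that sent an ARP reply to the set of framings it used.
    A MAC with more than one entry is flapping between encapsulations."""
    seen = {}
    for frame in frames:
        encap, ethertype, payload = classify_frame(frame)
        if ethertype != ETHERTYPE_ARP:
            continue
        arp = parse_arp(payload)
        if arp["op"] == "reply":
            seen.setdefault(arp["sender_mac"], set()).add(encap)
    return seen


# Constructed sample: the addresses are made up, not from the post. The AS/400
# answers the router's ARP requests alternately in ARPA and SNAP framing.
AS400_MAC = bytes.fromhex("00090600aa01")
ROUTER_MAC = bytes.fromhex("0000000c1234")
AS400_IP = bytes([10, 1, 1, 20])
ROUTER_IP = bytes([10, 1, 1, 1])
SAMPLE_FRAMES = [
    build_arp_reply(AS400_MAC, AS400_IP, ROUTER_MAC, ROUTER_IP, encap)
    for encap in ("ARPA", "SNAP", "ARPA", "SNAP")
]

if __name__ == "__main__":
    for mac, encaps in encapsulations_by_sender(SAMPLE_FRAMES).items():
        verdict = "FLAPPING" if len(encaps) > 1 else "stable"
        print(mac, sorted(encaps), verdict)
```

Fed real frames (for example the raw bytes of each packet from a capture), the same `encapsulations_by_sender` check tells you within one ARP cycle whether a host is switching framings, which is quicker than watching the router's ARP table flap.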

Case Study: F5 Load Balancer and TCP Idle Timer / fastL4 Profile

March 6th, 2015 No comments

This describes a problem whereby a client connects to a server and then waits for a report to complete before retrieving it. The report took longer than 5 minutes, and the TCP session sat idle while the client waited. After a while the TCP connection was dropped.

Packet traces were taken at the client, the server and intermediate points, which included an F5 load balancer that was simply acting as a router. Analysis of the traces revealed some interesting things.

The TCP three-way handshake completed and the session was set up. The client then sent an HTTP GET request (a TCP segment of 734 bytes) to submit the data, which was received by a client-side firewall. The firewall forwarded it onwards towards the server, in the direction of the F5 load balancer …

BUT: the HTTP GET did not seem to arrive at the F5. The server-side firewall, however, DID receive the GET and forwarded it to the application server, which then sent an ACK back to the client, and that ACK DID pass through the F5. Huh?

It was initially thought that the F5, having seen an ACK for a TCP segment it had never seen, sent a RST in both directions to tear down the TCP session. That was confusing, because the session went through the F5 and yet the HTTP GET seemingly bypassed it while still arriving at the server. After a good deal of head-scratching it still made no sense: there was the delay to account for, and there clearly was no asymmetric routing, because the ACK came back along the same path. So why the reset? Read more…
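The title points at the fastL4 profile’s idle timer. A fastL4 profile’s idle-timeout defaults to 300 seconds, which lines up with the “longer than 5 minutes” above: once the connection-table entry for an idle flow has expired, the next segment on that flow is one the F5 has no state for. The following tmsh session is an added example of how to check and raise that timer, not the post’s own fix; the profile name fastL4_report, the virtual server vs_report and the 1800-second value are assumptions.

```tmsh
create ltm profile fastl4 fastL4_report defaults-from fastL4 idle-timeout 1800
modify ltm virtual vs_report profiles replace-all-with { fastL4_report }
list ltm profile fastl4 fastL4_report
save sys config
```

Raising the F5 timer alone is not enough if either firewall in the path has a shorter idle timer of its own; the more robust fix is for the client or server to send TCP keepalives (or for the application to poll rather than hold an idle connection) at an interval shorter than the smallest idle timeout along the path.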

Categories: linux

Using Nmap to Identify Applications

March 3rd, 2015 No comments

By default Nmap labels open ports using the “default” service names in its nmap-services file, which maps port numbers to the service usually found on them. That label is only a guess by port number, not an observation of what is listening. To see the “real” application, run Nmap with the “-sV” option, which probes each open port and reports the product and version that actually answered. Read more…
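The difference is visible in Nmap’s XML output (-oX): a service element carries method="table" when the name is only the port-number guess and method="probed" when version detection matched a response. The following is an added example, not code from the post: it parses a small excerpt in the nmap-services format, parses a -sV scan result, and labels each open port as confirmed (probe agrees with the table), mismatch (something else is listening) or unverified (no probe match, so the table guess is all you have). Both the nmap-services excerpt and the XML are constructed for the example; the host, ports and versions are not from a real scan.

```python
"""Reconcile Nmap's port-table guess (nmap-services lookup) with what -sV
actually probed, reading the XML output produced by -oX."""
import xml.etree.ElementTree as ET

# Constructed excerpt in the nmap-services format (name  port/proto  frequency  # comment).
# The frequencies are made up; only the name/port mapping matters here.
SAMPLE_NMAP_SERVICES = """\
# Fields in this file: Service name, portnum/protocol, open-frequency
ssh\t22/tcp\t0.182286\t# Secure Shell Login
http\t80/tcp\t0.484143\t# World Wide Web HTTP
mysql\t3306/tcp\t0.045390
http-proxy\t8080/tcp\t0.042052\t# Common HTTP proxy/second web server port
"""

# Constructed `nmap -sV -oX` output for one host; not a real scan. Port 8080
# is really an SSH daemon, port 3306 never matched a version probe, and
# port 80 is closed and should be ignored.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="http" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_services(text):
    """Return {(port, proto): name} from text in the nmap-services format."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def parse_service_scan(xml_text):
    """Extract open ports and their <service> attributes from -oX output."""
    found = []
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        attrs = svc.attrib if svc is not None else {}
        found.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "name": attrs.get("name"),
            "product": attrs.get("product"),
            "version": attrs.get("version"),
            "method": attrs.get("method"),
        })
    return found


def reconcile(table, scan):
    """Label each open port: confirmed (probe agrees with the table),
    mismatch (probe found something else) or unverified (table guess only)."""
    results = []
    for entry in scan:
        guess = table.get((entry["port"], entry["proto"]))
        if entry["method"] != "probed":
            status = "unverified"
        elif entry["name"] == guess:
            status = "confirmed"
        else:
            status = "mismatch"
        results.append(dict(entry, table_name=guess, status=status))
    return results


def run_sample():
    """Reconcile the constructed scan against the constructed services table."""
    return reconcile(parse_nmap_services(SAMPLE_NMAP_SERVICES),
                     parse_service_scan(SAMPLE_XML))


if __name__ == "__main__":
    for r in run_sample():
        detected = " ".join(filter(None, (r["name"], r["product"], r["version"])))
        print("%5d/%s table=%-10s probed=%-25s %s" % (
            r["port"], r["proto"], r["table_name"], detected, r["status"]))
```

Against a real scan, point `parse_nmap_services` at the nmap-services file shipped with your Nmap install and `parse_service_scan` at the -oX file; the “mismatch” rows are the ports where the default label would have misled you, and the “unverified” rows are the ones still worth a manual look (for example with nc or a browser), since -sV only reports what its probe database recognised.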