Forum Discussion
dragonflymr
Cirrostratus
Jun 12, 2015
AFM and asymmetric routing
Hi,
I am looking for possible solution for this kind of scenario. I was checking available docs and can't find any real solution that could work and be manageable using AFM.
Two DC - DC1, ...
nitass_89166
Noctilucent
Jun 12, 2015
What version are you using?
There is a change in behavior in 11.5.1 HF4 and 11.6.0: ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows.
Now, AFM checks packets according to the loose-initiation setting.
version
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version | grep -A 6 Main
Main Package
Product BIG-IP
Version 11.6.0
Build 4.0.420
Edition Hotfix HF4
Date Mon Feb 16 02:21:25 PST 2015
loose-initialization is not enabled (default)
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
destination 0.0.0.0:0
fw-enforced-policy mypolicy
mask any
profiles {
fastL4 { }
}
security-log-profiles {
mylog
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address disabled
translate-port disabled
vs-index 2
}
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list security firewall policy mypolicy
security firewall policy mypolicy {
rules {
catchall {
action accept
log yes
}
}
}
client
[root@client1 ~] hping 200.200.200.101 -p 80 -A -c 3
HPING 200.200.200.101 (eth1 200.200.200.101): A set, 40 headers + 0 data bytes
--- 200.200.200.101 hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
trace
[root@ve11d:Active:Changes Pending] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:20:47.455508 IP 100.100.100.1.1654 > 200.200.200.101.80: . ack 226388079 win 512 in slot1/tmm0 lis=
04:20:48.456955 IP 100.100.100.1.1655 > 200.200.200.101.80: . ack 399103005 win 512 in slot1/tmm1 lis=
04:20:49.458900 IP 100.100.100.1.1656 > 200.200.200.101.80: . ack 2097896011 win 512 in slot1/tmm0 lis=
/var/log/ltm
[root@ve11d:Active:Changes Pending] config tail -f /var/log/ltm
Jun 12 04:20:43 ve11d notice tmm[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:36273
Jun 12 04:20:43 ve11d notice tmm1[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:36273
Jun 12 04:20:55 ve11d notice tmm[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:36273
Jun 12 04:20:55 ve11d notice tmm1[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:36273
loose-initialization is enabled
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
destination 0.0.0.0:0
fw-enforced-policy mypolicy
mask any
profiles {
fastL4_stateless { }
}
security-log-profiles {
mylog
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address disabled
translate-port disabled
vs-index 2
}
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile fastl4 fastL4_stateless
ltm profile fastl4 fastL4_stateless {
app-service none
loose-close enabled
loose-initialization enabled
}
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list security firewall policy mypolicy
security firewall policy mypolicy {
rules {
catchall {
action accept
log yes
}
}
}
client
[root@client1 ~] hping 200.200.200.101 -p 80 -A -c 3
HPING 200.200.200.101 (eth1 200.200.200.101): A set, 40 headers + 0 data bytes
len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=0 win=0 rtt=10.6 ms
len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=1 win=0 rtt=2.0 ms
len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=2 win=0 rtt=3.1 ms
--- 200.200.200.101 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.0/5.2/10.6 ms
trace
[root@ve11d:Active:Changes Pending] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:33:55.703826 IP 100.100.100.1.2414 > 200.200.200.101.80: . ack 190418598 win 512 in slot1/tmm0 lis=
04:33:55.705975 IP 200.200.200.222.2414 > 200.200.200.101.80: . ack 190418598 win 512 out slot1/tmm0 lis=/Common/fwd
04:33:55.710461 IP 200.200.200.101.80 > 200.200.200.222.2414: R 190418598:190418598(0) win 0 in slot1/tmm0 lis=/Common/fwd
04:33:55.710501 IP 200.200.200.101.80 > 100.100.100.1.2414: R 190418598:190418598(0) win 0 out slot1/tmm0 lis=/Common/fwd
04:33:56.702916 IP 100.100.100.1.2415 > 200.200.200.101.80: . ack 1485547836 win 512 in slot1/tmm1 lis=
04:33:56.703186 IP 200.200.200.222.2415 > 200.200.200.101.80: . ack 1485547836 win 512 out slot1/tmm1 lis=/Common/fwd
04:33:56.704113 IP 200.200.200.101.80 > 200.200.200.222.2415: R 1485547836:1485547836(0) win 0 in slot1/tmm1 lis=/Common/fwd
04:33:56.704125 IP 200.200.200.101.80 > 100.100.100.1.2415: R 1485547836:1485547836(0) win 0 out slot1/tmm1 lis=/Common/fwd
04:33:57.705045 IP 100.100.100.1.2416 > 200.200.200.101.80: . ack 436813289 win 512 in slot1/tmm0 lis=
04:33:57.705231 IP 200.200.200.222.2416 > 200.200.200.101.80: . ack 436813289 win 512 out slot1/tmm0 lis=/Common/fwd
04:33:57.706718 IP 200.200.200.101.80 > 200.200.200.222.2416: R 436813289:436813289(0) win 0 in slot1/tmm0 lis=/Common/fwd
04:33:57.706729 IP 200.200.200.101.80 > 100.100.100.1.2416: R 436813289:436813289(0) win 0 out slot1/tmm0 lis=/Common/fwd
/var/log/ltm
[root@ve11d:Active:Changes Pending] config tail -f /var/log/ltm
Jun 12 04:33:49 ve11d notice tmm[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:57409
Jun 12 04:33:49 ve11d notice tmm1[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:57409
Jun 12 04:33:55 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2414","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2414","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00000000000000cc","unknown"
Jun 12 04:33:56 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2415","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2415","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00010000000000cc","unknown"
Jun 12 04:33:57 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2416","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2416","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00000000000000cd","unknown"
Jun 12 04:34:05 ve11d notice tmm[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:57409
Jun 12 04:34:05 ve11d notice tmm1[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:57409
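To make the difference between the two traces above concrete, here is an added example (my code, not the poster's and not F5's) that parses the BIG-IP tcpdump lines and replays the inbound packets through a simplified model of fastL4 flow admission; the admission rule, the extra SYN line in the sample and the helper names are my assumptions, not F5's implementation.

```python
import re
from typing import Optional

# Matches the BIG-IP tcpdump lines in the post ("in|out slotX/tmmY lis=<virtual>" suffix).
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) .*?\b(?P<dir>in|out) \S+ lis=(?P<lis>\S*)$"
)

# Constructed sample: the three ACK-only probes from the first trace plus one
# hypothetical SYN (not in the post) to show the contrast.
SAMPLE_TRACE = [
    "04:20:47.455508 IP 100.100.100.1.1654 > 200.200.200.101.80: . ack 226388079 win 512 in slot1/tmm0 lis=",
    "04:20:48.456955 IP 100.100.100.1.1655 > 200.200.200.101.80: . ack 399103005 win 512 in slot1/tmm1 lis=",
    "04:20:49.458900 IP 100.100.100.1.1656 > 200.200.200.101.80: . ack 2097896011 win 512 in slot1/tmm0 lis=",
    "04:20:50.000000 IP 100.100.100.1.1657 > 200.200.200.101.80: S 1000:1000(0) win 512 in slot1/tmm0 lis=",
]

def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Return the packet fields of one tcpdump line, or None for banner/non-packet lines."""
    m = TCPDUMP_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def afm_admits(flows: set, pkt: dict, loose_init: bool) -> bool:
    """Simplified model (assumption, not F5's code): a packet on a known flow passes,
    a SYN creates a flow, anything else creates a flow only with loose-initialization."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if key in flows or reverse in flows:
        return True
    if "S" in pkt["flags"] or loose_init:  # tcpdump prints "." for an ACK-only segment
        flows.add(key)
        return True
    return False

def replay(lines, loose_init: bool) -> int:
    """Replay inbound packets through the model; return how many are admitted
    (i.e. would be forwarded to the server and logged by the AFM policy)."""
    flows, admitted = set(), 0
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is not None and pkt["dir"] == "in" and afm_admits(flows, pkt, loose_init):
            admitted += 1
    return admitted
```

With loose_init=False only the SYN is admitted and the three ACK-only probes are dropped, matching the 100% packet loss hping reported in the first test; with loose_init=True every probe is admitted, matching the second trace where each one was SNATed, forwarded and logged.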
dragonflymr
Cirrostratus
Jun 12, 2015
Hi, it will be a new installation, so the newest version, 11.6.0 HF4 or later (if available at deployment time). First of all, thanks for the answer; second, sorry, but I am not yet so fluent in reading the CLI part. I assume that what you posted proves that asymmetrical routing could be used and it will work - am I right? So on AFM1 a wildcard with stateless FastL4 and a second one on AFM2? Is it not a kind of security hole? As far as I understand, both AFM clusters will not be aware that a session outgoing from the LAN is indeed legitimate, because it's part of a session that entered the LAN via another AFM.
So what then about matching logs, as part of the session will be logged on one AFM and part on another? Will it not be a kind of nightmare for the admin? Then instead of one VS handling both incoming and outgoing traffic, two will be necessary: one for incoming traffic on the AFM1 group, a second for outgoing on the AFM2 group - and vice versa. Or maybe you set both loose initiation and loose close to use the same wildcard for handling incoming traffic on AFM1 and outgoing traffic on AFM2 - so this VS is processing incoming traffic to the LAN and traffic that came via AFM2 and is going back via AFM1? Still, is that not creating security issues and complicating management and attack detection?
Piotr