Asymmetric routing after software-update not working anymore

We have performed a software update from 13.1.1.5 to 13.1.3.2 on a BIG-IP 4000S.

After this we noticed that access to a server is not working anymore (it was working with the old version).

Following some details about the configuration:

• The server, FW and the BIG-IP have IPs in the same VLAN.
• The FW is normally the main Layer3-hop in this VLAN.
• As the application on the server can not work with SNAT, this server has its default gateway pointing to the BIG-IP.
• The BIG-IP itself has its default gateway pointing to the FW.
• We have a forwarding VS configured with a fastL4 profile and both "Loose Initiation" and "Loose Close" options enabled.
• This configuration on the BIG-IP is part of a Route-Domain and separated via a partition (this partition is assigned to the Route-Domain).

Now we have for example the following use-case:

• We want to start a RDP-session to this server from a hopping station.
• The "request"-traffic is going via the FW and from there directly to the server.
• But due to the default gateway pointing to the BIG-IP, the "response"-traffic is going via the BIG-IP.
• When starting a tcpdump we see two entries:

IN s1/tmm2 : 3389 → 55964 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64000 Len=0 MSS=1460 WS=1 SACK_PERM=1
OUT s1/tmm2 : 31463 → 55964 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64000 Len=0 MSS=1460 WS=1 SACK_PERM=1

• When checking the MAC-addresses of the outgoing paket, this is the one from the FW.

Please correct me if I'm wrong, but this looks for me that the paket reaches the BIG-IP and will be routed/forwarded correctly.

How can we further analyze this? Any idea if this really belongs to the software-update?

The FW-team mentioned that they have not performed any changes in that time, but it's not 100% proven 😉

Do you need any further information/details?

Thank you for your help!

Ciao Stefan 🙂