meena_60183
Oct 23, 2008

BigIP as def. gw - wildcard VS does not help

Hi All,

I have a strange problem. I have one external vlan and several internal vlans configured on the BigIP.

External vlan is 31. I have internal vlans 160, 801, 38 and several others configured, all with self IPs. Vlan 801 is 10.22.0.0/22. I configured 2 web servers (IP of 10.22.3.34 and 35) on the LTM and since the application needs visibility of client IPs, I changed the default gateway to BigIP.

The LTM traffic works fine but RDP traffic and other mgmt. traffic is failing.

After looking through this forum, I configured a wildcard virtual server 0.0.0.0/0.0.0.0 with fastL4 profile and enabled loose initiation and loose close for all VLANs and for all protocols.

I tried pings but some posts mentioned that ICMPs do not work even though "all protocols" is turned on. I never thought ICMPs would fail because of asymmetric routing.

So, I tried "telnet 10.22.3.34 3389" from a vlan 160 machine which is 10.249.160.165.

The default gateway of 10.249.160.165 is the router.

The default gateway of 10.22.3.34 is the BigIP.

The request goes through the router for vlan 160 and the return traffic comes via the BigIP. But the BigIP is sending a reset and the FastL4 with loose initiation and loose close does not seem to work. Here are the tcpdumps on BigIP on vlan801 interface

09:07:41.250179 10.22.3.34.3389 > 10.249.160.155.56168: S 3119932017:3119932017(0) ack 2663136440 win 64240 (this is the syn ack, syn did not go through F5)

09:07:41.250184 10.249.160.155.56168 > 10.22.3.34.3389: R 1:1(0) ack 1 win 0 (DF) (this is the reset and the source MAC address shows the F5's MAC)

The following are the retries.

09:07:44.619218 10.22.3.34.3389 > 10.249.160.155.56168: S 3120856211:3120856211(0) ack 2663136440 win 64240

09:07:44.619226 10.249.160.155.56168 > 10.22.3.34.3389: R 1:1(0) ack 1 win 0 (DF)

I am not seeing any traffic on vlan 160.

I thought the loose close/initiation should allow this SYN-ACK traffic even though it did not see the SYN traffic. Shouldn't it? Then why is the BigIP sending a reset ack?

Any help would be appreciated.

thanks,

Meena

 

  • spark_86682
    Historic F5 Account
    If the BIG-IP is going to see (e.g.) the SYN for a connection on one vlan, and the SYN-ACK on another, then you might try setting the DB key "Connection.VlanKeyed" to disable.
  • The problem is that SYN goes through the router and SYN-ACK comes through BigIP. I still went ahead and did the "b db Connection.VlanKeyed disable" command but that did not help either.

    10.249.160.155 server sends the SYN to the router (on vlan 160 interface) which gets routed through vlan801 interface to the server 10.22.3.34

    Server 10.22.3.34 sends the SYN-ACK reply to vlan801 interface on the BigIP but the vlan 160 interface on BigIP sends a reset.

    Meena
  • F5 support helped resolve this problem.

    When I created a wildcard VS, I created a host VIP of 0.0.0.0/255.255.255.255 and changed it back to network VIP of 0.0.0.0/0.0.0.0.

    The changes did not take effect for some reason. I had to delete the wildcard VS and create a new one with network of 0.0.0.0/0.0.0.0 to begin with.
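
Added example, not part of the thread and not F5 tooling: a small Python check for the capture pattern discussed above, a SYN-ACK whose SYN never crossed the capturing interface and which is reset within microseconds. The function names and the 1 ms window are assumptions made for this example; the sample lines are the ones posted in the thread with the poster's notes removed.

```python
import re
from datetime import datetime, timedelta

# Old-style tcpdump TCP line: "time src.port > dst.port: FLAGS seq [ack N] ..."
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
                  r"(?P<flags>[SFRP.]+) (?P<rest>.*)$")

# Capture lines from the post (the poster's parenthetical notes removed).
SAMPLE = [
    "09:07:41.250179 10.22.3.34.3389 > 10.249.160.155.56168: S 3119932017:3119932017(0) ack 2663136440 win 64240",
    "09:07:41.250184 10.249.160.155.56168 > 10.22.3.34.3389: R 1:1(0) ack 1 win 0 (DF)",
    "09:07:44.619218 10.22.3.34.3389 > 10.249.160.155.56168: S 3120856211:3120856211(0) ack 2663136440 win 64240",
    "09:07:44.619226 10.249.160.155.56168 > 10.22.3.34.3389: R 1:1(0) ack 1 win 0 (DF)",
]

def parse(line):
    """Return a packet dict for a TCP line, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "dst": m["dst"], "flags": m["flags"],
            "ack": re.search(r"\back \d+", m["rest"]) is not None}

def orphan_synacks(lines, window=timedelta(milliseconds=1)):
    """List SYN-ACKs with no SYN seen in this capture, plus the delay (in
    microseconds) of any RST sent back toward the server inside `window`."""
    pkts = [p for p in map(parse, lines) if p]
    syn_seen, findings = set(), []
    for i, p in enumerate(pkts):
        if "S" not in p["flags"]:
            continue
        if not p["ack"]:                      # plain SYN: remember the flow
            syn_seen.add((p["src"], p["dst"]))
        elif (p["dst"], p["src"]) not in syn_seen:
            # SYN-ACK for a flow whose SYN took another path (or predates the capture)
            rst = next((q for q in pkts[i + 1:]
                        if "R" in q["flags"] and q["src"] == p["dst"]
                        and q["dst"] == p["src"] and q["ts"] - p["ts"] <= window), None)
            delay = None if rst is None else (rst["ts"] - p["ts"]) // timedelta(microseconds=1)
            findings.append({"server": p["src"], "client": p["dst"], "reset_us": delay})
    return findings

if __name__ == "__main__":
    for finding in orphan_synacks(SAMPLE):
        print(finding)
```

A reset only a few microseconds after the SYN-ACK is too fast to be a reply from a host behind a router, which matches the poster's observation that the RST carried the F5's MAC address.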