Forum Discussion
Can you stop RST from being sent by VIP
I should have included the initial SYN. Phone sends the SYN, VIP responds back with RST/ACK.
Okay, so then the VIP itself is sending an RST after the client's initial SYN (never completing the client side 3WHS).
You said the VIP is UDP:53, but the client is trying to connect over TCP:853. That'd explain the RST.
Proxying DNS over TLS Queries to Traditional DNS: https://clouddocs.f5.com/training/community/dns/html/class5/module2/module2.html
- John_Krum, Oct 05, 2022 (Cirrus)
OK, I see where you are going with this. I was looking to stop the RST packets, just have them dropped. You are looking at it from the perspective of terminating TLS on the F5 and passing UDP 53 to the pool.
- Kevin_Stewart, Oct 05, 2022 (Employee)
At the very least, you have a VIP with the correct IP, but the wrong port. That's what is causing the RST response.
- Kevin_Stewart, Oct 05, 2022 (Employee)
I'll add, as the RST is not specifically coming from the VIP, since that VIP isn't listening on the correct port, you'd likely need something global to control behavior. There are also a few additional options:
- AFM (Advanced Firewall Manager) could be employed in a Global scope to discard any traffic that does not match the listening port(s).
- For simpler tasks, a packet filter rule could be used:
  - Packet Filtering: enabled
  - Unhandled Packet Action: Discard
  - Rules
    - Action: Accept
    - VLAN / Tunnel: * All
    - Filter Expression: { dst port 53 }
You'll need to tweak the packet filter rules to your environment, but this could effectively be used to discard any traffic coming to the BIG-IP that doesn't match a listening port.
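A client-side check for what the thread describes, added here as an example (it is not code from the original posts or from F5). It sends one SYN to the VIP on TCP/853 the way the phone does and one DNS query to UDP/53, and classifies the answer: "refused" is the RST/ACK symptom, "dropped" is what you should see once unhandled traffic is discarded, "open" means a listener answered. The VIP address 192.0.2.10 and the query name example.com are placeholders, not taken from the thread; the localhost self-check needs no BIG-IP at all.

```python
#!/usr/bin/env python3
"""Probe a VIP the way the client in the thread does and classify the reply.

Added example, not from the original discussion or from F5. Assumptions:
a UDP/53 listener on the VIP, a client aiming at TCP/853, and a placeholder
VIP address (192.0.2.10, a documentation range) passed on the command line.
"""
import errno
import socket
import struct
import sys

OPEN, REFUSED, DROPPED, UNREACHABLE = "open", "refused", "dropped", "unreachable"


def probe_tcp(host, port, timeout=2.0):
    """One SYN to host:port, classified by what comes back.

    "refused"  -> SYN answered with RST/ACK (the symptom in the thread)
    "dropped"  -> nothing back before the timeout (what Discard should give)
    "open"     -> three-way handshake completed (a listener is there)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return DROPPED
        except ConnectionRefusedError:
            return REFUSED
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return UNREACHABLE
            raise
        return OPEN


def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query (UDP wire format) to use as the UDP/53 probe."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def probe_udp_dns(host, port=53, name="example.com.", timeout=2.0):
    """Send one DNS query over UDP and classify the result.

    UDP has no handshake: "refused" here means an ICMP port-unreachable came
    back (surfaced as ECONNREFUSED on a connected UDP socket on Linux),
    "dropped" means silence, "open" means a reply carrying our transaction ID.
    """
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(query)
            data = s.recv(512)
        except socket.timeout:
            return DROPPED
        except ConnectionRefusedError:
            return REFUSED
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return UNREACHABLE
            raise
        return OPEN if data[:2] == query[:2] else "mismatch"


def demo_on_localhost():
    """Self-check without a BIG-IP: a listening TCP port, then the same port closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        r_open = probe_tcp("127.0.0.1", port)
    # Listener is gone now, so the kernel answers the next SYN with RST/ACK,
    # which is exactly the behaviour the thread is asking to suppress.
    r_closed = probe_tcp("127.0.0.1", port)
    return r_open, r_closed


if __name__ == "__main__":
    vip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder VIP
    print("UDP/53 :", probe_udp_dns(vip))
    print("TCP/853:", probe_tcp(vip, 853))
```

Run it once before and once after enabling the packet filter with Unhandled Packet Action set to Discard: the TCP/853 result should move from "refused" to "dropped" while UDP/53 stays "open". If TCP/853 is still "refused", the SYN is reaching something that answers it, so the filter (or its VLAN scope) is not catching that traffic.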