CGNAT with DS-lite and LSN
Hey,
so we have set up DS-Lite with CGNAT according to this in our lab:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/cgn-implementations-11-5-0/14.html
Running version 17.1.1.1.
Interface setup:
ipv4.selfip 192.168.245.245/24 (external if, ipv4.vlan)
ipv6_INET-selfip 2001:2040:c000:1:f5f5:f5f5:f5f5:f5f5/64 (client facing, ip6_INET.vlan)
ds.selfip 192.0.0.1/24 (ds-tunnel)
CGNAT VS created according to above tech-doc.
LSN pool created with:
NAPT
Persistence: Address Port
Persistence Timeout: 30 (for testing)
Inbound Connections: Automatic
ICMP Echo: enabled
Egress interfaces: ipv4.vlan
Members list: 172.16.0.4/30
DS-tunnel created with:
Profile dslite
Local Address: same as ipv6_INET-selfip
Remote Address Any
The NAT-process works fine, the traffic comes in and gets NATed to the pool (i.e. 172.16.0.4).
The traffic also reaches the target, in this case 192.168.245.240. This endpoint in turn has a return-route for traffic back to the F5 for the 172.16.0.4/30 network. So it responds to the traffic, however here is where we hit the curb. The F5 simply resets the traffic once receiving the SYN-ACK, "internal error sending packet to peer". So it's like it has forgotten the fact that it did the NAT. However when verifying "tmsh show sys connection all-properties" we can see both the IPv6 and IPv4 connections.
Does anyone have any tips and tricks for this? Are we missing something?
/Ted