Hi Guys, I'm new to F5, and something annoy me i can't find why it happen. My topology: Network (Public IP - Pretend its 100.100.100.0/24) --> Switch Stack --> LAG --> Viprion LTM --> Cisco CRS --> WWW I have Viprion 4800 and for now i just wanna allow traffic to go outside, here are my questions : 1. I've added virtual-server with 0.0.0.0/0.0.0.0 as Forwarding (IP) to allow the LAN to have connectivity. but unless i open virtual server back inside (100.100.100.0/255.255.255.0) i have no connectivity. Isn't it statefull ? 2. After i open the rule I talked about in (1). i have this message when i try simple resolving from server behind the F5. [ip@qa-env ~]$ host google.com 8.8.4.4 ;; reply from unexpected source: 8.8.4.425965, expected 8.8.4.453 tcpdump show this 22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27) 22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27) 22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43) 22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43 So the packets goes all good until the return packet back to the F5 and then he alter the port! What am i missing ? *remember, i have public ip on the server. i just changed it to 100.100.100.40 for the example. my Virtuals ltm virtual MNG_ALLOW_ALL_OUT { description "Management Rule - Allow All Traffic Outside" destination 0.0.0.0:any ip-forward mask any profiles { fastL4 { } } translate-address disabled translate-port disabled vlans { DNS_LAN LDAP_LAN RADIUS_LAN } vlans-enabled } ltm virtual MNG_QA_ENV_IN { description "Management Rule - Allow Radius traffic in" destination 100.100.100.0:any ip-forward mask 255.255.255.0 profiles { fastL4 { } } translate-address disabled translate-port disabled vlans { CRS1.WAN CRS2.WAN } vlans-enabled }

OK, I think you should enable the external VLANs on the first Virtual Server and apply a packet filter or iRule to restrict inbound traffic to the 100.x addresses, and the necessary source ports, remove the 100.x Virtual Server. If you don't like the sound of that I'd suggest you create a Virtual Server for each outbound service instead and again, enable on the external VLANs. Make sure in the FastL4 profile you use that Loose Initiation and Loose Close are disabled. Currently, the second more specific VS is handling the return traffic rather than the first VS the outbound connections pass through and this is the cause of your issue.

Thanks for the answer, gonna give it a try. To be honest i'm very unsetisfied with the F5 Firewall handling. since it a "MUST" i guess F5 could have implemented this way better. Where can i find best cases how to handle un-LB traffic. should i open 0.0.0.0/0 and use traffic filter ? any good article about this ? Thanks again.

F5's firewall approach is a bit different as it's based on LTM, it's also pushed as an enterprise (read: internal) firewall rather than an Internet facing one. The latest guide I know of is here: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-datacenter-firewall-config-11-1-0/7.html. The general approach is to configure specific Virtual Servers for each service you wish to allow and if you take that approach and keep it in mind, you'll be just fine.

Agreed. My issue is with management to the REAL's behind the VIP. Also, for services behind the F5 that wont LB.

Hi, I tried allowing this virtual on the WAN too. no help, still same. (no traffic filtering applied). Also, the fastL4 looks as you asked for. Any other idea ? ltm virtual MNG_ALLOW_ALL_OUT { destination 0.0.0.0:any ip-forward mask any profiles { fastL4-Clear { } } translate-address disabled translate-port disabled vlans-disabled ltm profile fastl4 fastL4-Clear { app-service none defaults-from fastL4 idle-timeout 300 ip-tos-to-client pass-through ip-tos-to-server pass-through keep-alive-interval disabled link-qos-to-client pass-through link-qos-to-server pass-through loose-close disabled loose-initialization disabled mss-override 0 pva-acceleration partial pva-offload-state syn reassemble-fragments disabled reset-on-timeout disabled rtt-from-client disabled rtt-from-server disabled software-syn-cookie disabled tcp-close-timeout 5 tcp-generate-isn disabled tcp-handshake-timeout 5 tcp-strip-sack disabled tcp-timestamp-mode preserve tcp-wscale-mode preserve $ host google.com 8.8.4.4 ;; reply from unexpected source: 8.8.4.464949, expected 8.8.4.453 ;; reply from unexpected source: 8.8.4.464949, expected 8.8.4.453

Forum Discussion

Chura_16140

Nimbostratus

Nov 15, 2012

DNS Query - reply from unexpected source

Hi Guys,

I'm new to F5, and something annoy me i can't find why it happen.

My topology:

Network (Public IP - Pretend its 100.100.100.0/24) --> Switch Stack --> LAG --> Viprion LTM --> Cisco CRS --> WWW

I have Viprion 4800 and for now i just wanna allow traffic to go outside, here are my questions :

1. I've added virtual-server with 0.0.0.0/0.0.0.0 as Forwarding (IP) to allow the LAN to have connectivity.

but unless i open virtual server back inside (100.100.100.0/255.255.255.0) i have no connectivity. Isn't it statefull ?

2. After i open the rule I talked about in (1). i have this message when i try simple resolving from server behind the F5.

[ip@qa-env ~]$ host google.com 8.8.4.4

;; reply from unexpected source: 8.8.4.425965, expected 8.8.4.453

tcpdump show this

22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)

22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)

22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)

22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43

So the packets goes all good until the return packet back to the F5 and then he alter the port!

What am i missing ?

*remember, i have public ip on the server. i just changed it to 100.100.100.40 for the example.

my Virtuals

ltm virtual MNG_ALLOW_ALL_OUT {

description "Management Rule - Allow All Traffic Outside"

destination 0.0.0.0:any

ip-forward

mask any

profiles {

fastL4 { }

}

translate-address disabled

translate-port disabled

vlans {

DNS_LAN

LDAP_LAN

RADIUS_LAN

}

vlans-enabled

}

ltm virtual MNG_QA_ENV_IN {

description "Management Rule - Allow Radius traffic in"

destination 100.100.100.0:any

ip-forward

mask 255.255.255.0

profiles {

fastL4 { }

}

translate-address disabled

translate-port disabled

vlans {

CRS1.WAN

CRS2.WAN

}

vlans-enabled

}

basic

getting started

new to f5

Chura_16140
Nimbostratus
Nov 16, 2012
LOL, Thanks for that :)

Actually i did -i any, and what i saw before the OUT/IN i dont now.

I dont know what to do, i feel stupid :)

1. I wonder, is there more elegant solution for REAL's management ?

2. One more question, i've tried to implement traffic filter. but isnt it statefull ?

I opened NET -> ANY allow and Deny ANY -> NET. and i get filtered.

EDIT:

OK that's getting strange!

If i try many times, something it work... Can i do somekind of virtual debug or i dunno...

$ host godaddy.com 8.8.4.4

Using domain server:

Name: 8.8.4.4

Address: 8.8.4.453

Aliases:

godaddy.com has address 208.109.4.201

;; reply from unexpected source: 8.8.4.462781, expected 8.8.4.453

;; reply from unexpected source: 8.8.4.462781, expected 8.8.4.453

;; connection timed out; no servers could be reached
What_Lies_Bene1
Cirrostratus
Nov 16, 2012
Now that's one of those fundamental basic questions that seem to throw me every now and then. Ignoring the Packet Filter for a moment I'm thinking yes, you're right and actually, the Virtual Server doesn't have to be on the external VLAN, it only needs to be on the VLANs the initiating host can communicate through.

Can you try and remove the Virtual Server from the external VLANs, do a test and do a tcpdump (all VLANs) and see what happens? That's where we should have started I'd say!
Chura_16140
Nimbostratus
Nov 16, 2012
That what i initially did :)

Gonna do that again mate.

P.S i must have the virtual to my lan (100.100.100.0/24) otherwise i can't SSH to the server.
What_Lies_Bene1
Cirrostratus
Nov 16, 2012
I know, sorry, should have done the tcpdump first!

Can you not configure management via another NIC on the server and a network that doesn't pass through the F5?
Chura_16140
Nimbostratus
Nov 16, 2012
Well I need to check, I need my system team to make this.

meanwhile. same error:

]$ host ine.com 8.8.4.4

;; reply from unexpected source: 8.8.4.446021, expected 8.8.4.453

;; reply from unexpected source: 8.8.4.446021, expected 8.8.4.453

tcpdump -nnvvvS -i any host 8.8.4.4

tcpdump: listening on any, link-type EN10MB (Ethernet), capture size 96 bytes

17:08:20.276695 IP (tos 0x0, ttl 64, id 46310, offset 0, flags [none], proto: UDP (17), length: 53) 100.100.100.40.53409 > 8.8.4.4.53: [udp sum ok] 27525+ A? ine.com. (25)

17:08:20.276718 IP (tos 0x0, ttl 63, id 46310, offset 0, flags [none], proto: UDP (17), length: 53) 100.100.100.40.53409 > 8.8.4.4.53: [udp sum ok] 27525+ A? ine.com. (25)

17:08:20.378062 IP (tos 0x80, ttl 49, id 54799, offset 0, flags [none], proto: UDP (17), length: 69) 8.8.4.4.53 > 100.100.100.40.53409: [udp sum ok] 27525 q: A? ine.com. 1/0/0 ine.com. A 75.140.41.225 (41)

17:08:20.378091 IP (tos 0x80, ttl 48, id 54799, offset 0, flags [none], proto: UDP (17), length: 69) 8.8.4.4.46021 > 100.100.100.40.53409: [udp sum ok] UDP, length 41

Again, Same behaviour :(

I dont get it, i'm the only one who try this ? LOL

(cfg-sync Standalone)(/S1-green-P:Active)(/Common)(tmos.ltm.virtual) list MNG_ALLOW_ALL_OUT

ltm virtual MNG_ALLOW_ALL_OUT {

destination 0.0.0.0:any

ip-forward

mask any

profiles {

fastL4 { }

}

translate-address disabled

translate-port disabled

vlans {

RADIUS_LAN

}

vlans-enabled

}

(cfg-sync Standalone)(/S1-green-P:Active)(/Common)(tmos.ltm.virtual) list MNG_RADIUS_IN

ltm virtual MNG_RADIUS_IN {

destination 100.100.100.0:any

ip-forward

mask 255.255.255.0

profiles {

fastL4 { }

}

translate-address disabled

translate-port disabled

vlans {

CRS1.WAN

CRS2.WAN

}

vlans-enabled

}
What_Lies_Bene1
Cirrostratus
Nov 16, 2012
I thought we'd got rid of the second Virtual Server? It shouldn't be required and I wanted to test without it there, can you at least disable it?
Chura_16140
Nimbostratus
Nov 16, 2012
if i'll disable it i can't make the test. i don't have access.

I tried to access from the F5 itself but i can't for some reason.

I've did some tries, and in one test i got reply, and second later the error.

As you can see, first request is OK (reply back from src port 53)

$ host google.com 8.8.4.4

Using domain server:

Name: 8.8.4.4

Address: 8.8.4.453

Aliases:

google.com has address 74.125.132.138

google.com has address 74.125.132.113

google.com has address 74.125.132.101

google.com has address 74.125.132.100

google.com has address 74.125.132.102

google.com has address 74.125.132.139

;; reply from unexpected source: 8.8.4.42485, expected 8.8.4.453

17:28:56.195424 IP 100.100.100.40.50830 > 8.8.4.4.53: 51931+ A? google.com. (28)

17:28:56.195461 IP 100.100.100.40.50830 > 8.8.4.4.53: 51931+ A? google.com. (28)

17:28:56.195483 IP 100.100.100.50830 > 8.8.4.4.53: 51931+ A? google.com. (28)

17:28:56.282383 IP 8.8.4.4.53 > 100.100.100.40.50830: 51931 6/0/0 A 74.125.132.138,[|domain]

17:28:56.282404 IP 8.8.4.4.53 > 100.100.100.40.50830: 51931 6/0/0 A 74.125.132.138,[|domain]

17:28:56.282407 IP 8.8.4.4.53 > 100.100.100.40.50830: 51931 6/0/0 A 74.125.132.138,[|domain]

17:28:56.282819 IP 100.100.100.40.33146 > 8.8.4.4.53: 25971+ AAAA? google.com. (28)

17:28:56.282843 IP 100.100.100.40.33146 > 8.8.4.4.53: 25971+ AAAA? google.com. (28)

17:28:56.282856 IP 100.100.100.40.33146 > 8.8.4.4.53: 25971+ AAAA? google.com. (28)

17:28:56.369244 IP 8.8.4.4.53 > 100.100.100.40.33146: 25971 1/0/0 AAAA[|domain]

17:28:56.369277 IP 8.8.4.4.2485 > 100.100.100.40.33146: UDP, length 56
What_Lies_Bene1
Cirrostratus
Nov 16, 2012
Can you create a specific Virtual Server so you can maintain your management connection (specific IP but wilcard port should do it)?

Sorry I'm not clear if the second test is with the second virtual server still in place?
Chura_16140
Nimbostratus
Nov 16, 2012
Yeah, All test with the second virtual since its my management inside.

I've changed it to port TCP/22 only now. but its not any better. now i dont get any answer.

tcpdump -nnS -i any host 8.8.4.4

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type EN10MB (Ethernet), capture size 96 bytes

17:51:43.584990 IP 100.100.100.40.54081 > 8.8.4.4.53: 47009+ A? google.com. (28)

17:51:43.585014 IP 100.100.100.40.54081 > 8.8.4.4.53: 47009+ A? google.com. (28)

17:51:43.585028 IP 100.100.100.40.54081 > 8.8.4.4.53: 47009+ A? google.com. (28)

17:51:43.672222 IP 8.8.4.4.53 > 100.100.100.40.54081: 47009 6/0/0 A 74.125.132.113,[|domain]

17:51:48.586382 IP 100.100.100.40.54081 > 8.8.4.4.53: 47009+ A? google.com. (28)

17:51:48.586388 IP 100.100.100.40.54081 > 8.8.4.4.53: 47009+ A? google.com. (28)

17:51:48.586392 IP 100.100.100.40.54081 > 8.8.4.4.53: 47009+ A? google.com. (28)

17:51:48.680348 IP 8.8.4.4.53 > 100.100.100.40.54081: 47009 6/0/0 A 74.125.132.113,[|domain]

]$ host google.com 8.8.4.4

;; connection timed out; no servers could be reached

ltm virtual MNG_RADIUS_IN {

destination 100.100.100.0:ssh

ip-forward

ip-protocol tcp

mask 255.255.255.0

profiles {

fastL4 { }

}

translate-address disabled

translate-port disabled

vlans {

CRS1.WAN

CRS2.WAN

}

vlans-enabled

}
Chura_16140
Nimbostratus
Nov 16, 2012
God dammit !

i explorted the tcpdump to wireshark.

and i did some testing and i noticed that when the packet exit one feed (CRS1) and return the other on (CRS2) i have this problem

i took one of the legs down > and its good.

I suspected in this first place, that why i enabled "mirror connection" on the virtuals and it didn't work.

So maybe i need some kind of persistence, but no such configuration on the Forwarding(IP).