F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Harish_Babu's avatar
Harish_Babu
Icon for Nimbostratus rankNimbostratus
Dec 08, 2023

F5 AFM Source / Destination NAT

Hello Team   We are having F5 DNS+AFM, the DNS configured as a transparent cache with DoS and access rules in place, diagram provided for better understanding of the setup.     We want to ...
security
Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Dec 08, 2023

Hi Harish_Babu , 

While the transulation hasn't happened for TCP and the Bigip AFM ACL Allow this for TCP .... let we suspect the issue in the forwarding Virtual server >> it works for ( ICMP and UDP ) but TCP not.

maybe this is an issue because all tcp traffic distributed accross all tmms from single IP which is not the proper thing for TCP ( connection-oriented ) so we need to make tcp sessions to be handled accross single tmm per user. 

So open Vlan ( Src Vlan /Common/INTERNAL_VLAN ) >>> switch ( Configuration to advanced instead od basic ) >>> change CMP-Hash ( from default to source address ) if not worked change it to ( source and destination and port ). 

If not worked. 
Take a packet capture for sample ip using this command : 

 

tcpdump -vvnni 0.0:nnnp host <src_IP> -s0 -vw /var/tmp/Test_tcp.pcap

 

 and let me have a look. 

Another approach: 

Can you run this test of udp and tcp on packet tester on gui as well >>> I need you to detect the policy and rule name which allowed this connection. 

you are using only one policy in global context with " allow decisively " action , is that correct ?