For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

longnv's avatar
longnv
Icon for Cirrus rankCirrus
Nov 22, 2022
Solved

F5 Bigip LTM NAT64 config

Hi everybody,

I have a problem with VS using IPv6 and Pool, Node IPv4.

My config :

- VS type is Performance Layer 4;  

- Source Address Translation: none

- Address Translation: enable

- Port Translation: enable

-NAT64: enable

With same Pool member for VS using ipv4 then VS working, but when I connection to VS ipv6 then have error : ERR_CONNECTION_REFUSED

Have any ideal for this problem? Thanks

 

 

application delivery
  • longnv's avatar
    longnv
    Nov 23, 2022

    This problem has resolved. TCP conection from F5 to internal over 64k connection, so a new tcp session is started with the same ports  => tcp connection reset. Need SNAT with other self ip connection to internal.

31 Replies

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Nov 22, 2022

    I think an IPv6 VIP and a pool with IPv4 and Source NAT enabled is enough to make it work.

    • longnv's avatar
      longnv
      Icon for Cirrus rankCirrus
      Nov 22, 2022

      I tried Source Address Translation with 2 option none and auto map, but VS not working. Ping VS is ok but service HTTPS of VS not work

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Nov 22, 2022

    Maybe i did not understand the problem.

    You have an IPv6 VIP  , going to a pool of nodes with IPv4. And it is not working

    But when the VIP has IPv4 , going to the same pool of IPv4 , it is working.

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Nov 22, 2022

    please share the config of the vip,irule if you have and the pool

    • longnv's avatar
      longnv
      Icon for Cirrus rankCirrus
      Nov 22, 2022

      Send to you my VS config below:

      ltm virtual VS_IPV6_p443 {
      destination 2001:df1:1f40::11.https
      ip-protocol tcp
      pool P_PORTAL_443
      profiles {
      fastL4 { }
      }
      source-address-translation {
      type automap
      }
      translate-address enabled
      translate-port enabled
      vs-index 808

       

       

      ltm virtual VS_IPV4_p443 {
      destination 103.57.112.17:https
      ip-protocol tcp
      mask 255.255.255.255
      pool P_PORTAL_443
      profiles {
      tcp { }
      }
      source 0.0.0.0/0
      translate-address enabled
      translate-port enabled
      vs-index 802
      }

       

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Nov 22, 2022

    Did you try to use tcp  profile instead of fastl4  on the IPv6 vip?

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Nov 22, 2022

    I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the vip using IPv6 address?

    Your client needs to have an IPv6.

    can you share the logs and , or have a tcpdump?

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Nov 22, 2022

    you used this command:

    tcpdump -nni VLAN_VNNIC2_CMC_NETNAM_2022 -w /var/tmp/portal-angiang.pcap src host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d

    This shows only one way traffic. from source 2405:4803:fe2a:f320:ddca:770d:da6d:d54d
    That's why we don't see any reply

    You should  use something like this for client side:

    tcpdump -nni 0.0:n -s0 host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d  

    Also it might be interesting to see the server side also. 

    • longnv's avatar
      longnv
      Icon for Cirrus rankCirrus
      Nov 22, 2022

      My client's ip is 2401:d800:5357:50b6:98:f028:b92e:3d44

      20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
      20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
      20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
      20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
      20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
      20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
      20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
      20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
      20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
      20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
      20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
      20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
      20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
      20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443

    • longnv's avatar
      longnv
      Icon for Cirrus rankCirrus
      Nov 22, 2022

      My ipv6 to test is 2401:d800:5357:50b6:98:f028:b92e:3d44

      20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
      20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
      20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
      20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
      20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=

      • mihaic's avatar
        mihaic
        Icon for MVP rankMVP
        Nov 22, 2022

        it seems the F5 sends you back a Reset every time you send a SYN.

        Here is an article with possible reasons why an F5 sens Reset:

        https://support.f5.com/csp/article/K9812

        "You can associate the FastL4 profile with the following virtual types:

        • Performance (Layer 4)
        • Forwarding (Layer 2)
        • Forwarding (IP)
        • Internal"

        So try changing the VIP from standard to performance (Layer4).

         

         

         

         

  • longnv's avatar
    longnv
    Icon for Cirrus rankCirrus
    Nov 22, 2022

    My client ip to test is 2401:d800:5357:50b6:98:f028:b92e:3d44

    20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
    20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
    20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
    20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
    20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
    20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
    20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
    20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
    20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
    20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
    20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
    20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
    20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
    20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443