Forum Discussion
F5 LTM Sending ACK to a RST,ACK on its own with only routing+nat configured
Hi, we have seen this strange behavior when troubleshooting a network problem. We have an F5 acting only as router/NAT for a particular flow. The LTM has 2 interfaces, the source is in a subnet and we have a frontend network which we use for NATting (1 to 1); the destination is reachable via L3 routing (the LTM has no interface in the destination VLAN), and we observe that:
- The client can establish the connection.
- The server responds and the data flow seems ok.
- The server closes the connection with RST,ACK.
- On the destination server capture we see an ACK from the frontend network to the server.
- The server responds with RST.
The last 2 packets are not sourced by the client. So our question is: is the LTM generating this ACK, or maybe the FW on the frontend network? We want to understand if the LTM is passive or is acting as a full proxy even if it is only configured for routing and NAT.
Thanks
9 Replies
- You are not using any virtual servers?
- Mattia_59070
Nimbostratus
There are some VS in the frontend network with pool members in the same network as the server, but the server with problems is disabled: the node is disabled, all the pool members and the monitor instances are disabled. We must resolve this problem before it goes into production. The problem is that if the client adds a static route toward the core switch bypassing both LTM and Firewall, the server stops terminating the sessions with RST,ACK and all is ok. PS: we have NOT seen the ACK and RST packets in any F5 capture, only on the destination server capture. So either we can't see the ACK because it is locally generated by the LTM (correct?), but in this case we must at least see the RST sent by the server, or it is not the LTM that sends those packets. Thanks
- BinaryCanary_19
Historic F5 Account
If you are using a Forwarding-IP Virtual server or a FastL4 Virtual server, then the F5 is generally not going to be generating any packets.
You should look at the Source MAC of the incoming packet and trace which device is generating it.
- Mattia_59070
Nimbostratus
Thanks, we use a simple 1 to 1 NAT, not a Forwarding-IP VS; what about this configuration? In our captures we see those packets only on the server, and the source MAC address is the BIA of the last hop router, so in order to view the actual source we must do a SPAN session in the frontend VLAN. Thanks
- BinaryCanary_19
Historic F5 Account
I will actually have to test to be sure if a simple NAT is stateful, my guess would be "partially". It would be stateful in that it will simply discard packets that obviously don't match the flow (for TCP, this would be things like invalid sequence or ack numbers), but even at this, I don't think the LTM will send RST packets on its own. It normally silently drops mismatched packets, or they get handled by some other listener/policy on the box.
- BinaryCanary_19
Historic F5 Account
Not sure what a "SPAN" is, but if you sit at the F5 and run an appropriate capture (filter for target IP only, and capture on all interfaces) and you don't see the packet leaving the F5, then think about the devices that are between the F5 and the target server, and see if any one of them is proxying the connection. One way to detect proxied connections is to establish a connection, capture it at the point of origin, and compare the TCP parameters there with the TCP parameters at the destination. If they are unchanged, then it's likely not proxied.
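The comparison suggested in the last reply can be scripted. The following is an added example, not code from the thread or from F5: it parses the raw TCP header of the same client SYN captured at two points (origin and destination server), extracts the fields a plain router or 1:1 NAT never rewrites at the TCP layer (window, MSS, window scale, SACK, timestamps) and reports whether they changed in transit. The byte strings are constructed for the example; the helper names (`build_tcp_syn`, `parse_tcp_header`, `compare_captures`) are the example's own.

```python
import struct

# --- Tiny TCP header builder, used only to construct sample captures ---
def build_tcp_syn(sport, dport, seq, window, options):
    """Return a raw TCP SYN header (no IP layer) carrying the given option bytes."""
    opts = b"".join(options)
    while len(opts) % 4:          # options must end on a 4-byte boundary
        opts += b"\x00"           # pad with EOL
    data_offset = (20 + len(opts)) // 4
    flags = 0x02                  # SYN
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, flags, window, 0, 0)
    return hdr + opts

def opt_mss(v):        return b"\x02\x04" + struct.pack("!H", v)
def opt_wscale(shift): return b"\x03\x03" + bytes([shift])
def opt_sack_ok():     return b"\x04\x02"
def opt_ts(val, ecr):  return b"\x08\x0a" + struct.pack("!II", val, ecr)
NOP = b"\x01"

# --- Parser for the fields we want to fingerprint ---
def parse_tcp_header(raw):
    """Parse a raw TCP header into ports, seq, flags, window and decoded options."""
    sport, dport, seq, ack, off, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", raw[:20])
    data_offset = (off >> 4) * 4
    opts = {}
    i = 20
    while i < data_offset:
        kind = raw[i]
        if kind == 0:             # EOL: end of option list
            break
        if kind == 1:             # NOP: single-byte padding
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", value)[0]
        elif kind == 3:
            opts["wscale"] = value[0]
        elif kind == 4:
            opts["sack_ok"] = True
        elif kind == 8:
            opts["timestamps"] = True
        else:
            opts["kind%d" % kind] = value.hex()
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "window": window, "options": opts}

# Fields a router or NAT passes through untouched; a full proxy regenerates
# them from its own TCP stack. Ports are excluded because a NAT may rewrite them.
FINGERPRINT_FIELDS = ("window", "options")

def compare_captures(origin_raw, dest_raw):
    """Compare the same SYN seen at origin and destination.
    Returns (verdict, diffs) where diffs maps field -> (origin, destination)."""
    a, b = parse_tcp_header(origin_raw), parse_tcp_header(dest_raw)
    diffs = {f: (a[f], b[f]) for f in FINGERPRINT_FIELDS if a[f] != b[f]}
    # ISN is reported but not decisive: some middleboxes randomise sequence
    # numbers without terminating the connection.
    if a["seq"] != b["seq"]:
        diffs["seq"] = (a["seq"], b["seq"])
    verdict = "likely proxied" if any(f in diffs for f in FINGERPRINT_FIELDS) \
        else "likely not proxied"
    return verdict, diffs

# --- Constructed sample captures (made up for this example) ---
CLIENT_SYN = build_tcp_syn(51000, 443, 0x11223344, 64240,
                           [opt_mss(1460), opt_sack_ok(), opt_ts(1, 0), NOP, opt_wscale(7)])
# Same SYN after a NAT that only rewrote the source port: TCP fingerprint intact.
NAT_SYN = build_tcp_syn(40001, 443, 0x11223344, 64240,
                        [opt_mss(1460), opt_sack_ok(), opt_ts(1, 0), NOP, opt_wscale(7)])
# SYN as re-originated by a different TCP stack in the path (a full proxy).
PROXY_SYN = build_tcp_syn(51000, 443, 0x5a5a5a5a, 4380,
                          [opt_mss(1460), NOP, opt_wscale(0), NOP, NOP, opt_sack_ok()])

if __name__ == "__main__":
    for name, dest in (("nat", NAT_SYN), ("proxy", PROXY_SYN)):
        verdict, diffs = compare_captures(CLIENT_SYN, dest)
        print(name, "->", verdict, diffs)
```

In practice the two inputs would be the SYN bytes pulled from a capture at the client and from the capture on the destination server; on the BIG-IP itself, capturing on all interfaces filtered to the target host (for example `tcpdump -nni 0.0 host <server-ip>`) shows whether the ACK in question ever leaves the box at all.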