Forum Discussion
forwarding IP VS: TCP resets
Hello. This is a second thread on an unresolved issue. I hope this case justifies a new thread due to the change of focus on the issue, from when it was originally asked to where it stands now. If not accepted, I'll respect that.
This is about a forwarding IP VS. It normally works well, with the following exception:
When host(s) in a bridged network (external L3, bridged by the F5) initiate a TCP connection to the target forwarding IP VS, the reply comes from a random TCP port (not the port originally addressed), followed by a TCP reset initiated by the host(s) themselves.
A workaround suggested by good people from this community showed that when the forwarding VS is narrowed from a range to a single address (netmask 32), the issue is resolved and no TCP resets are initiated by the hosts anymore. However, this workaround is no good as a solution, because it may result in hundreds of VSs, one upon any new host in the network. Also, having "Source Port: Preserve Strict" and "VLAN-keyed connections" already selected did not help (thank you gersbah).
This issue is a major problem for us; would love to hear thoughts. Thanks!
- Stanislas_Piro2
Cumulonimbus
Hi,
before answering, I have a question:
Do you really require bridge mode? When I read your question, I understood that the hosts are in one VLAN, the FWSM is in another VLAN, and you configured a VLAN group with these two VLANs.
With this kind of configuration, I would have created a new network instead of trying to configure this weird setup.
In the previous thread, Chris Grant answered that bridge mode is difficult to troubleshoot... and it is true: you are wasting your time configuring something you can do differently!
Now, let's try to solve the issue anyway.
Your problem may be a loop between the Active / Standby members if the VLAN group is not well configured. Try disabling one of the two network interfaces on the standby member...
As I remember from when I did this 10 years ago:
- You may create a Forwarding (Layer 2) VS instead of a Forwarding IP VS.
- The VLAN group must have the "Bridge In Standby" option unchecked if Transparency Mode is Opaque.
- The VLAN group should have the "Bridge In Standby" option checked if Transparency Mode is Transparent or Translucent.
- Yonatan_Talmor
Nimbostratus
Stanislas Piron: your answer solved my case. Thank you! The routing approach did the trick, no more TCP resets. I still think that the bridging approach does make sense, and is even less complicated to set up. But routing worked for me with the exact setup you explained, given that there's a default route with the FWSM as the GW.
Hi,
You can use BIG-IP as a router without SNAT.
- Create 2 VLANs: Host_VLAN and FW_VLAN.
- Create 2 Self IPs: 10.1.1.2/24 in Host_VLAN and 10.1.2.2/24 in FW_VLAN.
- Create 2 floating IPs for routing: 10.1.1.1/24 in Host_VLAN and 10.1.2.1/24 in FW_VLAN.
- Configure the FW to route Host_VLAN through the BIG-IP: 10.1.1.0/24 GW 10.1.2.1.
- Configure the hosts to route all traffic through the BIG-IP: 0.0.0.0/0 GW 10.1.1.1.
- Configure one Forwarding IP VS for the hosts: destination 0.0.0.0/0, VLAN Host_VLAN, protocol: * All protocols.
- Configure one Forwarding IP VS for the FW: destination 10.1.1.0/24, VLAN FW_VLAN, protocol: * All protocols.
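The routed (no-SNAT) design from the answer above, written out as tmsh commands. This is an added illustration, not configuration posted in the thread: the interface numbers (1.1, 1.2), object names, the FWSM address 10.1.2.254 used for the BIG-IP default route, and the "allow-service none" port lockdown on the self IPs are assumptions, and the static routes on the FWSM and on the hosts are configured on those devices, not here.

```tmsh
# Added example (not from the thread). Assumed: interfaces 1.1/1.2, object names,
# FWSM at 10.1.2.254, and port lockdown "none" on every self IP (forwarding
# virtual servers do not depend on self-IP port lockdown, so "none" limits
# what the BIG-IP itself answers on those addresses).

# 1. One VLAN per side
create net vlan Host_VLAN interfaces add { 1.1 { untagged } }
create net vlan FW_VLAN interfaces add { 1.2 { untagged } }

# 2. Non-floating self IPs (the standby unit gets its own, e.g. .3)
create net self Host_self address 10.1.1.2/24 vlan Host_VLAN allow-service none
create net self FW_self address 10.1.2.2/24 vlan FW_VLAN allow-service none

# 3. Floating self IPs: the gateways the hosts and the FWSM point at
create net self Host_float address 10.1.1.1/24 vlan Host_VLAN traffic-group traffic-group-1 allow-service none
create net self FW_float address 10.1.2.1/24 vlan FW_VLAN traffic-group traffic-group-1 allow-service none

# 4. Default route towards the FWSM (address assumed), as the thread notes is required
create net route default_via_fw network default gw 10.1.2.254

# 5. Forwarding IP virtual servers, each bound only to the VLAN it should accept traffic on.
#    Host side: everything the hosts send is routed through the BIG-IP to the FWSM.
create ltm virtual fwd_hosts_out destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { fastL4 } vlans add { Host_VLAN } vlans-enabled translate-address disabled translate-port disabled

#    FW side: only traffic destined for the host network is accepted from the FW VLAN.
create ltm virtual fwd_fw_in destination 10.1.1.0:any mask 255.255.255.0 ip-forward ip-protocol any profiles add { fastL4 } vlans add { FW_VLAN } vlans-enabled translate-address disabled translate-port disabled

save sys config
```

Check the result with "list ltm virtual fwd_hos_out" / "show sys connection" after a host connects: with this design the reply comes back on the port the host addressed and no resets appear, which is the symptom the bridged setup produced.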
- Stanislas_Piro2
Cumulonimbus
I'm glad my solution solved your problem.
About bridge mode: it seems simpler to set up, but with F5, like all other solutions, it's a nightmare to manage!
PS: if my solution solved the issue, mark it as the solution instead of yours :-)
- Yonatan_Talmor
Nimbostratus
It was my intention to mark yours, but it was given as a comment, while the topic answer was not indicative of the solution. That's why I copied your response into a new answer, which I marked. But now I'll change it.