Forum Discussion
Link Load Balancing with LTM + DNS
Hi,
Migrating Radware LinkProof to F5 BIGIP (LTM+DNS) for the outbound and Inbound load balancing.
- One of the ISP Link Public NATing is done on the Firewall. We need to configure No NAT for both outbound and inbound load balancing.
- Successfully configured the outbound load balancing. The inbound RDP connection from the external client to the RDP server is not working.
Below is the log from the packet capture:
tcpdump -vvv -nni 0.0 host 223.228.180.23
tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:38:34.941681 IP (tos 0x68, ttl 118, id 16746, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct), seq 3437007770, win 8192, options [mss 1300,nop,wscale 2,nop,nop,sackOK], length 0 in slot1/tmm2 lis=
13:38:34.941691 IP (tos 0x68, ttl 118, id 16746, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct), seq 3437007770, win 8192, options [mss 1300,nop,wscale 2,nop,nop,sackOK], length 0 out slot1/tmm2 lis=
13:38:34.942199 IP (tos 0x0, ttl 128, id 14983, offset 0, flags [DF], proto TCP (6), length 48) 14.143.140.54.3389 > 223.228.180.23.47419: Flags [S.], cksum 0xdf31 (correct), seq 4236588370, ack 3437007771, win 8192, options [nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm2 lis=
13:38:34.942216 IP (tos 0x0, ttl 255, id 19729, offset 0, flags [DF], proto TCP (6), length 40) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [R.], cksum 0x2edc (incorrect -> 0x2845), seq 1, ack 1, win 0, length 0 out slot1/tmm2 lis=
13:38:37.852655 IP (tos 0x68, ttl 118, id 16749, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct), seq 3437007770, win 8192, options [mss 1300,nop,wscale 2,nop,nop,sackOK], length 0 in slot1/tmm2 lis=
13:38:37.852665 IP (tos 0x68, ttl 118, id 16749, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct), seq 3437007770, win 8192, options [mss 1300,nop,wscale 2,nop,nop,sackOK], length 0 out slot1/tmm2 lis=
13:38:37.853107 IP (tos 0x0, ttl 128, id 14984, offset 0, flags [DF], proto TCP (6), length 48) 14.143.140.54.3389 > 223.228.180.23.47419: Flags [S.], cksum 0x1390 (correct), seq 4237623524, ack 3437007771, win 8192, options [nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm2 lis=
13:38:37.853128 IP (tos 0x0, ttl 255, id 19741, offset 0, flags [DF], proto TCP (6), length 40) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [R.], cksum 0x2edc (incorrect -> 0x5ca3), seq 1, ack 1, win 0, length 0 out slot1/tmm2 lis=
Need to achieve the No NAT function for one of the ISP and NAT for the other ISP links.
- Sunil_S_Nair_29
Historic F5 Account
13:38:34.941681 IP (tos 0x68, ttl 118, id 16746, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct), seq 3437007770, win 8192, options [mss 1300,nop,wscale 2,nop,nop,sackOK], length 0 in slot1/tmm2 lis=
13:38:34.941691 IP (tos 0x68, ttl 118, id 16746, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct), seq 3437007770, win 8192, options [mss 1300,nop,wscale 2,nop,nop,sackOK], length 0 out slot1/tmm2 lis=
13:38:34.942199 IP (tos 0x0, ttl 128, id 14983, offset 0, flags [DF], proto TCP (6), length 48) 14.143.140.54.3389 > 223.228.180.23.47419: Flags [S.], cksum 0xdf31 (correct), seq 4236588370, ack 3437007771, win 8192, options [nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm2 lis=
13:38:34.942216 IP (tos 0x0, ttl 255, id 19729, offset 0, flags [DF], proto TCP (6), length 40) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [R.], cksum 0x2edc (incorrect -> 0x2845), seq 1, ack 1, win 0, length 0 out slot1/tmm2 lis=
- Sunil_S_Nair_29
Historic F5 Account
Similarly, we did a packet capture at the external client; the connection is not getting established and it keeps attempting to retransmit again and again.
- KevinA_246454
Cirrostratus
Hi Sunil,
It seems the F5 VIP, which I would assume is 14.143.140.54, is responding to the SYN message from the client, as you can see below; then your external client is sending a connection reset. You say that on the external client packet capture you just see the SYN message going out. If you don't see the SYN-ACK from the VIP or from this IP 14.143.140.54, then it is most likely a routing issue or an upstream firewall blocking the connection.
CLIENT SYN capture size 65535 bytes 13:38:34.941681 IP (tos 0x68, ttl 118, id 16746, offset 0, flags [DF], proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], cksum 0xfa04 (correct)
SERVER ACK 13:38:34.942199 IP (tos 0x0, ttl 128, id 14983, offset 0, flags [DF], proto TCP (6), length 48) 14.143.140.54.3389 > 223.228.180.23.47419: Flags [S.]
RESET FROM CLIENT
cksum 0x1390 (correct), seq 4237623524, ack 3437007771, win 8192, options [nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm2 lis= 13:38:37.853128 IP (tos 0x0, ttl 255, id 19741, offset 0, flags [DF], proto TCP (6), length 40) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [R.], cksum 0x2edc (incorrect -> 0x5ca3), seq 1, ack 1, win 0, length 0 out slot1/tmm2 lis=
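A TTL comparison over the capture lines posted in this thread, as an added example that is not part of any poster's reply: it flags packets whose TTL departs from the first TTL seen for the same source address, a standard check when deciding whether a reset came from the endpoint or from a device in the path. The regex, the function names and the 5-hop tolerance are assumptions; the sample lines are the thread's first four packets, trimmed to the fields the check reads.

```python
import re

# First four packets of the capture posted in the thread, trimmed to the
# fields this check needs (timestamp, ttl, endpoints, flags, tmm direction).
CAPTURE = """\
13:38:34.941681 IP (tos 0x68, ttl 118, id 16746, proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], length 0 in slot1/tmm2 lis=
13:38:34.941691 IP (tos 0x68, ttl 118, id 16746, proto TCP (6), length 52) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [S], length 0 out slot1/tmm2 lis=
13:38:34.942199 IP (tos 0x0, ttl 128, id 14983, proto TCP (6), length 48) 14.143.140.54.3389 > 223.228.180.23.47419: Flags [S.], length 0 in slot1/tmm2 lis=
13:38:34.942216 IP (tos 0x0, ttl 255, id 19729, proto TCP (6), length 40) 223.228.180.23.47419 > 14.143.140.54.3389: Flags [R.], length 0 out slot1/tmm2 lis=
"""

# Assumed pattern for the BIG-IP "tcpdump -vvv -nni 0.0" line layout shown above.
PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
    r".*? (?P<dir>in|out) slot\d+/tmm\d+"
)

def parse(capture):
    """Yield one dict per line that matches the packet layout; skip the rest."""
    for line in capture.splitlines():
        m = PKT.match(line)
        if m:
            pkt = m.groupdict()
            pkt["ttl"] = int(pkt["ttl"])
            yield pkt

def ttl_mismatches(packets, tolerance=5):
    """Flag packets whose TTL differs from the first TTL seen for that source.

    Packets from one host over a stable path arrive with a near-constant TTL,
    so a large jump suggests a different device emitted that packet.
    """
    baseline, findings = {}, []
    for p in packets:
        first = baseline.setdefault(p["src"], p["ttl"])
        if abs(p["ttl"] - first) > tolerance:
            findings.append((p["ts"], p["src"], p["flags"], p["dir"], first, p["ttl"]))
    return findings

if __name__ == "__main__":
    for f in ttl_mismatches(parse(CAPTURE)):
        print("%s src=%s flags=[%s] dir=%s ttl %d -> %d" % f)
```

The `in`/`out` field is kept in each finding so the direction relative to the TMM can be read next to the TTL change.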
- Sunil_S_Nair_29
Historic F5 Account
Hi Kevin,
Since the NATing is done on the firewall with the same public IP address 14.143.140.54, I'm not able to create the VIP on the F5 device.
Tried adding the VIP by disabling the ARP, but still we are getting the IP conflict.
Do we have an alternative way to achieve this setup?
- KevinA_246454
Cirrostratus
Thanks for the diagram; let's take a step back now.
Client IP X.X.X.X, destination 14.143.140.54.3389. Question: is the destination IP 14.143.140.54 a NAT IP configured on the firewall that NATs the inbound connection to 14.143.140.54 to the server 192.168.10.10/24?
By the looks of your diagram, the default gateway is the F5. Question: if this is the case, does the F5 have a forward IP virtual server configuration to allow the firewall outbound connection to the routers?
- Sunil_S_Nair_29
Historic F5 Account
Question 1: The firewall's default gateway is the F5.
Question 2: For the outbound traffic we have the default VIP 0.0.0.0/0.
Testing ICMP is working from the external client. But when we try the RDP connection, we get the connection reset from the external client.