
Forum Discussion

Costin_123567
Jul 09, 2013

LTM configuration

Hi,

 

This might be a very simple problem, but I cannot find an answer to it. I have an LTM deployment with one external VLAN and 3 internal VLANs.

 

I have several virtual servers configured, but did not have the chance to test them. However, I can test whether it works by configuring an SSH virtual server for a couple of servers behind the F5.

 

The F5 is also configured for inter-VLAN routing (this is tested and works just fine).

 

I configured the SSH virtual server and it only works if I access it from an IP source in the same subnet as the virtual IP. If the connection comes from any other IP source (routed to the F5) it is rejected. In the virtual server configuration the source is specified as 0.0.0.0/0.

 

I cannot figure out what I am missing.

 

Thanks,

 

 

Costin

 

8 Replies

  • "If the connection comes from any other IP source (routed to the F5) it is rejected."
    What version are you running? Is this useful?

     

     

    sol13223: Configuring the BIG-IP system to log TCP RST packets

     

    http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
  • The version is 11.3.0.

     

    I have enabled logging for TCP RST.

     

    Jul 9 13:38:49 bigip1 err tmm[9163]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54000, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm1[9163]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54001, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm2[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54002, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm2[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54002, [0x16b2eb4:1301] TCP 3WHS rejected

     

    Jul 9 13:38:49 bigip1 err tmm3[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54003, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm3[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54003, [0x16b2eb4:1301] TCP 3WHS rejected

     

    but I still cannot see why the F5 rejects connections from other subnets.

     

    Any ideas on how I can troubleshoot this?

     

    Or is there any configuration that I missed on the F5 LTM?

     

     

    Costin

     

  • One more thing.

     

    I have a default route set to the upstream device (connected to the external VLAN) in order to handle traffic for other networks. Could this be an issue for the LTM virtual servers?

     

     

    Costin

     

  • Jul 9 13:38:49 bigip1 err tmm[9163]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54000, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm1[9163]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54001, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm2[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54002, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm2[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54002, [0x16b2eb4:1301] TCP 3WHS rejected

     

    Jul 9 13:38:49 bigip1 err tmm3[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54003, [0x1724c4a:1807] {peer} TCP RST from remote system

     

    Jul 9 13:38:49 bigip1 err tmm3[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54003, [0x16b2eb4:1301] TCP 3WHS rejected

    What are 10.0.17.172 and 10.0.16.3? Is 10.0.17.172 a pool member (server)? Is 10.0.16.3 a self IP or the problem client IP?
  • 10.0.17.172:3060 is the virtual server and 10.0.16.3 is the problem client.

     

     

    If a connection to the virtual server is attempted from a client in the virtual server's subnet it works; if not, like in this case, it does not connect.

     

     

    Thanks
  • Thanks for all the help.

     

    I found a configuration issue on the balanced nodes. The network configuration was bypassing the F5 on the return route.

     

     

    Thanks
  • It seems I also have a similar kind of problem. In my scenario the real server initiates the connection and the LB does SNAT using iRules; while the traffic leaves the LB, the source would be the LB floating IP and the destination remains the same. When the return traffic comes back from the destination to the LB, the LB is supposed to SNAT back to the real server; instead the LB replies back to the destination with "R 1:1(0) ack 1", like the log below:

     

    R 1:1(0) ack 1 win 0 out slot4/tmm0 lis= flowtype=70 flowid=2ADC0584B1C0 peerid=0 conflags=20 inslot=19 inport=34 haunit=1 priority=0 rst_cause="[0x1eab68c:1715] TCP 3WHS rejected"
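As an added example (not from this thread or from F5), a small Python triage helper that parses both BIG-IP RST log formats quoted above (the syslog form produced by the sol13223 TCP RST logging and the tcpdump-style `rst_cause="..."` form) and flags handshake resets from clients outside the VIP's subnet, the pattern that in the original post turned out to be a return path bypassing the F5. The 10.0.17.0/24 VIP subnet and the extra sample lines are constructed assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines, modelled on the two formats quoted in the thread.
SAMPLE_LOGS = """\
Jul 9 13:38:49 bigip1 err tmm[9163]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54000, [0x1724c4a:1807] {peer} TCP RST from remote system
Jul 9 13:38:49 bigip1 err tmm2[9164]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.16.3:54002, [0x16b2eb4:1301] TCP 3WHS rejected
Jul 9 13:38:50 bigip1 err tmm0[9163]: 01230140:3: RST sent from 10.0.17.172:3060 to 10.0.17.25:41000, [0x16b2eb4:1301] TCP 3WHS rejected
R 1:1(0) ack 1 win 0 out slot4/tmm0 lis= flowtype=70 flowid=2ADC0584B1C0 peerid=0 conflags=20 inslot=19 inport=34 haunit=1 priority=0 rst_cause="[0x1eab68c:1715] TCP 3WHS rejected"
"""

# Syslog form: "RST sent from <vip>:<port> to <client>:<port>, [<code>] <reason>"
SYSLOG_RE = re.compile(
    r"RST sent from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"\[(?P<code>0x[0-9a-f]+:\d+)\] (?P<reason>.+)$")
# tcpdump-style form only carries the cause, not the addresses.
RST_CAUSE_RE = re.compile(r'rst_cause="\[(?P<code>0x[0-9a-f]+:\d+)\] (?P<reason>[^"]+)"')

def parse_rst_line(line):
    """Return a dict (src, sport, dst, dport, code, reason) for an RST log line, or None."""
    m = SYSLOG_RE.search(line)
    if m:
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        return d
    m = RST_CAUSE_RE.search(line)
    if m:
        return {"src": None, "sport": None, "dst": None, "dport": None, **m.groupdict()}
    return None

def summarize_rsts(text):
    """Count reset reasons overall and per (virtual server, client, reason).

    In the syslog form the RST is 'sent from' the virtual server to the client,
    so src is the VIP and dst the client; rst_cause lines count under reason only.
    """
    by_reason, by_pair = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_rst_line(line)
        if rec is None:
            continue
        by_reason[rec["reason"].strip()] += 1
        if rec["src"]:
            by_pair[(rec["src"], rec["dst"], rec["reason"].strip())] += 1
    return by_reason, by_pair

def offsubnet_handshake_failures(by_pair, vip_network):
    """Clients outside the VIP's subnet whose 3-way handshakes were reset.

    Same-subnet clients working while routed clients get '3WHS rejected' is the
    symptom from the thread; its cause was a return route that skipped the BIG-IP.
    """
    net = ipaddress.ip_network(vip_network)  # assumed VIP subnet, e.g. 10.0.17.0/24
    flagged = Counter()
    for (vip, client, reason), n in by_pair.items():
        if reason == "TCP 3WHS rejected" and ipaddress.ip_address(client) not in net:
            flagged[client] += n
    return flagged
```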