Forum Discussion
ucriola_95120
Nimbostratus
Mar 23, 2010
MQ Series
Hi All,
I was wondering if anyone else may have run into this issue. I have configured a server in line with our F5 LTM (i.e., no SNAT, the server's default gateway is the F5) and I'm able to ge...
L4L7_53191
Nimbostratus
Mar 23, 2010
Two things stand out, mostly as a hunch based on a quick scan of the info found here: http://www.capitalware.biz/dl/docs/MQFirewalls.pdf . It sounds like you may have already done some or all of this, but just in case...
1) For your return traffic sourcing from the queue, be sure and create a SNAT address that matches your external facing VS address. So create that in a snat pool, then bind that to your 0.0.0.0 VS. This way your queue consumers will see nothing but the BigIP VS address no matter how the traffic is flowing.
2) You may need to disable port translation, especially on the external facing VIP. If the LTM translates that port either way it could break. I'm thinking that a flow like this is what may be causing your problem (again just a guess after only a few minutes of looking at that slide deck on firewalls and MQ):
src_address:src_port --> Vip_addr:1414 -->(client src_port translation may occur here)-->MQ server
So when MQ "responds", it may be that it's trying to use this tuple: client src_address:translated src_port, in which case it'll break.
Please update this post so we'll all benefit from your work! IMO there's a bunch more of this type of design in our future, so thanks for the post.
-Matt
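The two items Matt lists, written out as a tmsh configuration; this is an added illustration, not configuration from the thread or from F5. It assumes BIG-IP tmsh syntax (v11 or later, rather than the bigpipe CLI current in 2010) and hypothetical addresses: 10.1.1.100 for the external-facing MQ virtual server, 10.2.2.50:1414 for the queue manager, and a server-side VLAN named server_vlan.

```tmsh
# Assumed lab addressing (not from the post):
#   10.1.1.100   external-facing MQ virtual server address
#   10.2.2.50    MQ queue manager, listener on TCP 1414
#   server_vlan  VLAN the queue manager sits on (default gateway = BIG-IP self IP)

# 1) SNAT pool whose only member is the external VS address. Traffic the
#    queue manager initiates outbound is then sourced from 10.1.1.100, so
#    queue consumers only ever see the VS address.
create ltm snatpool mq_snatpool members add { 10.1.1.100 }

# 2) Wildcard IP-forwarding VS for server-initiated (return) traffic with the
#    SNAT pool bound to it. It is enabled only on the server-side VLAN so the
#    wildcard does not forward (and SNAT) arbitrary traffic from other segments.
create ltm virtual mq_outbound_fwd destination 0.0.0.0:any mask any ip-forward vlans-enabled vlans add { server_vlan } source-address-translation { type snat pool mq_snatpool }

# 3) External-facing VS on 1414 with port translation disabled, so the
#    destination port reaches the queue manager unchanged (no 1414 -> other
#    port rewrite on the server side).
create ltm pool mq_pool members add { 10.2.2.50:1414 }
create ltm virtual mq_vs_1414 destination 10.1.1.100:1414 ip-protocol tcp pool mq_pool translate-port disabled

# Check the two settings Matt calls out before testing the channel again.
list ltm virtual mq_vs_1414 translate-port
list ltm virtual mq_outbound_fwd source-address-translation
```

With this in place, `show sys connection ss-server-addr 10.2.2.50` lets you confirm which source address and port the queue manager actually sees for a given client flow.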