Forum Discussion
Multiple wildcard listeners on different interfaces
Hello,
Is it allowed to have two (or more) ip-forward virtual servers listening on any source, any dst and any port - but bound to different VLANs?
The reason I ask is because in a tcpdump I sometimes see traffic like this (and I may interpret this the wrong way):
```
root@(bigip01)(cfg-sync In Sync)(Eval:Active)(/Common)(tmos) tcpdump -nni 0.0 'src 10.3.120.5 and dst 10.2.120.31 and tcp port 135'
14:01:13.783574 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 in slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:13.783594 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 out slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:23.625743 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 in slot1/tmm2 lis=/partition.inside/vs.SERVERS
14:01:23.625754 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 out slot1/tmm2 lis=/partition.inside/vs.SERVERS
```
Two weird things here:
- Traffic seems to be going in and out on the same interface (like the first two rows above)? Or do I interpret this output wrong?
- How come traffic from 10.3/16 matches the vs.SERVERS virtual server (10.3/16 is clients)? All four rows above should be routed the same way; they should match the same VS??
Here is the configuration of the two VS:
```
ltm virtual /partition.inside/vs.SERVERS {
    destination /partition.inside/0.0.0.0%1:any
    fw-enforced-policy /partition.inside/fwpolicy.SERVERS
    ip-forward
    mask any
    partition partition.inside
    profiles {
        fastL4 { }
    }
    source 0.0.0.0%1/0
    translate-address disabled
    translate-port disabled
    vlans {
        VRF-SERVERS.vlan
    }
    vlans-enabled
    vs-index 9
}
ltm virtual /partition.inside/vs.CLIENTS {
    destination /partition.inside/10.2.0.0%1:any
    fw-enforced-policy /partition.inside/fwpolicy.CLIENTS
    ip-forward
    mask 255.255.0.0
    partition partition.inside
    profiles {
        fastL4 { }
    }
    source 0.0.0.0%1/0
    translate-address disabled
    translate-port disabled
    vlans {
        VRF-CLIENTS.vlan
    }
    vlans-enabled
    vs-index 7
}
```
Thanks.
- Leonardo_Souza
Cirrocumulus
Firstly, the first 2 packets belong to one TCP connection and the last 2 to another TCP connection, because the ports are different.
Change your filter to:
```
tcpdump -nni 0.0 'host 10.3.120.5 and host 10.2.120.31 and tcp port 135'
```
You will get all traffic.
So, yes, you can have multiple forward virtual servers. For virtual servers, the enabled VLAN should be the one where the traffic arrives. The return traffic is allowed back. The problem is that in your example, the other packet comes in a new TCP connection, so it is handled by the other virtual server that is enabled in that VLAN.
Also, it is normal to see 2 packets, because of the forward virtual server. The TCP handshake is between the endpoints; one packet is in and one is out.
I guess you just did not capture the return traffic, or the web server is not routing correctly.
See this solution for more information:
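To make the point of the answer checkable, here is an added example (not code from the thread or from F5) that parses BIG-IP tcpdump lines in the format shown above, groups packets into direction-independent TCP flows, and reports which listener handled each flow and which endpoint likely opened it. The sample lines are the four packets from the question embedded as a constructed string; the "initiator" is a heuristic assumption (the side using the higher, ephemeral port).

```python
import re
from collections import defaultdict

# Constructed sample: the four packets from the capture in the question, in the
# BIG-IP tcpdump format (direction, slot/tmm and the matching listener appended).
SAMPLE = """\
14:01:13.783574 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 in slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:13.783594 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 out slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:23.625743 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 in slot1/tmm2 lis=/partition.inside/vs.SERVERS
14:01:23.625754 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 out slot1/tmm2 lis=/partition.inside/vs.SERVERS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r".*\b(?P<dir>in|out) (?P<tmm>slot\d+/tmm\d+) lis=(?P<lis>\S+)$"
)

def parse_capture(text):
    """Parse BIG-IP tcpdump lines; lines in any other format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def flow_key(p):
    """Direction-independent key: both halves of one TCP connection map here."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def group_flows(pkts):
    """Per connection: listeners that handled it, in/out packet counts and the
    likely initiator (heuristic assumption: the endpoint on the higher, ephemeral port)."""
    flows = defaultdict(lambda: {"listeners": set(), "in": 0, "out": 0})
    for p in pkts:
        f = flows[flow_key(p)]
        f["listeners"].add(p["lis"])
        f[p["dir"]] += 1
        ends = [(p["src"], p["sport"]), (p["dst"], p["dport"])]
        f["initiator"] = "%s:%d" % max(ends, key=lambda e: e[1])
    return dict(flows)

if __name__ == "__main__":
    for key, f in group_flows(parse_capture(SAMPLE)).items():
        print(key, f)
```

On the sample, the output shows two flows, each seen in and out once on a single listener, and the second flow opened from the 10.2.120.31 side, which is why it was picked up by vs.SERVERS rather than vs.CLIENTS.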