NAT not working after software update
Hi again,
as the upgrade was not successful the last time, we started another try this night.
It looks much better, but ping still does not seem to be forwarded correctly through the BIGIP.
We identified the following strange behavior.
When we ping from an outside device to an internal server, we see the icmp request packets via tcpdump, but no icmp replies.
But when we try the ping the other way round we see the following in tcpdump:
[logaric@lbz01:Active:In Sync] ~ # tcpdump -ni 0.0 host xxx.189.16.92 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:59:13.542536 IP xxx.189.16.92 > xxx.189.5.152: ICMP echo request, id 25352, seq 20, length 64 out slot1/tmm0 lis=/zone3/nat_192.168.34.92_xxx.189.16.92,SRC_NAT
01:59:13.542736 IP xxx.189.5.152 > xxx.189.16.92: ICMP echo reply, id 25352, seq 20, length 64 in slot1/tmm0 lis=
01:59:14.550496 IP xxx.189.16.92 > xxx.189.5.152: ICMP echo request, id 25352, seq 21, length 64 out slot1/tmm0 lis=/zone3/nat_192.168.34.92_xxx.189.16.92,SRC_NAT
01:59:14.551599 IP xxx.189.5.152 > xxx.189.16.92: ICMP echo reply, id 25352, seq 21, length 64 in slot1/tmm0 lis=
01:59:15.558573 IP xxx.189.16.92 > xxx.189.5.152: ICMP echo request, id 25352, seq 22, length 64 out slot1/tmm0 lis=/zone3/nat_192.168.34.92_xxx.189.16.92,SRC_NAT
01:59:15.558908 IP xxx.189.5.152 > xxx.189.16.92: ICMP echo reply, id 25352, seq 22, length 64 in slot1/tmm0 lis=
It looks successful, but the icmp reply never reaches the originating server. So for both use cases it looks like traffic gets lost between the BIGIP and the internal server.
Just for interest, is it normal that the nat-listener is mentioned for the icmp-request, but is empty for the icmp-reply? Is this maybe indicating that the packets will be sent out the wrong interface/context?
Do you have any further ideas based on these new findings? Or any other settings or troubleshooting steps we should try or verify?
Thank you!
Ciao Stefan :)
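Added example (not part of the original post and not F5 code): a small Python parser for tcpdump lines in the format shown in the post. It groups ICMP echoes by id and seq and reports which legs (request/reply, in/out) the capture contains and which lines carry an empty `lis=` field. The sample lines, addresses and listener name are constructed placeholders.

```python
import re
from collections import defaultdict

# One ICMP echo line as printed by tcpdump on a BIG-IP (layout taken from the post).
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<icmp_id>\d+), seq (?P<seq>\d+), length \d+ "
    r"(?P<dir>in|out) (?P<tmm>\S+) lis=(?P<lis>\S*)$"
)

# Constructed sample: placeholder addresses and listener name, same layout as the post.
SAMPLE = """\
01:59:13.542536 IP 203.0.113.92 > 203.0.113.152: ICMP echo request, id 25352, seq 20, length 64 out slot1/tmm0 lis=/zone3/nat_example,SRC_NAT
01:59:13.542736 IP 203.0.113.152 > 203.0.113.92: ICMP echo reply, id 25352, seq 20, length 64 in slot1/tmm0 lis=
01:59:14.550496 IP 203.0.113.92 > 203.0.113.152: ICMP echo request, id 25352, seq 21, length 64 out slot1/tmm0 lis=/zone3/nat_example,SRC_NAT
"""

def parse(text):
    """Return one dict per ICMP echo line; lines in any other format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["icmp_id"], rec["seq"] = int(rec["icmp_id"]), int(rec["seq"])
            records.append(rec)
    return records

def summarize(records):
    """Group sightings by (ICMP id, seq) and report which legs the capture holds."""
    seen = defaultdict(list)
    for rec in records:
        seen[(rec["icmp_id"], rec["seq"])].append(rec)
    rows = []
    for (icmp_id, seq), recs in sorted(seen.items()):
        legs = {(r["kind"], r["dir"]) for r in recs}
        rows.append({
            "id": icmp_id,
            "seq": seq,
            "legs": sorted(legs),
            "reply_seen": any(kind == "reply" for kind, _ in legs),
            # Reply entered the BIG-IP but no egress copy is in this capture.
            "reply_in_without_out": ("reply", "in") in legs and ("reply", "out") not in legs,
            "empty_listener": [f"{r['kind']}/{r['dir']}" for r in recs if not r["lis"]],
        })
    return rows

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE)):
        print(row)
```

A capture filtered with `host` on the translated address cannot match the untranslated leg of a NAT, so a missing egress copy in the output may reflect the filter rather than a drop.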
- Aug 21, 2019
What about this setting? I think it defaults to TCP & UDP only.