Forum Discussion
Network access connection rejected by ACL is completing 3-way handshake?
I'm running 13.1.3.4 and creating a network access tunnel with an ACL applied. There's a L4 ACE to Reject traffic to a given IP. When I monitor on my VPN interface (on Windows and Mac) I see a full 3-way handshake succeed to that IP ???, followed by a TCP RST. When I set the ACE to Discard I see the same behavior. Can someone explain how this is a feature?
If I monitor for packets on the BigIP I don't see the packets actually passing through to the blocked IP, so I assume this is a BigIP "feature". Any info is welcome. Thanks,
Mike
2 Replies
- Mike_Ho (Cirrus)
This older question and answer are related.
https://devcentral.f5.com/s/question/0D51T00006j23vc/what-is-the-tmmapmfwdviphttp-virtual-server-
- Mike_Ho (Cirrus)
Cut and paste in case that link breaks in the future:
This vip is created when you provision APM, it's part of 3 that handle Network Access traffic from a "connectivity profile", which is basically a special tunnel type of network interface. It's used as the forwarding virtual server for Network Access to process APM ACLs. The vips can be overridden by setting a higher-specificity (source or dest IP) vip on the connectivity profile vlan.
_tmm_apm_fwd_vip_http: This vip catches the HTTP traffic on port 80 and applies L7 and L4 ACLs.
_tmm_apm_fwd_vip: This vip catches everything besides port 80 and applies L4 ACLs.
The reason these are in there is that when a new network flow ingresses to BIG-IP, it must consult the list of virtual servers to determine how to handle the traffic. If a new flow doesn't match any virtual server listeners, it's dropped.
I'm not sure exactly what information you're looking for, but that's basically what it is.
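The behavior the original poster describes (a full 3-way handshake followed by a TCP RST, with no packets reaching the blocked IP) is what a client sees when a full-proxy listener accepts the TCP connection itself and only then enforces the ACL. The script below is an added example, not code from this thread or from F5: it emulates such a listener locally (accept, then close with SO_LINGER set to zero so the kernel emits RST instead of FIN) and a client-side probe that tells the difference between "handshake completed, then reset", "handshake completed, then clean close", "connection refused" and "silent drop". Function names, the emulated listener and the port selection are my own; nothing here talks to a BIG-IP.

```python
import socket
import struct
import threading

# Constructed emulation (added example, not F5 code): a TCP listener that
# lets the kernel complete the 3-way handshake, then either resets the
# connection (what a full-proxy virtual server enforcing a Reject ACE looks
# like from the client side) or closes it cleanly with a FIN.
def start_listener(mode="reset", host="127.0.0.1"):
    """Start a background listener on an ephemeral port.

    mode="reset": after accept(), close with SO_LINGER=0 so the kernel
                  sends RST instead of FIN (handshake completes, then RST).
    mode="fin":   after accept(), close normally (handshake completes, FIN).
    Returns (server_socket, port); close the server socket to stop it.
    """
    if mode not in ("reset", "fin"):
        raise ValueError("mode must be 'reset' or 'fin'")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)            # so the accept loop notices srv.close()
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue           # nothing arrived yet; keep waiting
            except OSError:
                return             # listener was closed by the caller
            if mode == "reset":
                # l_onoff=1, l_linger=0 aborts the connection: close() emits
                # RST rather than a graceful FIN, exactly like a reject.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=2.0):
    """Classify what a TCP client observes when connecting to host:port.

    Returns one of:
      "refused"              SYN answered with RST, no handshake (closed port)
      "timeout"              SYN unanswered (silent drop / filtered)
      "accepted_then_reset"  handshake completed, then RST (full-proxy reject)
      "accepted_then_closed" handshake completed, then FIN (clean close)
      "accepted_silent"      handshake completed, nothing sent within timeout
      "accepted_data"        handshake completed and bytes received
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        # connect() returning means the kernel finished the 3-way handshake;
        # what the peer does next reveals whether it really accepted us.
        try:
            data = s.recv(1)
        except ConnectionResetError:
            return "accepted_then_reset"
        except socket.timeout:
            return "accepted_silent"
        return "accepted_then_closed" if data == b"" else "accepted_data"
    finally:
        s.close()


def unused_port(host="127.0.0.1"):
    """Pick a port with nothing listening, so probe() should see 'refused'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    for mode in ("reset", "fin"):
        srv, port = start_listener(mode)
        print(f"listener mode={mode:5s} port={port}: {probe('127.0.0.1', port)}")
        srv.close()
    print(f"closed port: {probe('127.0.0.1', unused_port())}")
```

Run from inside a Network Access tunnel against an IP covered by a Reject or Discard ACE, a result of "accepted_then_reset" is consistent with what the thread describes: the forwarding virtual server completes the client-side handshake before the ACL verdict is applied, so the reset comes from the BIG-IP, not from the destination. A "refused" or "timeout" result would instead mean the SYN itself was not answered by a proxy, which is why a client-side capture alone cannot tell you whether the destination host was ever reached; the capture on the BIG-IP side, as the poster did, is the check that settles it.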