Network access connection rejected by ACL is completing 3-way handshake?
I'm running 13.1.3.4 and creating a network access tunnel with an ACL applied. There's an L4 ACE to Reject traffic to a given IP. When I monitor on my VPN interface (on Windows and Mac) I see a full 3-way handshake succeed to that IP ???, followed by a TCP RST. When I set the ACE to Discard I see the same behavior. Can someone explain how this is a feature?
If I monitor for packets on the BigIP I don't see the packets actually passing through to the blocked IP, so I assume this is a BigIP "feature". Any info is welcome. Thanks,
Mike
- Mike_Ho
Cirrus
This older question and answer are related.
https://devcentral.f5.com/s/question/0D51T00006j23vc/what-is-the-tmmapmfwdviphttp-virtual-server-
- Mike_Ho
Cirrus
Cut and paste in case that link breaks in the future:
This vip is created when you provision APM; it's one of 3 that handle Network Access traffic from a "connectivity profile", which is basically a special tunnel type of network interface. It's used as the forwarding virtual server for Network Access to process APM ACLs. The vips can be overridden by setting a higher-specificity (source or dest IP) vip on the connectivity profile vlan.
_tmm_apm_fwd_vip_http: This vip catches the HTTP traffic on port 80 and applies L7 and L4 ACLs.
_tmm_apm_fwd_vip: This vip catches everything besides port 80 and applies L4 ACLs.
The reason these are in there is that when a new network flow ingresses to BIG-IP, it must consult the list of virtual servers to determine how to handle the traffic. If a new flow doesn't match any virtual server listeners, it's dropped.
I'm not sure exactly what information you're looking for, but that's basically what it is.
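To check from the client side that an ACL-blocked destination only ever shows the handshake-then-RST pattern from the question, and never carries data, here is an added example (not from this thread or from F5) that classifies flows in a tcpdump-style capture taken on the VPN adapter. The addresses and capture lines are constructed; the script labels what the client observed and does not by itself prove which device answered the SYN.

```python
import re
from collections import defaultdict

# tcpdump-style line shape this example assumes (sample below is constructed).
LINE_RE = re.compile(r"IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]+)\].*?length (?P<length>\d+)")

# Constructed capture from the VPN adapter: 10.0.0.5 is the client; 203.0.113.10 is the
# ACL-blocked host, 198.51.100.20 an allowed host, 192.0.2.30 a host that never answers.
SAMPLE = """\
IP 10.0.0.5.51000 > 203.0.113.10.443: Flags [S], seq 1, length 0
IP 203.0.113.10.443 > 10.0.0.5.51000: Flags [S.], seq 100, ack 2, length 0
IP 10.0.0.5.51000 > 203.0.113.10.443: Flags [.], ack 101, length 0
IP 203.0.113.10.443 > 10.0.0.5.51000: Flags [R.], seq 101, ack 2, length 0
IP 10.0.0.5.51001 > 198.51.100.20.443: Flags [S], seq 1, length 0
IP 198.51.100.20.443 > 10.0.0.5.51001: Flags [S.], seq 200, ack 2, length 0
IP 10.0.0.5.51001 > 198.51.100.20.443: Flags [.], ack 201, length 0
IP 10.0.0.5.51001 > 198.51.100.20.443: Flags [P.], seq 2:518, ack 201, length 516
IP 10.0.0.5.51002 > 192.0.2.30.22: Flags [S], seq 1, length 0
""".splitlines()

def flow_key(sip, sport, dip, dport):
    # Direction-independent key so both halves of a conversation share one record.
    return tuple(sorted([(sip, int(sport)), (dip, int(dport))]))

def classify_flows(lines):
    # Replay the TCP flags per flow and label what the client actually observed.
    st = defaultdict(lambda: dict(syn=False, synack=False, ack=False, rst=False, payload=0))
    for m in filter(None, map(LINE_RE.search, lines)):
        f = st[flow_key(m["sip"], m["sport"], m["dip"], m["dport"])]
        flags = m["flags"]          # tcpdump: S=SYN, .=ACK, P=PSH, R=RST
        if "S" in flags:
            f["synack" if "." in flags else "syn"] = True
        elif "R" in flags:
            f["rst"] = True
        elif "." in flags:
            f["ack"] = True
        f["payload"] += int(m["length"])
    verdicts = {}
    for key, f in st.items():
        if f["payload"] > 0:
            verdicts[key] = "data exchanged"
        elif f["syn"] and f["synack"] and f["ack"] and f["rst"]:
            # The symptom from the question: something answered the SYN, then tore the flow down.
            verdicts[key] = "handshake then RST, no payload"
        elif f["syn"] and not f["synack"]:
            verdicts[key] = "SYN unanswered"
        else:
            verdicts[key] = "incomplete"
    return verdicts
```

Feeding it a real capture (`tcpdump -nn -i <vpn adapter> tcp` output) lets you confirm that every flow to the blocked IP lands in the "no payload" bucket, which is the part of the behavior that actually matters for the ACL.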