Forum Discussion
copelanda_17428
Nimbostratus
Sep 03, 2008
Outbound connections from behind F5
We have two sets of virtual servers. Set A is for ports 80 and 443 attached to a self IP at x.x.1.20 on our public facing network, Set B is for 80 and 443 on x.x.2.31 on our public network.
Set A uses two hosts on a private network 10.1.106.0 in its resource pool. Set B uses two hosts on our x.x.1.0 public network in its resource pool.
I can make an outbound connection to any Internet address from a host in Set A's pool, e.g.:
uwcmmp1:/ telnet 208.185.32.185 80
Trying 208.185.32.185...
Connected to 208.185.32.185.
Escape character is '^]'.
I cannot make an outbound connection to any Internet address from the hosts in Set B's pool, e.g.:
blackboard-app1:/ telnet 208.185.32.185 80
Trying 208.185.32.185...
telnet: Unable to connect to remote host: Connection refused
Pool hosts in Set A have their default router set to the F5's 10.1.106.0 address (10.1.106.85), and those in Set B have it set to the F5's x.x.1.0 address (x.x.1.43).
Furthermore there are two SNATs defined. One translates connections from the 10.1.106 network to the x.x.1.20 address, and the other translates connections from the x.x.1.0 network hosts to x.x.2.31.
What differences should I be looking for in my configuration? Any obvious problems?
2 Replies
- dennypayne
Employee
My first thought is that whatever the LTM's default gateway is doesn't know how to route x.x.1.0 addresses back to the LTM. I would run
tcpdump -i host 208.185.32.185
while you attempt the telnet to see if you can see the traffic coming and going.
Denny
- copelanda_17428
Nimbostratus
Here are two tcpdumps of the same connection.
The connection is from host 130.68.1.212 - which is behind our LTM, being SNATed as 130.68.2.31 to "the world" - to 208.185.32.185 on port 80 (our host out on "the internet").
The first tcpdump is capturing traffic on our vlan "subnet_2" which is associated with all 130.68.2.0 addresses.
The second tcpdump is capturing traffic on our vlan "public_inet" which is associated with all 130.68.1.0 addresses.
from vlan "subnet_2" (130.68.2.0)
reading from file tcpdump_12316.dmp, link-type EN10MB (Ethernet)
10:34:10.739185 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 > 130.68.2.31.64384: S, cksum 0x1576 (correct), 246177326:246177326(0) ack 3791885143 win 1460
10:34:10.739212 IP (tos 0x0, ttl 255, id 7382, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 > 208.185.32.185.80: R, cksum 0x5bf3 (correct), 1:1(0) ack 1 win 0
10:34:12.500509 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 > 130.68.2.31.64396: S, cksum 0xac86 (correct), 259263702:259263702(0) ack 253042618 win 1460
10:34:12.500533 IP (tos 0x0, ttl 255, id 11571, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64396 > 208.185.32.185.80: R, cksum 0xf303 (correct), 1:1(0) ack 1 win 0
10:34:14.107204 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 > 130.68.2.31.64384: S, cksum 0xb1c5 (correct), 249545131:249545131(0) ack 3791885143 win 1460
10:34:14.107228 IP (tos 0x0, ttl 255, id 15250, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 > 208.185.32.185.80: R, cksum 0xf842 (correct), 1:1(0) ack 1 win 0
10:34:14.115202 IP (tos 0xc0, ttl 242, id 7741, offset 0, flags [none], proto ICMP (1), length 68) 208.185.32.185 > 130.68.2.31: ICMP host 208.185.32.185 unreachable - admin prohibited, length 48
IP (tos 0x0, ttl 244, id 15250, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 > 208.185.32.185.80: R, cksum 0x8251 (correct), 1582045095:1582045095(0) ack 1 win 0
10:34:15.867192 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 > 130.68.2.31.64396: S, cksum 0x4ea1 (correct), 262630024:262630024(0) ack 253042618 win 1460
10:34:15.867216 IP (tos 0x0, ttl 255, id 18971, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64396 > 208.185.32.185.80: R, cksum 0x951e (correct), 1:1(0) ack 1 win 0
from vlan "public_inet" (130.68.1.0)
reading from file tcpdump_12362.dmp, link-type EN10MB (Ethernet)
10:38:52.761141 IP (tos 0x0, ttl 64, id 2785, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.212.64729 > 208.185.32.185.80: S, cksum 0x20b3 (correct), 1826467050:1826467050(0) win 49640
10:38:52.761186 IP (tos 0x0, ttl 63, id 2785, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.64729 > 208.185.32.185.80: S, cksum 0x2068 (correct), 1826467050:1826467050(0) win 49640
10:38:53.013422 IP (tos 0x0, ttl 64, id 33625, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.216.54519 > 208.185.32.185.80: S, cksum 0x61a0 (correct), 3742572965:3742572965(0) win 49640
10:38:53.013439 IP (tos 0x0, ttl 63, id 33625, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.54519 > 208.185.32.185.80: S, cksum 0x6159 (correct), 3742572965:3742572965(0) win 49640
10:38:56.130563 IP (tos 0x0, ttl 64, id 2786, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.212.64729 > 208.185.32.185.80: S, cksum 0x20b3 (correct), 1826467050:1826467050(0) win 49640
10:38:56.130580 IP (tos 0x0, ttl 63, id 2786, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.64729 > 208.185.32.185.80: S, cksum 0x2068 (correct), 1826467050:1826467050(0) win 49640
10:38:59.772311 IP (tos 0x0, ttl 64, id 33626, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.216.54519 > 208.185.32.185.80: S, cksum 0x61a0 (correct), 3742572965:3742572965(0) win 49640
10:38:59.772329 IP (tos 0x0, ttl 63, id 33626, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.54519 > 208.185.32.185.80: S, cksum 0x6159 (correct), 3742572965:3742572965(0) win 49640
10:39:01.016667 IP (tos 0x0, ttl 255, id 23769, offset 0, flags [DF], proto TCP (6), length 40) 208.185.32.185.80 > 130.68.1.212.64729: R, cksum 0x2353 (correct), 0:0(0) ack 1826467051 win 0
10:39:07.116736 IP (tos 0x0, ttl 255, id 32785, offset 0, flags [DF], proto TCP (6), length 40) 208.185.32.185.80 > 130.68.1.216.54519: R, cksum 0x6440 (correct), 0:0(0) ack 3742572966 win 0
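The "coming and going" check Denny suggested can be done mechanically on the two captures above. The following script is an added example, not code from the thread or from F5: it parses tcpdump -v lines in the old flag style shown above, tallies per VLAN which leg of the handshake was seen relative to the SNAT address, and flags the case where translated SYNs leave on one VLAN while SYN-ACKs come back on another. The embedded capture lines are a subset copied from the two dumps in this post; the VLAN names, the SNAT address 130.68.2.31 and the remote host 208.185.32.185 are the ones named in the thread.

```python
"""Per-VLAN handshake direction summary for the two tcpdump captures above.

Added example (not part of the thread). Assumes tcpdump -v output in the
old single-letter flag style ("S", "R") where a SYN-ACK is an "S" line
that also carries an "ack" field, exactly as in the captures quoted above.
"""
import re
from collections import Counter, defaultdict

# Capture lines copied from the thread (a subset of each dump).
SUBNET_2 = """\
10:34:10.739185 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 > 130.68.2.31.64384: S, cksum 0x1576 (correct), 246177326:246177326(0) ack 3791885143 win 1460
10:34:10.739212 IP (tos 0x0, ttl 255, id 7382, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 > 208.185.32.185.80: R, cksum 0x5bf3 (correct), 1:1(0) ack 1 win 0
10:34:14.115202 IP (tos 0xc0, ttl 242, id 7741, offset 0, flags [none], proto ICMP (1), length 68) 208.185.32.185 > 130.68.2.31: ICMP host 208.185.32.185 unreachable - admin prohibited, length 48
IP (tos 0x0, ttl 244, id 15250, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 > 208.185.32.185.80: R, cksum 0x8251 (correct), 1582045095:1582045095(0) ack 1 win 0
"""
PUBLIC_INET = """\
10:38:52.761141 IP (tos 0x0, ttl 64, id 2785, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.212.64729 > 208.185.32.185.80: S, cksum 0x20b3 (correct), 1826467050:1826467050(0) win 49640
10:38:52.761186 IP (tos 0x0, ttl 63, id 2785, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.64729 > 208.185.32.185.80: S, cksum 0x2068 (correct), 1826467050:1826467050(0) win 49640
10:39:01.016667 IP (tos 0x0, ttl 255, id 23769, offset 0, flags [DF], proto TCP (6), length 40) 208.185.32.185.80 > 130.68.1.212.64729: R, cksum 0x2353 (correct), 0:0(0) ack 1826467051 win 0
"""

TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?proto TCP.*?\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFU.]+), (?P<rest>.*)$"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?proto ICMP.*?\) "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): ICMP (?P<msg>.*?), length"
)


def classify(flags, rest):
    """Map the old tcpdump flag letter (plus an 'ack' field) to a handshake leg."""
    if "R" in flags:
        return "RST"
    if "S" in flags:
        return "SYN-ACK" if " ack " in rest else "SYN"
    return "OTHER"


def parse_capture(vlan, text):
    """Turn one capture into a list of events; the indented inner-IP continuation
    line of an ICMP error carries no timestamp and is skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = TCP_RE.match(line)
        if m:
            events.append({"vlan": vlan, "ts": m["ts"], "kind": classify(m["flags"], m["rest"]),
                           "src": m["src"], "dst": m["dst"], "ttl": int(m["ttl"])})
            continue
        m = ICMP_RE.match(line)
        if m:
            events.append({"vlan": vlan, "ts": m["ts"], "kind": "ICMP",
                           "src": m["src"], "dst": m["dst"], "msg": m["msg"]})
    return events


def role(ev, snat_ip, remote_ip):
    """Direction of a packet relative to the SNAT address and the remote host."""
    src, dst = ev["src"], ev["dst"]
    if src == snat_ip and dst == remote_ip:
        return "snat->remote"
    if src == remote_ip and dst == snat_ip:
        return "remote->snat"
    if dst == remote_ip:
        return "client->remote"   # pre-translation packet from a pool member
    if src == remote_ip:
        return "remote->client"
    return "other"


def summarise(events, snat_ip, remote_ip):
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["vlan"]][(ev["kind"], role(ev, snat_ip, remote_ip))] += 1
    return summary


def findings(summary, snat_ip):
    """Plain-language observations: forward/return VLAN split, RSTs, ICMP errors."""
    notes = []
    fwd = sorted(v for v, c in summary.items() if c[("SYN", "snat->remote")])
    ret = sorted(v for v, c in summary.items() if c[("SYN-ACK", "remote->snat")])
    if fwd and ret and not set(fwd) & set(ret):
        notes.append(f"asymmetric path: translated SYNs leave on {fwd}, SYN-ACKs return on {ret}")
    for vlan in ret:
        c = summary[vlan]
        if c[("RST", "snat->remote")]:
            notes.append(f"{vlan}: {c[('SYN-ACK', 'remote->snat')]} SYN-ACK(s) to {snat_ip} "
                         f"answered by {c[('RST', 'snat->remote')]} RST(s) from {snat_ip}")
    for vlan, c in summary.items():
        if c[("ICMP", "remote->snat")]:
            notes.append(f"{vlan}: {c[('ICMP', 'remote->snat')]} ICMP error(s) from the remote host to {snat_ip}")
    return notes


def analyse(snat_ip="130.68.2.31", remote_ip="208.185.32.185"):
    events = parse_capture("subnet_2", SUBNET_2) + parse_capture("public_inet", PUBLIC_INET)
    summary = summarise(events, snat_ip, remote_ip)
    return summary, findings(summary, snat_ip)


if __name__ == "__main__":
    summary, notes = analyse()
    for vlan, counts in summary.items():
        print(vlan)
        for (kind, direction), n in sorted(counts.items()):
            print(f"  {kind:8} {direction:16} {n}")
    for note in notes:
        print("*", note)
```

Run against the full dumps by pasting each capture into the matching string; the per-VLAN table then shows at a glance whether the VLAN that carries the translated SYNs out is the same one the SYN-ACKs arrive on, and whether the SNAT address is answering those SYN-ACKs with resets.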