Forum Discussion
Outbound TCP port 21 through SNAT
BIGIP version 12.1.1 HF1
Issue: SNAT is not building server-side connections for a TCP session destined to port 21
A colleague was troubleshooting a customer complaint of an FTP connection not working. The source of traffic is an internal, privately-addressed server that is in a SNAT origin list. The destination is an external server that the BIGIP can reach via the default route. Basic IP connectivity had been confirmed via traceroute, which does work through the SNAT.
Tried a basic TCP connection (using the Cisco ASA 'tcp ping' utility; it simply sends a TCP SYN, expects a SYN/ACK, then resets the connection). For connections to port 21, the BIGIP receives the traffic (confirmed via tcpdump) but does not build the server-side connection (observed both via tcpdump and the connection table). However, trying a different port with the same source/destination is successful. Also tried using a different source address (destination port 21), which failed. The issue appears to follow the destination port.
Did some searching through and DevCentral but do not see the same issue addressed. Anyone run into this issue and have an explanation?
3 Replies
- Leonardo_Souza3
Nimbostratus
The F5 unit is a deny-by-default unit (there are exceptions like AFM, anyway...), which means you need to have a listener to handle the traffic and then open the server-side connection if configured for that.
SNAT is a listener, but you first need to make sure that it is the SNAT that is handling the connection and not another listener. You can take the tcpdump with extra information, and you will be able to see which listener is handling the connection.
Information about that:
https://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html
https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html
If you just want the solution :P, here is the bug you are probably facing:
https://support.f5.com/kb/en-us/solutions/public/k/33/sol33645643.html
There is no workaround in the solution, but it does say that it does not affect a virtual server with SNAT. So, just use a virtual server with a SNAT pool and FTP profile.
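The checks and the workaround described in the reply above, written out as tmsh commands. This is an added example, not part of the original thread or of F5's article; the client subnet 10.10.10.0/24, the test client 10.10.10.50, the SNAT address 203.0.113.10 and the object names are assumptions chosen for illustration. The `:nnn` interface modifier appends the F5 trailer to each captured packet, which records the listener (virtual server or SNAT) that handled it; the connection-table query confirms whether a server-side flow was ever built; the wildcard port-21 virtual server with an FTP profile and a SNAT pool is the configuration the article says is not affected.

```tmsh
# Added example (not from the original thread). Addresses and object names
# are assumptions for illustration.

# 1. Capture on all interfaces with the F5 trailer (:nnn) so each packet
#    shows which listener handled it. Filter on the failing client and port 21.
run /util tcpdump -nni 0.0:nnn -s0 host 10.10.10.50 and port 21 -w /var/tmp/ftp21.pcap

# 2. Check the connection table for the client's port-21 flow. A client-side
#    entry with no server-side flow matches the symptom in the question.
show /sys connection cs-client-addr 10.10.10.50 cs-server-port 21

# 3. Workaround: handle the FTP control channel with a virtual server that
#    has a SNAT pool and an FTP profile instead of a bare SNAT object.
#    No pool and address/port translation disabled means the BIG-IP forwards
#    to the original destination via its routing table; the FTP profile lets
#    it open the data channel on the translated address.
create /ltm snatpool ftp_snat_pool members add { 203.0.113.10 }
create /ltm virtual vs_ftp_out {
    destination 0.0.0.0:21
    ip-protocol tcp
    profiles add { tcp ftp }
    source 10.10.10.0/24
    source-address-translation { type snat pool ftp_snat_pool }
    translate-address disabled
    translate-port disabled
}
save /sys config
```

The `source 10.10.10.0/24` restriction keeps the wildcard virtual server from catching port-21 traffic from other origins; widen or narrow it to match the SNAT origin list that was in use. Re-run the tcpdump after the change and the trailer should name vs_ftp_out rather than the SNAT.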
- Ed_Summers
Nimbostratus
F5 Support confirmed it is the bug addressed by the solution article you mentioned. Affects 12.1.0 - 12.1.1. We actually found this SOL article prior to contacting support, but the language used in the article (the active language "configured the BIG-IP system to process FTP control channel connections using only a SNAT object") made me want to research further.
Accepting your answer - you win the cookie today.
- Leonardo_Souza3
Nimbostratus
lol cookie accepted.