Forum Discussion
RESET packets in Asymmetric routing Mode
We have an asymmetric routing environment where the F5 is one of the gateways of the server; because of this we were not able to connect directly to the servers that are behind the F5. We fixed the problem using a custom FastL4 profile with Loose Initiation and Loose Close enabled, following the solution at http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13558.html.
But in this scenario the F5 is not passing the RESET packet that the server sends to the client for a request to a non-listening port. Below are the captures from different interfaces of the F5, where it can be seen that server 10.212.152.126 is sending a reset on the internal VLAN interface STG-INTERNAL-APP-SERVER side but the F5 is not sending it out to the external interface STG-INTERNAL-APP-VIP.
Any idea if the F5 doesn't forward the reset packets when it doesn't see the original SYN, as against passing the ACK in the same scenario?
tcpdump -i STG-INTERNAL-APP-SERVER port 1835
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-SERVER, link-type EN10MB (Ethernet), capture size 96 bytes
14:01:01.949710 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1706793690 win 0
14:01:04.957670 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0
14:01:10.955519 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0

tcpdump -i STG-INTERNAL-APP-VIP port 1835
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-VIP, link-type EN10MB (Ethernet), capture size 96 bytes
4 Replies
- What_Lies_Bene1
Cirrostratus
Not sure about your current issue but you should be aware tcpdump does not capture all packets when FastL4 is in operation. The only way to ensure you capture all traffic is to specify a physical interface (rate limited to 200pps) or change the VS back to a standard one.
Regarding your original problem, you can enable asymmetric routing by disabling VLAN Keyed Connections as follows:
Menu path: System > Configuration > Local Traffic > General
- Ashish_Jais_668
Nimbostratus
Yes, I have enabled asymmetric routing and am able to connect to the servers without any problem when communicating on any listening service/port. But when the server sends a RESET to the client, the RESET packet never reaches the client.
- What_Lies_Bene1
Cirrostratus
OK, cool. Did you read my notes on tcpdump and the fact it won't capture all traffic?
- Ashish_Jais_668
Nimbostratus
It's a VIPRION guest and has link aggregation, so I can't select interfaces. However, I ran it on all interfaces. RESET packets are being received on the internal VLAN (571) from server 10.212.152.126 but are not being sent to the client.
-ltm01:/S2-green-P:Active:In Sync] ~ tcpdump -nnpei 0.0 port 1835
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
09:35:07.038139 00:14:4f:fa:73:81 > 00:23:e9:68:29:a2, ethertype 802.1Q (0x8100), length 58: vlan 571, p 0, ethertype IPv4, 10.212.152.126.1835 > 172.26.2.62.62309: R 0:0(0) ack 2959145280 win 0
09:35:10.041718 00:14:4f:fa:73:81 > 00:23:e9:68:29:a2, ethertype 802.1Q (0x8100), length 58: vlan 571, p 0, ethertype IPv4, 10.212.152.126.1835 > 172.26.2.62.62309: R 0:0(0) ack 1 win 0
09:35:16.039625 00:14:4f:fa:73:81 > 00:23:e9:68:29:a2, ethertype 802.1Q (0x8100), length 58: vlan 571, p 0, ethertype IPv4, 10.212.152.126.1835 > 172.26.2.62.62309: R 0:0(0) ack 1 win 0
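
An added example, not part of any post in this thread: a small Python script that compares a server-side and a client-side tcpdump capture, in the output format quoted above, and lists the flows whose RSTs appear on one side only. The function names are hypothetical, only IPv4 lines are handled, and the result is only as complete as the captures, given the caveat raised in the thread that tcpdump does not capture all packets when FastL4 is in operation.

```python
import re
from collections import defaultdict

# tcpdump line as posted in the thread (old flag style "R 0:0(0)"), with or
# without the -e link header; newer "Flags [R.]" output is accepted too.
PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?(?:IP |IPv4, )"
    r"(?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"(?:Flags \[(?P<new>[^\]]+)\]|(?P<old>[SFPRWE.]+) )"
)

def rst_flows(capture):
    """Map (src, dst) -> timestamps of RST segments found in tcpdump text."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = PKT.match(line.strip())  # banner lines have no timestamp and are skipped
        if m and "R" in (m.group("new") or m.group("old")):
            flows[(m.group("src"), m.group("dst"))].append(m.group("ts"))
    return dict(flows)

def unforwarded_resets(server_side, client_side):
    """Flows whose RSTs appear in the server-side capture but not client-side."""
    seen_out = rst_flows(client_side)
    return {flow: ts for flow, ts in rst_flows(server_side).items()
            if flow not in seen_out}

# Server-side lines are copied from the thread; the client-side capture in the
# thread contained only tcpdump's banner, reproduced here.
SERVER_SIDE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-SERVER, link-type EN10MB (Ethernet), capture size 96 bytes
14:01:01.949710 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1706793690 win 0
14:01:04.957670 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0
14:01:10.955519 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0
"""
CLIENT_SIDE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-VIP, link-type EN10MB (Ethernet), capture size 96 bytes
"""

if __name__ == "__main__":
    missing = unforwarded_resets(SERVER_SIDE, CLIENT_SIDE)
    for (src, dst), stamps in missing.items():
        print(f"{src} > {dst}: {len(stamps)} RST(s) not seen client-side, "
              f"first at {stamps[0]}")
```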