Forum Discussion
NimbostratusSNAT Virtual Server is sending ICMP Destination Unreachable to Source Server
I have several servers sitting behind a F5 LTM running 11.6 HF6 that when sending a UDP packet that is defined in the Virtual Server to be SNATed are instead getting an ICMP Message sent to them of Destination Unreachable / Administratively Filtered
A little more background.
The servers sit behind an F5 LTM that is configured in a one armed setup F5s Default Route is the upstream L3 Switch HSRP IP Address The servers have their Default GW set to the F5 Clusters Floating IP Address
There is an Outbound Forwarding Virtual Server configured Source of 0.0.0.0/0 and Destination of 0.0.0.0/0 and a modified fastL4 that has the Loose Initiation and Loose Close selected. This is working as desired.
There are 7 inbound Virtual Servers that forward traffic hitting a VIP for specific ports / protocol to the servers. This is working as desired.
There is an Outbound SNAT Virtual Server setup with Source of the server subnet (have also tried just to source an individual server) and Destination of 0.0.0.0/0 looking for UDP packets on destination port of 1700 to then be SNATed into the VIP IP Address used in the other inbound Virtual Servers.
This is NOT working. I am seeing from packet captures from the F5 and the servers themselves that they send out the UPD destination port 1700 packet, and a few milliseconds later the F5 sends an ICMP Destination Unreachable / Communication administratively filtered message to the server.
The servers are sending and receiving TCP and UDP traffic on all other ports with no apparent issues except for this Outbound SNAT Virtual Server
Some things I have tried is to set the System > Configuration > Local Traffic > SNAT from TCP and UDP only to All traffic. But this has not changed the behavior. I have searched the Answers but have not seen anything that gives me a hint as to what to change next.
So any thoughts on what I need to change to get this to work?
6 Replies
neptune_121018Does the outbound VS for the UDP 1700 port have a VLAN Specified? Can you shouw us the configuration for that VS?
jeffgriesel_245Here are the configs on the VS ltm virtual /Common/ISE_radius_coa_snat { description "VIP for ISE return COA traffic" destination /Common/0.0.0.0:1700 ip-protocol udp mask any profiles { /Common/udp { } } source 199.6.162.10/32 source-address-translation { pool /Common/ISE_radius_coa_snatpool type snat } translate-address enabled translate-port enabled vlans { /Common/ISE_VLAN15 } vlans-enabled } ltm snat-translation /Common/199.6.162.9 { address 199.6.162.9 inherited-traffic-group true traffic-group /Common/traffic-group-1 } ltm snatpool /Common/ISE_radius_coa_snatpool { members { /Common/199.6.162.9 } }
- neptune_121018
I compared your config with an outbound virtual server configuration that's working on one of our boxes. Some of the differences I noticed where the:
- Address translation and port translation is unchecked.
- We used a Fast Layer 4. We selected the all protocols option because we needed to SNAT more types of traffic.
ltm virtual /Common/website_outbound_vs { description "Source nats the outbound connections of website server, so they exit with the IP of the VS" destination /Common/0.0.0.0:0 mask any profiles { /Common/fastL4 { } } source 10.88.100.116/32 source-address-translation { pool /Common/website_snatpool type snat } translate-address disabled translate-port disabled vlans { /Common/vlan_servers } vlans-enabled }ltm snat-translation /Common/10.88.100.43 { address 10.88.100.43 inherited-traffic-group true traffic-group /Common/traffic-group-1 }ltm snatpool /Common/sitioweb_snatpool { members { /Common/10.88.100.43 } 
qman2001_227728Did you ever resolve the problem ?
simone_84934Did you solve the issue. I am facing the same one, not found a solution yet
Thank you
Darrell_Lack_19Did you solve the issue. I am facing the same one, not found a solution yet
