SSH/SFTP problem!

It sounds like the packet is making it to the remote server but it's failing on it's way back to the client. Did you have Virtual wilcard IP Forwarding created?

 

 

 

 

 

Where should I configured? more info pls.

 

 

-rk

Posted By cmbhatt on 04/01/2008 7:07 PM

 

 

It sounds like the packet is making it to the remote server but it's failing on it's way back to the client.

 

 

 

 

And the most likely reason for that is that the LTM is probably not the default gateway for the remote server.

 

 

See my posts in this discussion ( Click here ) for more information about using SNAT to overcome this.

 

 

Denny

 

 

um... if the routing is wrong. there should not have any packet can be found in the packet trace where the source ip equals to remote server.

 

 

-rk

Can you post the tcpdump output? Try capturing on interface 0.0 (a logical reference to all switch ports). Make sure to include both the client and server IP's in your filter. Something like this should work:

 

 

tcpdump -ni 0.0 host CLIENT_IP or host SERVER_IP

 

 

Thanks,

 

Aaron

Hi

 

 

Thank for help!

 

 

10.12.1.1 is the Client while 172.17.40.21 is the server.

 

 

the VIP used in F5 is 172.17.20.11 where SNAT is used in Client server. to translate the src ip of the packet going to 172.17.20.11 is 10.12.1.1.

 

 

17:07:11.419810 IP 10.12.1.1.33517 > 172.17.20.11.telnet: S 3365755525:3365755525(0) win 5840

 

17:07:11.420746 IP 172.17.40.21.telnet > 10.12.1.1.33517: S 3197962301:3197962301(0) ack 3365755526 win 5792

 

17:07:14.419010 IP 10.12.1.1.33517 > 172.17.20.11.telnet: S 3365755525:3365755525(0) win 5840

 

17:07:14.419683 IP 172.17.40.21.telnet > 10.12.1.1.33517: S 3197962301:3197962301(0) ack 3365755526 win 5792

 

17:07:14.587769 IP 172.17.40.21.telnet > 10.12.1.1.33517: S 3197962301:3197962301(0) ack 3365755526 win 5792

 

17:07:20.586801 IP 172.17.40.21.telnet > 10.12.1.1.33517: S 3197962301:3197962301(0) ack 3365755526 win 5792

 

 

-rk

 

 

 

 

 

 

 

 

 

 

 

Can you clarify what the SNAT address is? If you have the SNAT address set to the client IP, can you change this? Set the SNAT on the virtual server to automap, so that the BIG-IP will use a self IP on the egress VLAN for a source address.

 

 

I think the following are the IP's you're using

 

 

10.12.1.1 Client

 

172.17.20.11 VIP

 

172.17.40.21 Server

 

 

If this doesn't work, can you try another test? Can you create a new FastL4 profile to use on the forwarding virtual server? Please disable PVA acceleration on the new profile according to these steps:

 

 

SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP version 9.x system (Click here)

 

 

To temporarily disable PVA acceleration for a FastL4 profile, perform the following procedure:

 

 

1. Log in to the Configuration utility.

 

2. Click Local Traffic.

 

3. Click Profiles.

 

4. Choose FastL4 from the Protocol drop-down menu.

 

5. Create a new FastL4 profile called FastL4_no_pva_acceleration.

 

6. Check the check box next to PVA Acceleration and select None from the drop-down menu.

 

7. Browse to the forwarding virtual server and select the new FastL4 profile under Protocol Profile (client).

 

8. Perform a tcpdump, specifying the interface as 0.0 to capture all traffic.

 

9. Once the tcpdump captures are completed, change the Protocol Profile back to the default FastL4 profile.

 

 

Can you also add the -e flag to the tcpdump command to list the MAC address and VLAN tags to the tcpdump:

 

 

tcpdump -eni 0.0 host 10.12.1.1 or host 172.17.40.21

 

 

Thanks,

 

Aaron

Posted By hoolio on 04/03/2008 2:38 AM

 

 

If you have the SNAT address set to the client IP, can you change this?

 

 

 

Yes, if this is the case, the LTM will never send the packet back to the actual client because it thinks it "owns" that address.

 

 

Denny