For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hmian_178112's avatar
hmian_178112
Icon for Nimbostratus rankNimbostratus
Jun 14, 2018
Solved

TCP Connection Reset between VIP and Client

Topology: Pulse Authentication Servers <--> F5 <--> FORTIGATE <--> JUNOS RTR <--> Internet <--> Client/users. Background: Clients on the internet attempting to reach a VPN app VIP (load-balance...
application delivery
LTM
security
  • AceDawg_204810's avatar
    AceDawg_204810
    Jun 14, 2018

    What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

     

    I would do the following then test:

     

    1. Change the VIP to use SNAT. Test.
    2. If it works, reverse the VIP configuration in step 1 (e.g. no SNAT)
    3. Disable all pool members in POOL_EXAMPLE except for 30.1.1.138
    4. Change the gateway for 30.1.1.138 to 30.1.1.132. Test.
AceDawg1's avatar
AceDawg1
Icon for Nimbostratus rankNimbostratus
Jun 14, 2018

What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

 

I would do the following then test:

 

  1. Change the VIP to use SNAT. Test.
  2. If it works, reverse the VIP configuration in step 1 (e.g. no SNAT)
  3. Disable all pool members in POOL_EXAMPLE except for 30.1.1.138
  4. Change the gateway for 30.1.1.138 to 30.1.1.132. Test.
  • hmian_178112's avatar
    hmian_178112
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2018

    This was it, I had to change the Gateway for the POOL MEMBERS to the F5 SELF IP rather than the Fortigate Firewall upstream because we are not using SNAT.