Forum Discussion

Robert_E_Heinde
Aug 18, 2005

TCP State table ?

Let me see if I can describe this in an understandable format.

We have an Akonix server which is an IM gateway, which also does enforcement of IM sessions, to ensure ALL instant messenger traffic flows through it.

The box has two NIC cards.

One NIC card is plugged into network 192.168.1.0 (which is not behind a BigIP). Its sole purpose is to listen for IM type traffic on that segment, so in effect it is a sniffer type card (receive only, no transmit).

On the same net is a PC running instant messenger.

The second NIC card on the Akonix gateway is in a net behind our BigIP boxes (192.168.2.0), and its purpose is to enforce traffic.

When the PC on the 192.168.1.0 network connects to the Microsoft internet IM server (traffic does NOT flow through the BigIP), the receive-only card sees the traffic and the Akonix gateway is supposed to send a TCP RST to both the PC running IM and the Microsoft internet IM server to kill the session (thus enforcement). The TCP RST packet is sent from the Akonix NIC card that sits behind the BigIP box, and in effect spoofs the IP address of both the PC and the IM server.

We see the TCP RST leave the Akonix box headed toward the BigIP, but never see the packet come through the BigIP.

The question I have is: does the BigIP box keep a state table, and in this case, since it never saw the original TCP SYN packets, does it have no knowledge of the session and as a result drop the TCP RST (no state table entry)?

Hope this makes sense; thanks in advance for any and all help. We have an open ticket, but the support techs must be slammed because we are not getting a response back.

Regards,

Bob

 

  • Great diagram! I wish I could help you here, but the iControl forums are for our administrative APIs and use of them. The iRules forums are for assistance in writing and debugging iRules.

    For product related questions, you really are going to have to point them at our tech support department. I'm sorry to hear that you are having a hard time getting a response from support. Hopefully you will get one soon.

    You could try posting this question over on the iRules forums, but odds are that you'll get the same response as here. We have a limited set of developers who are supporting these forums, and the staff here are really the experts in the management interfaces as well as the rules languages.

    I'll poke around and see what I can find for you, but I can't promise anything as of yet. Which version of BIG-IP are you running, as that will make a difference in who I solicit for feedback.

    -Joe
  • Thanks Joe for the response.

    We are running 4.5.10 Build 84.

    Hopefully they will respond soon. As with most projects, this one needs to be in by Monday, so we may have to work around the BigIP.

    It was more of a basic question as to the use of state tables, similar to stateful inspection firewalls.

    Regards,

    Bob
  • Here's a quote from one of our developers:

    By default, BIG-IP will not forward random packets for which there is no established connection. To do this, set up a FastL4 virtual server with loose initiation enabled and address/port translation disabled. I think that will work.

    -Joe
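As an added illustration (not F5's code and not posted by anyone in this thread), here is a small Python model of the behaviour Joe's developer describes: a device that forwards only packets belonging to flows it tracked from the SYN drops the spoofed RST, and a "loose initiation" mode that lets any packet create a flow entry forwards it. The addresses, ports and the `loose_initiation` switch are constructed stand-ins, not BIG-IP configuration.

```python
from dataclasses import dataclass

SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

class StatefulForwarder:
    # Forwards only packets of flows it tracked from the SYN, as BIG-IP does by default.
    def __init__(self, loose_initiation=False):
        self.loose_initiation = loose_initiation  # stand-in for the FastL4 "loose initiation" setting
        self.flows = set()    # direction-independent 4-tuples of known connections
        self.dropped = []     # packets refused for lack of a state entry

    @staticmethod
    def key(p):
        # Same key for both directions so replies match the entry the SYN created.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p):
        """Return True if the packet is forwarded, False if dropped."""
        k = self.key(p)
        if k in self.flows:
            if p.flags & RST:
                self.flows.discard(k)     # RST tears the connection entry down
            return True
        if p.flags & SYN and not p.flags & ACK:
            self.flows.add(k)             # a SYN creates the entry
            return True
        if self.loose_initiation:
            self.flows.add(k)             # loose mode: any packet may start a flow
            return True
        self.dropped.append(p)            # default: unknown flow, not forwarded
        return False

def simulate(loose):
    # Constructed replay of the thread's scenario; returns the forward decisions.
    fwd = StatefulForwarder(loose_initiation=loose)
    pc, im_server = "192.168.1.10", "203.0.113.5"   # constructed addresses
    # A session the BigIP does see start, from the 192.168.2.0 side (port 1863 = MSN Messenger).
    seen_syn = Packet("192.168.2.20", 40000, im_server, 1863, SYN)
    # The enforcement RST spoofed as PC -> IM server; the BigIP never saw that session's SYN.
    spoofed_rst = Packet(pc, 50000, im_server, 1863, RST)
    return [fwd.handle(seen_syn), fwd.handle(spoofed_rst)]
```

`simulate(False)` returns `[True, False]` (the spoofed RST is dropped), while `simulate(True)` returns `[True, True]`.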