Forum Discussion

Steve_Carroll_1
Dec 04, 2014

Why is my F5 dropping telnet on port 25 for one network?

I have configured SMTP on my LTM (11.4.1) and have configured a SNAT of 10.229.104.37, so all connections from the LTM are sent with this address, and I have no iRule configured.


If telnet 10.229.103.37 25 is sent from addresses in 10.229.0.0 network the connection is passed through to the single SMTP server. This is also confirmed by the tcpdump output.


However, if I send the same telnet request from an external subnet, the F5 drops the connection. As for the tcpdump, I only see the incoming request to the VIP.


Can anyone help?


  • Probably a routing issue. Perhaps asynchronous routing?


    Does the SMTP server have multiple network interfaces?


    Is there the possibility that inbound traffic from the external subnet enters on one VLAN on the F5 and outbound on another?


  • What Lies Beneath, thanks for your reply.


    The F5 only has one external connection, on the 10.229.103.0 network, and it's the default route for outbound traffic for both the failing subnet and the working connections from 10.229.0.0 devices.


    The routing has been checked from the load balancer through a router/switch and two firewalls back towards the failing network.


    As for the SMTP server, it only gets connections from the F5 SNAT address, which is the same for all client requests.


  • I have resolved the issue and it seems that the previous F5 engineer put a packet filter on the LTM for port 25 and some networks.


    However, the network in question was not in the allowed list. There was also a deny list for port 25. Also, logging was disabled on both filters.


    I've added the network to the allow packet filter and it now connects.


    • PT2012_73791
      Hmmm. Glad you posted the answer. Same problem on a new SMTP VIP. Funnily, I imagine it was on the same chassis. I can't see why logging on a filter would ever want to be disabled. It makes troubleshooting very hard.
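The resolution above (an ordered allow filter for some networks, a deny filter for port 25 behind it, logging off on both) is the kind of thing that is quick to confirm by walking the packet filters in the order the LTM evaluates them for a specific client and port. The script below is an added example, not code from the thread or from F5: it parses a constructed listing shaped like `tmsh list net packet-filter` output (the filter names, networks and ordering are assumptions), evaluates a small subset of the tcpdump-style rule grammar (protocol keyword plus `src|dst host|net|port` clauses joined with `and`), reports which filter a client flow hits, and lists filters that discard traffic without logging it. The "unhandled packet action" defaulting to accept is also an assumption stated in the code.

```python
"""Walk BIG-IP style packet-filter rules to see which one a client flow hits.

Added example, not from the forum thread or from F5. SAMPLE_TMSH is a
CONSTRUCTED listing shaped like `tmsh list net packet-filter` output; the
filter names, networks and ordering are assumptions. Only a small subset of
the tcpdump-style rule grammar is handled: a protocol keyword plus
`src|dst host|net|port <value>` clauses joined with `and`.
"""
import ipaddress
import re

# Constructed sample: an internal /16 is accepted on port 25, everything
# else on port 25 is discarded, and neither filter logs (silent drops for
# any client subnet that is not in the allow filter).
SAMPLE_TMSH = """
net packet-filter allow-smtp-internal {
    action accept
    logging disabled
    order 10
    rule "tcp and src net 10.229.0.0/16 and dst port 25"
}
net packet-filter deny-smtp {
    action discard
    logging disabled
    order 20
    rule "tcp and dst port 25"
}
"""

# Assumption: packets no filter matches are accepted (BIG-IP's default
# "unhandled packet action" unless an administrator changed it).
DEFAULT_ACTION = "accept"

BLOCK_RE = re.compile(r"net packet-filter (\S+) \{(.*?)\n\}", re.S)
PROP_RE = re.compile(r'^\s*(action|logging|order|rule|vlan)\s+(?:"([^"]*)"|(\S+))', re.M)
CLAUSE_RE = re.compile(r"(tcp|udp|icmp)|(src|dst) (host|net|port) (\S+)")


def parse_packet_filters(text):
    """Return the filters as dicts, sorted by the order BIG-IP evaluates them in."""
    filters = []
    for name, body in BLOCK_RE.findall(text):
        props = {k: q or b for k, q, b in PROP_RE.findall(body)}
        filters.append({
            "name": name,
            "action": props.get("action", "accept"),
            "logging": props.get("logging", "disabled"),
            "order": int(props.get("order", 0)),
            "rule": props.get("rule", ""),
        })
    return sorted(filters, key=lambda f: f["order"])


def rule_matches(rule, proto, src_ip, dst_ip, src_port, dst_port):
    """Evaluate a conjunction of simple tcpdump-style clauses against one flow."""
    if not rule.strip():
        return True  # an empty rule matches every packet
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for clause in (c.strip() for c in rule.split(" and ")):
        m = CLAUSE_RE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        pname, side, kind, value = m.groups()
        if pname:
            if pname != proto:
                return False
            continue
        addr = src if side == "src" else dst
        port = src_port if side == "src" else dst_port
        if kind == "host" and addr != ipaddress.ip_address(value):
            return False
        if kind == "net" and addr not in ipaddress.ip_network(value, strict=False):
            return False
        if kind == "port" and port != int(value):
            return False
    return True


def first_match(filters, proto, src_ip, dst_ip, src_port, dst_port):
    """First matching filter wins; None means the default action applies."""
    for f in filters:
        if rule_matches(f["rule"], proto, src_ip, dst_ip, src_port, dst_port):
            return f
    return None


def verdict(filters, src_ip, dst_ip, dst_port, proto="tcp", src_port=40000):
    """Summarise what happens to one client flow and whether it would be logged."""
    f = first_match(filters, proto, src_ip, dst_ip, src_port, dst_port)
    if f is None:
        return {"filter": None, "action": DEFAULT_ACTION, "logged": False}
    return {"filter": f["name"], "action": f["action"], "logged": f["logging"] == "enabled"}


def silent_drops(filters):
    """Names of filters that discard or reject traffic without logging it."""
    return [f["name"] for f in filters
            if f["action"] in ("discard", "reject") and f["logging"] != "enabled"]


if __name__ == "__main__":
    fs = parse_packet_filters(SAMPLE_TMSH)
    for client in ("10.229.50.12", "192.0.2.10"):
        print(client, verdict(fs, client, "10.229.103.37", 25))
    print("silent drops:", silent_drops(fs))
```

Run against a real `tmsh list net packet-filter` dump, the same walk shows in one line why an internal client is accepted while an external one is discarded by the catch-all port 25 filter, and `silent_drops` is the check worth keeping around: a discard filter with logging disabled is exactly the kind of rule that makes "I only see the request reach the VIP" in tcpdump look like a routing problem.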