I have a requirement from our business where people need to be able to use some service on the internet directly.
I don't want to use a split tunnel.
The setup is as follows (IPs are examples):
- APM clients have IPs in range 10.1.1.0/24
- Big-IP has internal IP 10.1.10.10
- Big-IP has external IP 188.8.131.52
- IP that has to be reached directly on the internet 184.108.40.206
- NAT address for clients 220.127.116.11
Now, when I set this up, I see the following:
- client 10.1.1.1 tries to connect to IP address 18.104.22.168
- traffic passes through the F5
- traffic arrives at firewall, firewall NATs the traffic (10.1.1.1 --> 22.214.171.124 is translated to 126.96.36.199 --> 188.8.131.52)
- response from 184.108.40.206 arrives at firewall and is translated back (220.127.116.11 --> 18.104.22.168 is translated to 22.214.171.124 --> 10.1.1.1)
- packet arrives at F5
And there it stops...
All of the above is verified with packet captures.
The SYN-ACK packet from 126.96.36.199 --> 10.1.1.1 arrives at the F5, but never at the client.
Moreover, the F5 sends a RST-ACK message back to 188.8.131.52 with source IP 10.1.1.1.
Any idea what could be the cause of this issue?
Why doesn't the F5 send the SYN-ACK to the client? It does arrive at the F5.
'Preserve source port strict' is enabled and I also see the response going back to the same port as the client initiated.
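As an added diagnostic, not from the post or from F5, here is a small Python script that walks a tcpdump-style capture taken on the F5 and flags exactly the pattern described above: SYN out, SYN-ACK back in, then a RST-ACK carrying the client's own source IP and no handshake-completing ACK. The capture lines are constructed and reuse the example addresses from the post.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines modelling the symptom in the post: the box
# sees the client's SYN and the returning SYN-ACK, never forwards the SYN-ACK,
# and instead emits a RST-ACK with the client's source IP. Example addresses only.
CAPTURE = """\
12:00:00.000001 IP 10.1.1.1.51000 > 18.104.22.168.443: Flags [S], seq 1
12:00:00.000002 IP 18.104.22.168.443 > 10.1.1.1.51000: Flags [S.], seq 100, ack 2
12:00:00.000003 IP 10.1.1.1.51000 > 18.104.22.168.443: Flags [R.], seq 2, ack 101
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def analyze(capture: str) -> dict:
    """Track each flow by its client-side 4-tuple and return the ones whose
    handshake died on the capturing box: SYN + SYN-ACK seen, RST-ACK sent with
    the client's IP, and no plain ACK from the client ever forwarded."""
    flows = defaultdict(lambda: {"syn": False, "synack": False,
                                 "rst_from_client_ip": False, "ack": False})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if "S" in flags and "." not in flags:          # SYN: source is the client
            flows[(src, sport, dst, dport)]["syn"] = True
        elif "S" in flags and "." in flags:            # SYN-ACK: source is the server
            flows[(dst, dport, src, sport)]["synack"] = True
        elif "R" in flags:                             # RST(-ACK) carrying client IP
            flows[(src, sport, dst, dport)]["rst_from_client_ip"] = True
        elif "." in flags:                             # any post-handshake ACK
            flows[(src, sport, dst, dport)]["ack"] = True
    suspicious = {}
    for key, st in flows.items():
        if st["syn"] and st["synack"] and st["rst_from_client_ip"] and not st["ack"]:
            suspicious[key] = ("SYN-ACK reached this box but was answered with a "
                               "RST-ACK instead of being forwarded to the client")
    return suspicious

if __name__ == "__main__":
    for (cip, cport, sip, sport), reason in analyze(CAPTURE).items():
        print(f"{cip}:{cport} -> {sip}:{sport}: {reason}")
```

A match only shows the handshake died on the box being captured; a second capture on the client showing no SYN-ACK and no RST of its own is what confirms the RST was generated locally rather than forwarded.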
With the workaround, I'm still using split tunneling, but I will give that a try.
I have run into the same issue where the APM is sending RST to the TCP traffic, whereas my VPN client has sent only TCP retransmission packets.
Why is APM sending TCP RESET on behalf of the client and my connection? Is there anything specific that you changed on https://support.f5.com/csp/article/K71545523 ? This article is not available anymore.