F5 Big-IP seems to send RST packet on behalf of APM client

legan
Nimbostratus

Hello,

I have a requirement from our business where people need to be able to use some service on the internet directly.

I don't want to use a split tunnel.

The setup is as follows (IPs are examples):

- APM clients have IPs in range 10.1.1.0/24
- Big-IP has internal IP 10.1.10.10
- Big-IP has external IP 5.5.5.5
- IP that has to be reached directly on the internet 6.6.6.6
- NAT address for clients 5.5.5.6

 

Now, when I set this up, I see the following:

- client 10.1.1.1 tries to connect to IP address 6.6.6.6
- traffic passes through the F5
- traffic arrives at firewall, firewall NATs the traffic (10.1.1.1 --> 6.6.6.6 is translated to 5.5.5.6 --> 6.6.6.6)
- response from 6.6.6.6 arrives at firewall and is translated back (6.6.6.6 --> 5.5.5.6 is translated to 6.6.6.6 --> 10.1.1.1)
- packet arrives at F5

And there it stops...

All of the above is verified with packet captures.

The SYN-ACK packet from 6.6.6.6 --> 10.1.1.1 arrives at the F5, but never at the client.

Moreover, the F5 sends a RST-ACK message back to 6.6.6.6 with source IP 10.1.1.1.

Any idea what could be the cause of this issue?

Why doesn't the F5 send the SYN-ACK to the client? It does arrive at the F5.

Thanks.
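An added example, not from the original thread: a small Python correlation of a two-interface capture that flags exactly the symptom described above, a SYN-ACK for a tunnel client seen on the external side that is never forwarded to the internal side and is instead answered by an RST carrying the client's address. The packet tuples and the "internal"/"external" interface labels are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed capture modelled on the thread: one broken flow (10.1.1.1)
# and one healthy flow (10.1.1.2). Tuple layout:
# (interface, src, dst, sport, dport, tcp_flags)
CLIENT_POOL = ip_network("10.1.1.0/24")
PACKETS = [
    ("internal", "10.1.1.1", "6.6.6.6", 51000, 443, "S"),   # client SYN enters tunnel
    ("external", "10.1.1.1", "6.6.6.6", 51000, 443, "S"),   # forwarded toward firewall
    ("external", "6.6.6.6", "10.1.1.1", 443, 51000, "SA"),  # SYN-ACK comes back
    ("external", "10.1.1.1", "6.6.6.6", 51000, 443, "RA"),  # RST-ACK sent as the client
    ("internal", "10.1.1.2", "6.6.6.6", 51001, 443, "S"),
    ("external", "10.1.1.2", "6.6.6.6", 51001, 443, "S"),
    ("external", "6.6.6.6", "10.1.1.2", 443, 51001, "SA"),
    ("internal", "6.6.6.6", "10.1.1.2", 443, 51001, "SA"),  # healthy: SYN-ACK reaches client
]


def find_dropped_synacks(packets, client_pool=CLIENT_POOL):
    """Return flows whose SYN-ACK was seen on the external interface but
    never on the internal one, noting whether an RST was emitted from the
    client's own IP instead. Each flow key is (client, cport, server, sport)."""
    external_synack, internal_synack, resets = set(), set(), set()
    for iface, src, dst, sport, dport, flags in packets:
        if "S" in flags and "A" in flags and ip_address(dst) in client_pool:
            key = (dst, dport, src, sport)
            (external_synack if iface == "external" else internal_synack).add(key)
        elif "R" in flags and iface == "external" and ip_address(src) in client_pool:
            resets.add((src, sport, dst, dport))
    missing = sorted(external_synack - internal_synack)
    return [
        {"client": c, "client_port": cp, "server": s, "server_port": sp,
         "rst_from_client_ip": (c, cp, s, sp) in resets}
        for c, cp, s, sp in missing
    ]


if __name__ == "__main__":
    for flow in find_dropped_synacks(PACKETS):
        print(flow)
```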

6 REPLIES

Yoann_Le_Corvi1
Cumulonimbus

Hi

Do you have the same behaviour with a simple PING?

Wondering whether it could be a TCP port preservation problem?

Yoann

Dave_W
F5 Employee

Hello, I suggest you use the following configuration for this use case instead:

K71545523: Configuring Network Access to exclude IPv4 addresses and DNS domain names when using the 'Force all traffic through tunnel' setting

https://support.f5.com/csp/article/K71545523

legan
Nimbostratus

Thank you.

'Preserve source port strict' is enabled and I also see the response going back to the same port as the client initiated.

With the workaround, I'm still using split tunneling, but I will give that a try.

Yoann_Le_Corvi1
Cumulonimbus

Hi

No virtual server matching (or encapsulating) this IP: 10.1.1.1?

Can you enable RST debugging:

https://support.f5.com/csp/article/K13223

and see what it gives you as reason.

Yoann

legan
Nimbostratus

No, there's no virtual server on that IP.

Thank you for the RST debugging link.

I will try that.

For the time being I have used the solution from K71545523, which has resolved the issue for now.

Hello,

I have come into the same issue where the APM is sending RST to the TCP traffic, whereas my VPN client has sent only a TCP retransmission packet.

Why is APM sending TCP RESET on behalf of the client and my connection? Is there anything specific that you changed on https://support.f5.com/csp/article/K71545523? This article is not available anymore.