F5 Bigip LTM NAT64 config

longnv
Cirrus

Hi everybody,

I have a problem with a VS using IPv6 and a pool/node using IPv4.

My config:

- VS type is Performance Layer 4
- Source Address Translation: none
- Address Translation: enable
- Port Translation: enable
- NAT64: enable

With the same pool member, the VS using IPv4 works, but when I connect to the IPv6 VS I get the error: ERR_CONNECTION_REFUSED

Any ideas about this problem? Thanks

 

 

1 ACCEPTED SOLUTION

This problem has been resolved. TCP connections from the F5 to internal exceeded 64k connections, so a new TCP session is started with the same ports => TCP connection reset. Need SNAT with another self IP for the connection to internal.


32 REPLIES

mihaic
Cirrostratus

I think an IPv6 VIP and a pool with IPv4 and Source NAT enabled is enough to make it work.

I tried Source Address Translation with the 2 options, none and auto map, but the VS is not working. Ping to the VS is OK but the HTTPS service of the VS does not work.

mihaic
Cirrostratus

Disable NAT64, and have Source NAT on automap.

I tried it, but the VS is still not working.

mihaic
Cirrostratus

Maybe I did not understand the problem.

You have an IPv6 VIP, going to a pool of nodes with IPv4, and it is not working.

But when the VIP has IPv4, going to the same pool of IPv4, it is working.

Yes, I'm trying to configure an IPv6 VS for an IPv4 node.

mihaic
Cirrostratus

Please share the config of the VIP, the iRule if you have one, and the pool.

Sending you my VS config below:

ltm virtual VS_IPV6_p443 {
    destination 2001:df1:1f40::11.https
    ip-protocol tcp
    pool P_PORTAL_443
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 808
}

ltm virtual VS_IPV4_p443 {
    destination 103.57.112.17:https
    ip-protocol tcp
    mask 255.255.255.255
    pool P_PORTAL_443
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 802
}

 

mihaic
Cirrostratus

Did you try to use the tcp profile instead of fastL4 on the IPv6 VIP?

longnv
Cirrus

I tried it

mihaic
Cirrostratus

I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the VIP using the IPv6 address?

Your client needs to have an IPv6 address.

Can you share the logs and/or a tcpdump?

Sending you the pcap file; I ran tcpdump on the F5.

mihaic
Cirrostratus

You used this command:

tcpdump -nni VLAN_VNNIC2_CMC_NETNAM_2022 -w /var/tmp/portal-angiang.pcap src host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d

This shows only one-way traffic, from source 2405:4803:fe2a:f320:ddca:770d:da6d:d54d.
That's why we don't see any reply.

You should use something like this for the client side:

tcpdump -nni 0.0:n -s0 host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d

It might also be interesting to see the server side.

My client's ip is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
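
Added example, not part of the original thread or of F5's tooling: a small parser for the capture posted above that pairs each client SYN with the RST sent back from the VIP and reports the delay, the TMM and the listener tag. The function names and the 1 ms threshold are assumptions made for this sketch, and the last sample line is constructed; a reset that acknowledges the SYN's seq+1 within microseconds and is tagged `out ... lis=<virtual server>` was generated on the BIG-IP itself, since no round trip to a pool member fits in that time.

```python
import re

# Four lines copied from the capture posted above (tcpdump text with the F5 noise suffix).
CAPTURE = """\
20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
"""
# Constructed line (not from the thread): a SYN that is never answered with a reset.
CAPTURE += "20:23:27.000000 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43380 > 2001:df1:1f40::11.443: Flags [S], seq 1000, win 65535, length 0 in slot1/tmm0 lis=\n"

LINE = re.compile(
    r"^(?P<ts>[\d:.]+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].* (?P<dir>in|out) slot\d+/(?P<tmm>tmm\d+) lis=(?P<lis>\S*)$")

def to_us(ts):
    """HH:MM:SS.ffffff -> integer microseconds since midnight."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac)

def num(field, line):
    """Value of a 'seq N' / 'ack N' field, or None ('sackOK' is not matched)."""
    m = re.search(rf"\b{field} (\d+)", line)
    return int(m[1]) if m else None

def immediate_resets(text, vip, max_us=1000):
    """Return (resets, unanswered): SYNs to vip that vip itself reset within max_us."""
    pending, resets = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["flags"] == "S" and m["dst"] == vip and m["dir"] == "in":
            pending[(m["src"], m["sport"])] = (to_us(m["ts"]), num("seq", raw))
        elif "R" in m["flags"] and m["src"] == vip and m["dir"] == "out":
            key = (m["dst"], m["dport"])
            syn = pending.get(key)
            delay = to_us(m["ts"]) - syn[0] if syn else None
            # A RST that ACKs seq+1 answers exactly this SYN.
            if syn and num("ack", raw) == syn[1] + 1 and delay <= max_us:
                del pending[key]
                resets.append({"client_port": int(key[1]), "delay_us": delay,
                               "tmm": m["tmm"], "listener": m["lis"]})
    return resets, sorted(int(p) for _, p in pending)

if __name__ == "__main__":
    print(immediate_resets(CAPTURE, "2001:df1:1f40::11"))
```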

mihaic
Cirrostratus

something like this will capture both the client and server side:

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11 

https://support.f5.com/csp/article/K13637

My ipv6 to test is 2401:d800:5357:50b6:98:f028:b92e:3d44


It seems the F5 sends you back a Reset every time you send a SYN.

Here is an article with possible reasons why an F5 sends a Reset:

https://support.f5.com/csp/article/K9812

"You can associate the FastL4 profile with the following virtual types:

  • Performance (Layer 4)
  • Forwarding (Layer 2)
  • Forwarding (IP)
  • Internal"

So try changing the VIP from standard to performance (Layer4).

 

 

 

 

As I said at the top, my

My config:

- VS type is Performance Layer 4; not type Stand

Is there any license for IPv6? My device is using only the IPV6 Gateway license.

 

longnv
Cirrus

My client ip to test is 2401:d800:5357:50b6:98:f028:b92e:3d44


mihaic
Cirrostratus

If the logs/tcpdump don't offer any more info, then you probably need to open a ticket with F5.

I am curious what the issue is. So please share it.

 

My device's support license has expired, so I can't open a support case. 😞

If I can resolve this problem, I will share it with you.

longnv
Cirrus

I tried creating 2 different VSs, VS_IPv6_1 and VS_IPv6_2, with the same pool P_p6435, but VS_IPv6_1 works and VS_IPv6_2 does not work, with the message ERR_CONNECTION_REFUSED. I don't understand where the problem lies.

ltm virtual VS_IPv6_1 {
    destination xxxx:xxxx:xxx::77.https
    ip-protocol tcp
    pool P_p6435
    profiles {
        fastL4 { }
    }
    translate-address enabled
    translate-port enabled
    vs-index 1160
}

ltm virtual VS_IPV6_2 {
    destination xxxx:xxxx:xxx::11.https
    ip-protocol tcp
    pool P_p6435
    profiles {
        fastL4 { }
    }
    translate-address enabled
    translate-port enabled
    vs-index 808
}

 

mihaic
Cirrostratus

Found this article.

https://support.f5.com/csp/article/K9279

It seems you don't need any special license. Also, you don't need SNAT.

Hi, Mihaic

Yes, so now what should I do to check the issue?

 

Well, a tcpdump and some logs are a starting point.

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11 

I ran the command and saw this message:

rst_cause="[0x2915ae4:5030] No server selected" peerremote

I followed the guide: https://support.f5.com/csp/article/K30725108 but my VS has no service profile configured.

https://support.f5.com/csp/article/K13223

here is an article on possible RST causes. Have a look.

This problem has been resolved. TCP connections from the F5 to internal exceeded 64k connections, so a new TCP session is started with the same ports => TCP connection reset. Need SNAT with another self IP for the connection to internal.

Thanks for letting us know how you were able to resolve the issue!

amrishhpuri
Nimbostratus

I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the vip using IPv6 address?

 

Yes, we're accessing the VIP via the client's IPv6 address.