Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

F5 Bigip LTM NAT64 config

Go to solution
longnv
Cirrus
Cirrus

‎22-Nov-2022 02:31

Hi everybody,

I have a problem with VS using IPv6 and Pool, Node IPv4.

My config :

- VS type is Performance Layer 4;  

- Source Address Translation: none

- Address Translation: enable

- Port Translation: enable

-NAT64: enable

With same Pool member for VS using ipv4 then VS working, but when I connection to VS ipv6 then have error : ERR_CONNECTION_REFUSED

Have any ideal for this problem? Thanks

 

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎23-Nov-2022 15:58

This problem has resolved. TCP conection from F5 to internal over 64k connection, so a new tcp session is started with the same ports  => tcp connection reset. Need SNAT with other self ip connection to internal.

View solution in original post

31 REPLIES 31

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 03:11

I think an IPv6 VIP and a pool with IPv4 and Source NAT enabled is enough to make it work.

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 03:14

I tried Source Address Translation with 2 option none and auto map, but VS not working. Ping VS is ok but service HTTPS of VS not work

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 03:16

disable NAT64 , and have Source NAT on automap.

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 03:17

I tried it, but VS not working still

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 03:22

Maybe i did not understand the problem.

You have an IPv6 VIP  , going to a pool of nodes with IPv4. And it is not working

But when the VIP has IPv4 , going to the same pool of IPv4 , it is working.

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 03:24

Yes, I'm trying config VS ipv6 for node ipv4

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 03:29

please share the config of the vip,irule if you have and the pool

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 03:39

Send to you my VS config below:

ltm virtual VS_IPV6_p443 {
destination 2001:df1:1f40::11.https
ip-protocol tcp
pool P_PORTAL_443
profiles {
fastL4 { }
}
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 808

 

 

ltm virtual VS_IPV4_p443 {
destination 103.57.112.17:https
ip-protocol tcp
mask 255.255.255.255
pool P_PORTAL_443
profiles {
tcp { }
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vs-index 802
}

 

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 04:01

Did you try to use tcp  profile instead of fastl4  on the IPv6 vip?

0 Kudos

Go to solution
longnv
Cirrus
Cirrus

‎22-Nov-2022 04:20

I tried it

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 04:27

I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the vip using IPv6 address?

Your client needs to have an IPv6.

can you share the logs and , or have a tcpdump?

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 04:55

Send to you pcap file, i run tcpdump on f5

portal-angiang.zip
0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 05:07

you used this command:

tcpdump -nni VLAN_VNNIC2_CMC_NETNAM_2022 -w /var/tmp/portal-angiang.pcap src host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d

This shows only one way traffic. from source 2405:4803:fe2a:f320:ddca:770d:da6d:d54d
That's why we don't see any reply

You should  use something like this for client side:

tcpdump -nni 0.0:n -s0 host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d  

Also it might be interesting to see the server side also. 

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 05:30

My client's ip is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 05:28 - edited ‎22-Nov-2022 06:53

something like this will capture both the client and server side:

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11 

https://support.f5.com/csp/article/K13637

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 05:42

My ipv6 to test is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=

0 Kudos

Go to solution
mihaic
MVP
MVP
In response to longnv

‎22-Nov-2022 07:19

it seems the F5 sends you back a Reset every time you send a SYN.

Here is an article with possible reasons why an F5 sens Reset:

https://support.f5.com/csp/article/K9812

"You can associate the FastL4 profile with the following virtual types:

  • Performance (Layer 4)
  • Forwarding (Layer 2)
  • Forwarding (IP)
  • Internal"

So try changing the VIP from standard to performance (Layer4).

 

 

 

 

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 07:30

As my talk on top, my 

My config :

- VS type is Performance Layer 4;  not type Stand

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 19:18

Have any license for ipv6? My device using only IPV6 Gateway license.

 

0 Kudos

Go to solution
longnv
Cirrus
Cirrus

‎22-Nov-2022 05:38

My client ip to test is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 07:42

If the logs/tcpdump  don't offer any more info, than you probably need to open a ticket with F5.

I am curious what the issue is. So please share it.

 

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎22-Nov-2022 07:47

My device has expired license support, so I can't open support case. 😞

If i can resolve this problem, I will share for you

0 Kudos

Go to solution
longnv
Cirrus
Cirrus

‎22-Nov-2022 19:27

I tried create 2 VS diffirent are VS_IPv6_1  and VS_IPv6_2 with same pool P_p6435 but VS_IPv6_1 working and VS_IPv6_2 not work with message ERR_CONNECTION_REFUSED. I don't understand where the problem lies

ltm virtual VS_IPv6_1 {
destination xxxx:xxxx:xxx::77.https
ip-protocol tcp
pool P_p6435
profiles {
fastL4 { }
}
translate-address enabled
translate-port enabled
vs-index 1160
}

ltm virtual VS_IPV6_2 {
destination xxxx:xxxx:xxx::11.https
ip-protocol tcp
pool P_p6435
profiles {
fastL4 { }
}
translate-address enabled
translate-port enabled
vs-index 808

 

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Nov-2022 22:36

Found this article.

https://support.f5.com/csp/article/K9279

It seems you don't need any special license. Also, you don't need SNAT.

0 Kudos

Go to solution
hoangnv
Nimbostratus
Nimbostratus
In response to mihaic

‎23-Nov-2022 01:46

Hi ,  Mihaic 

Yes , so now what should i do to check the issue.

 
0 Kudos

Go to solution
mihaic
MVP
MVP
In response to hoangnv

‎23-Nov-2022 02:41

well, a tcpdump and some logs are a starting point.

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11 

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎23-Nov-2022 03:05

I run cmd and see message:

rst_cause="[0x2915ae4:5030] No server selected" peerremote

Flow the guide: https://support.f5.com/csp/article/K30725108 but my VS not config service profile

0 Kudos

Go to solution
mihaic
MVP
MVP
In response to longnv

‎23-Nov-2022 03:43

https://support.f5.com/csp/article/K13223

here is an article on possible RST causes. Have a look.

0 Kudos

Go to solution
longnv
Cirrus
Cirrus
In response to mihaic

‎23-Nov-2022 15:58

This problem has resolved. TCP conection from F5 to internal over 64k connection, so a new tcp session is started with the same ports  => tcp connection reset. Need SNAT with other self ip connection to internal.

Go to solution
Leslie_Hubertus
Community Manager
Community Manager
In response to longnv

‎28-Nov-2022 19:56

Thanks for letting us know how you were able to resolve the issue!

0 Kudos

Go to solution
hoangnv
Nimbostratus
Nimbostratus
In response to amrishhpuri

‎23-Nov-2022 01:40

yes, we're access the vip via client ipv6 address

0 Kudos
Copyright © 2023 Khoros, LLC