22-Nov-2022 02:31
Hi everybody,
I have a problem with a VS using IPv6 and a pool/node using IPv4.
My config:
- VS type is Performance Layer 4;
- Source Address Translation: none
- Address Translation: enable
- Port Translation: enable
- NAT64: enable
With the same pool member, the VS using IPv4 works, but when I connect to the IPv6 VS I get the error: ERR_CONNECTION_REFUSED
Any ideas for this problem? Thanks
22-Nov-2022 03:11
I think an IPv6 VIP and a pool with IPv4 and Source NAT enabled is enough to make it work.
22-Nov-2022 03:14
I tried Source Address Translation with 2 options, none and automap, but the VS is not working. Ping to the VS is OK, but the HTTPS service of the VS does not work.
22-Nov-2022 03:16
Disable NAT64, and have Source NAT on automap.
22-Nov-2022 03:17
I tried it, but the VS is still not working.
22-Nov-2022 03:22
Maybe I did not understand the problem.
You have an IPv6 VIP, going to a pool of nodes with IPv4. And it is not working.
But when the VIP has IPv4, going to the same pool of IPv4, it is working.
22-Nov-2022 03:24
Yes, I'm trying to configure an IPv6 VS for an IPv4 node.
22-Nov-2022 03:29
Please share the config of the VIP, the iRule if you have one, and the pool.
22-Nov-2022 03:39
Sending you my VS config below:
ltm virtual VS_IPV6_p443 {
    destination 2001:df1:1f40::11.https
    ip-protocol tcp
    pool P_PORTAL_443
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 808
}
ltm virtual VS_IPV4_p443 {
    destination 103.57.112.17:https
    ip-protocol tcp
    mask 255.255.255.255
    pool P_PORTAL_443
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 802
}
22-Nov-2022 04:01
Did you try to use tcp profile instead of fastl4 on the IPv6 vip?
22-Nov-2022 04:20
I tried it
22-Nov-2022 04:27
I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the vip using IPv6 address?
Your client needs to have an IPv6.
Can you share the logs and/or a tcpdump?
22-Nov-2022 04:55
22-Nov-2022 05:07
You used this command:
tcpdump -nni VLAN_VNNIC2_CMC_NETNAM_2022 -w /var/tmp/portal-angiang.pcap src host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d
This shows only one-way traffic, from source 2405:4803:fe2a:f320:ddca:770d:da6d:d54d.
That's why we don't see any reply
You should use something like this for client side:
tcpdump -nni 0.0:n -s0 host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d
Also it might be interesting to see the server side also.
22-Nov-2022 05:30
My client's ip is 2401:d800:5357:50b6:98:f028:b92e:3d44
20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
22-Nov-2022 05:28 - edited 22-Nov-2022 06:53
Something like this will capture both the client and server side:
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11
22-Nov-2022 05:42
My ipv6 to test is 2401:d800:5357:50b6:98:f028:b92e:3d44
22-Nov-2022 07:19
It seems the F5 sends you back a Reset every time you send a SYN.
Here is an article with possible reasons why an F5 sends a Reset:
https://support.f5.com/csp/article/K9812
"You can associate the FastL4 profile with the following virtual types:
So try changing the VIP from standard to performance (Layer4).
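The SYN/RST pattern described in the reply above, checked in code. This is an added example, not part of the original thread: it pairs each SYN in the posted tcpdump text with the reset that answers it and reports the listener and the delay. The function names and the 1 ms "generated locally" threshold are assumptions made for the illustration.

```python
import re

# Header of a tcpdump text line as posted in this thread (IPv4 or IPv6).
HEAD = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
SEQ = re.compile(r"\bseq (\d+)")
ACK = re.compile(r"\back (\d+)")
LIS = re.compile(r"\blis=(\S*)")  # trailing field in the posted output naming the listener (virtual server)

def parse(line):
    """Return a dict for one tcpdump line, or None if it is not in the expected shape."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, sport, dst, dport, flags = m.groups()
    seq, ack, lis = SEQ.search(line), ACK.search(line), LIS.search(line)
    return {
        "t": int(hh) * 3600 + int(mm) * 60 + float(ss),
        "src": (src, int(sport)), "dst": (dst, int(dport)), "flags": flags,
        "seq": int(seq.group(1)) if seq else None,
        "ack": int(ack.group(1)) if ack else None,
        "listener": lis.group(1) if lis else "",
    }

def refused_syns(lines, local_gap=0.001):
    """Pair each SYN with the RST answering it (reversed 4-tuple, ack == seq + 1)."""
    pending, hits = {}, []
    for pkt in filter(None, map(parse, lines)):
        if pkt["flags"] == "S":
            pending[(pkt["src"], pkt["dst"])] = pkt
        elif "R" in pkt["flags"]:
            syn = pending.pop((pkt["dst"], pkt["src"]), None)
            if syn and pkt["ack"] == (syn["seq"] + 1) % 2**32:
                gap = pkt["t"] - syn["t"]
                # Assumption (heuristic): a reset this fast was generated locally,
                # not relayed from a pool member.
                hits.append({"client": syn["src"], "listener": pkt["listener"],
                             "gap_us": round(gap * 1e6), "local": gap < local_gap})
    return hits

# First two SYN/RST pairs copied from the capture posted in the thread.
SAMPLE = """\
20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
""".splitlines()

if __name__ == "__main__":
    for hit in refused_syns(SAMPLE):
        print(hit)
```

Each hit names the virtual server that sent the reset, which is the place to continue with the reset-cause articles linked in the thread.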
22-Nov-2022 07:30
As I said at the top, my config:
- VS type is Performance Layer 4; not type Standard
22-Nov-2022 19:18
Is there any license for IPv6? My device is using only the IPv6 Gateway license.
22-Nov-2022 05:38
My client ip to test is 2401:d800:5357:50b6:98:f028:b92e:3d44
22-Nov-2022 07:42
If the logs/tcpdump don't offer any more info, then you probably need to open a ticket with F5.
I am curious what the issue is. So please share it.
22-Nov-2022 07:47
My device has expired license support, so I can't open support case. 😞
If I can resolve this problem, I will share it with you.
22-Nov-2022 19:27
I tried creating 2 different VSs, VS_IPv6_1 and VS_IPv6_2, with the same pool P_p6435, but VS_IPv6_1 works and VS_IPv6_2 does not, with the message ERR_CONNECTION_REFUSED. I don't understand where the problem lies.
ltm virtual VS_IPv6_1 {
    destination xxxx:xxxx:xxx::77.https
    ip-protocol tcp
    pool P_p6435
    profiles {
        fastL4 { }
    }
    translate-address enabled
    translate-port enabled
    vs-index 1160
}
ltm virtual VS_IPV6_2 {
    destination xxxx:xxxx:xxx::11.https
    ip-protocol tcp
    pool P_p6435
    profiles {
        fastL4 { }
    }
    translate-address enabled
    translate-port enabled
    vs-index 808
}
22-Nov-2022 22:36
Found this article.
https://support.f5.com/csp/article/K9279
It seems you don't need any special license. Also, you don't need SNAT.
23-Nov-2022 01:46
Hi Mihaic,
Yes, so now what should I do to check the issue?
23-Nov-2022 02:41
Well, a tcpdump and some logs are a starting point.
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11
23-Nov-2022 03:05
I ran the command and saw this message:
rst_cause="[0x2915ae4:5030] No server selected" peerremote
I followed the guide: https://support.f5.com/csp/article/K30725108 but my VS has no service profile configured.
23-Nov-2022 03:43
https://support.f5.com/csp/article/K13223
Here is an article on possible RST causes. Have a look.
23-Nov-2022 15:58
This problem has been resolved. TCP connections from the F5 to internal went over 64k connections, so a new TCP session is started with the same ports => TCP connection reset. Need SNAT with another self IP for connections to internal.
28-Nov-2022 19:56
Thanks for letting us know how you were able to resolve the issue!
23-Nov-2022 01:40
Yes, we're accessing the VIP via the client's IPv6 address.