F5 Bigip LTM NAT64 config

longnv · ‎22-Nov-2022

Hi everybody,

I have a problem with VS using IPv6 and Pool, Node IPv4.

My config :

- VS type is Performance Layer 4;

- Source Address Translation: none

- Address Translation: enable

- Port Translation: enable

-NAT64: enable

With same Pool member for VS using ipv4 then VS working, but when I connection to VS ipv6 then have error : ERR_CONNECTION_REFUSED

Have any ideal for this problem? Thanks

longnv · ‎23-Nov-2022

This problem has resolved. TCP conection from F5 to internal over 64k connection, so a new tcp session is started with the same ports => tcp connection reset. Need SNAT with other self ip connection to internal.

View solution in original post

mihaic · ‎22-Nov-2022

I think an IPv6 VIP and a pool with IPv4 and Source NAT enabled is enough to make it work.

longnv · ‎22-Nov-2022

I tried Source Address Translation with 2 option none and auto map, but VS not working. Ping VS is ok but service HTTPS of VS not work

mihaic · ‎22-Nov-2022

disable NAT64 , and have Source NAT on automap.

longnv · ‎22-Nov-2022

I tried it, but VS not working still

mihaic · ‎22-Nov-2022

Maybe i did not understand the problem.

You have an IPv6 VIP , going to a pool of nodes with IPv4. And it is not working

But when the VIP has IPv4 , going to the same pool of IPv4 , it is working.

longnv · ‎22-Nov-2022

Yes, I'm trying config VS ipv6 for node ipv4

mihaic · ‎22-Nov-2022

please share the config of the vip,irule if you have and the pool

longnv · ‎22-Nov-2022

Send to you my VS config below:

ltm virtual VS_IPV6_p443 {
destination 2001:df1:1f40::11.https
ip-protocol tcp
pool P_PORTAL_443
profiles {
fastL4 { }
}
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 808

ltm virtual VS_IPV4_p443 {
destination 103.57.112.17:https
ip-protocol tcp
mask 255.255.255.255
pool P_PORTAL_443
profiles {
tcp { }
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vs-index 802
}

mihaic · ‎22-Nov-2022

Did you try to use tcp profile instead of fastl4 on the IPv6 vip?

longnv · ‎22-Nov-2022

I tried it

mihaic · ‎22-Nov-2022

I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the vip using IPv6 address?

Your client needs to have an IPv6.

can you share the logs and , or have a tcpdump?

longnv · ‎22-Nov-2022

Send to you pcap file, i run tcpdump on f5

mihaic · ‎22-Nov-2022

you used this command:

tcpdump -nni VLAN_VNNIC2_CMC_NETNAM_2022 -w /var/tmp/portal-angiang.pcap src host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d

This shows only one way traffic. from source 2405:4803:fe2a:f320:ddca:770d:da6d:d54d
That's why we don't see any reply

You should use something like this for client side:

tcpdump -nni 0.0:n -s0 host 2405:4803:fe2a:f320:ddca:770d:da6d:d54d

Also it might be interesting to see the server side also.

longnv · ‎22-Nov-2022

My client's ip is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443

mihaic · ‎22-Nov-2022

something like this will capture both the client and server side:

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11

https://support.f5.com/csp/article/K13637

longnv · ‎22-Nov-2022

My ipv6 to test is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=

mihaic · ‎22-Nov-2022

it seems the F5 sends you back a Reset every time you send a SYN.

Here is an article with possible reasons why an F5 sens Reset:

https://support.f5.com/csp/article/K9812

"You can associate the FastL4 profile with the following virtual types:

Performance (Layer 4)
Forwarding (Layer 2)
Forwarding (IP)
Internal"

So try changing the VIP from standard to performance (Layer4).

longnv · ‎22-Nov-2022

As my talk on top, my

My config :

- VS type is Performance Layer 4; not type Stand

longnv · ‎22-Nov-2022

Have any license for ipv6? My device using only IPV6 Gateway license.

longnv · ‎22-Nov-2022

My client ip to test is 2401:d800:5357:50b6:98:f028:b92e:3d44

20:23:18.757233 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43366 > 2001:df1:1f40::11.443: Flags [S], seq 1503358393, win 65535, options [mss 1360,sackOK,TS val 19118655 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:18.757248 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43366: Flags [R.], seq 0, ack 1503358394, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:18.798124 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43368 > 2001:df1:1f40::11.443: Flags [S], seq 990884170, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:18.798140 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43368: Flags [R.], seq 0, ack 990884171, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443
20:23:18.813194 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43370 > 2001:df1:1f40::11.443: Flags [S], seq 2676317898, win 65535, options [mss 1360,sackOK,TS val 19118666 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:18.813221 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43370: Flags [R.], seq 0, ack 2676317899, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:21.618714 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43372 > 2001:df1:1f40::11.443: Flags [S], seq 3056621442, win 65535, options [mss 1360,sackOK,TS val 19119370 ecr 0,nop,wscale 8], length 0 in slot1/tmm2 lis=
20:23:21.618735 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43372: Flags [R.], seq 0, ack 3056621443, win 0, length 0 out slot1/tmm2 lis=/Common/VS_IPV6_p443
20:23:21.637323 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43374 > 2001:df1:1f40::11.443: Flags [S], seq 307561307, win 65535, options [mss 1360,sackOK,TS val 19119376 ecr 0,nop,wscale 8], length 0 in slot1/tmm0 lis=
20:23:21.637338 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43374: Flags [R.], seq 0, ack 307561308, win 0, length 0 out slot1/tmm0 lis=/Common/VS_IPV6_p443
20:23:26.425240 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43376 > 2001:df1:1f40::11.443: Flags [S], seq 2494555277, win 65535, options [mss 1360,sackOK,TS val 19120571 ecr 0,nop,wscale 8], length 0 in slot1/tmm3 lis=
20:23:26.425264 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43376: Flags [R.], seq 0, ack 2494555278, win 0, length 0 out slot1/tmm3 lis=/Common/VS_IPV6_p443
20:23:26.439167 IP6 2401:d800:5357:50b6:98:f028:b92e:3d44.43378 > 2001:df1:1f40::11.443: Flags [S], seq 409910347, win 65535, options [mss 1360,sackOK,TS val 19120578 ecr 0,nop,wscale 8], length 0 in slot1/tmm1 lis=
20:23:26.439181 IP6 2001:df1:1f40::11.443 > 2401:d800:5357:50b6:98:f028:b92e:3d44.43378: Flags [R.], seq 0, ack 409910348, win 0, length 0 out slot1/tmm1 lis=/Common/VS_IPV6_p443

mihaic · ‎22-Nov-2022

If the logs/tcpdump don't offer any more info, than you probably need to open a ticket with F5.

I am curious what the issue is. So please share it.

longnv · ‎22-Nov-2022

My device has expired license support, so I can't open support case. 😞

If i can resolve this problem, I will share for you

longnv · ‎22-Nov-2022

I tried create 2 VS diffirent are VS_IPv6_1 and VS_IPv6_2 with same pool P_p6435 but VS_IPv6_1 working and VS_IPv6_2 not work with message ERR_CONNECTION_REFUSED. I don't understand where the problem lies

ltm virtual VS_IPv6_1 {
destination xxxx:xxxx:xxx::77.https
ip-protocol tcp
pool P_p6435
profiles {
fastL4 { }
}
translate-address enabled
translate-port enabled
vs-index 1160
}

ltm virtual VS_IPV6_2 {
destination xxxx:xxxx:xxx::11.https
ip-protocol tcp
pool P_p6435
profiles {
fastL4 { }
}
translate-address enabled
translate-port enabled
vs-index 808

mihaic · ‎22-Nov-2022

Found this article.

https://support.f5.com/csp/article/K9279

It seems you don't need any special license. Also, you don't need SNAT.

hoangnv · ‎23-Nov-2022

Hi , Mihaic

Yes , so now what should i do to check the issue.

mihaic · ‎23-Nov-2022

well, a tcpdump and some logs are a starting point.

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.pcap host 2001:df1:1f40::11

longnv · ‎23-Nov-2022

I run cmd and see message:

rst_cause="[0x2915ae4:5030] No server selected" peerremote

Flow the guide: https://support.f5.com/csp/article/K30725108 but my VS not config service profile

mihaic · ‎23-Nov-2022

https://support.f5.com/csp/article/K13223

here is an article on possible RST causes. Have a look.

longnv · ‎23-Nov-2022

This problem has resolved. TCP conection from F5 to internal over 64k connection, so a new tcp session is started with the same ports => tcp connection reset. Need SNAT with other self ip connection to internal.

Leslie_Hubertus · ‎28-Nov-2022

Thanks for letting us know how you were able to resolve the issue!

amrishhpuri · ‎23-Nov-2022

I know it might sound stupid, but when you test with IPv6, are you sure you are accessing the vip using IPv6 address?

hoangnv · ‎23-Nov-2022

yes, we're access the vip via client ipv6 address

DevCentral

F5 Bigip LTM NAT64 config