Forum Discussion

Kalido (Altostratus)
Mar 18, 2020

Possible routing issue?

Hi Guys,

I have been stuck for ages now and I am not sure if this is a routing issue on the F5.

We have multiple partitions configured on the F5:

Common
DMZ
etc.

They are all on different subnets.

For some reason, when I attempt to hit the VIP with the private IP I can access the VIP in the DMZ; however, when I try to connect to the VIP using the public NATed IP I can't hit the VIP.

I can telnet to the VIP from the F5 but not from my laptop.

Any ideas?

10 Replies

  • We have ACLs configured to allow traffic and it's tested, and the NAT is configured correctly.

    Could it be something to do with the route domain, because we have all VLANs travelling down one link, but we have 2 different route domains?

  • You should have a route to the DMZ subnet towards its gateway. But you said you are able to connect to the VIP using its private IP, so I'm not seeing any issue on the F5. Can you please check the route to the DMZ subnet on the firewall?

  • Thank you for your replies Mayur. The other issue that is confusing me is we have another device which does proxying and it is using the same subnet in the DMZ with a NATed public IP, and that is accessible over the internet.

    It's like the F5 doesn't know the traffic is destined for it or doesn't know how to get the traffic from outside.

  • So in the Common partition I have a self IP and a default route for that partition, for example:

    the subnet is 192.168.1.1/24
    the self IP is 192.168.1.250
    and the route configured is 0.0.0.0/0 for destination and netmask, to gateway 192.168.1.1

    Now the DMZ partition has a subnet of:
    172.16.1.0/24
    The self IP is 172.16.1.250
    But I can't configure a default route on the Common partition, so I configured a route in the DMZ partition with the same as above but with the gateway as 172.16.1.1.

    When I try to telnet from the F5 to the public NAT IP of the DMZ partition, the firewall says the source IP is 192.168.1.250 and the destination is the private IP of the public NAT, and the telnet works.

    However, when I attempt to telnet to the public IP from my PC, the firewall says the destination is the public IP and telnet fails.

    Does that make things clearer?

  • Routing seems to be fine. Please do one thing: clear the session statistics of the affected VIP, then try to telnet to the public IP and see if you are seeing hits on the VIP. I am still suspecting whether the firewall is passing the traffic and it is hitting the F5.

    I can also come on a Zoom session.

    Mayur

  • So if I telnet from the F5 to the public IP it hits the VIP configured with the private IP and I can see hits.
    If I try to do the same from my laptop it doesn't hit the VIP.

    When I look at the logs on the firewall, it looks like when I do it from my laptop it times out trying to do the first part of the TCP handshake, the SYN.

  • Yes, this means traffic is not crossing the firewall. At the very least we should see hits on the F5. Please verify the ACL and NAT again.

    Mayur
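The diagnostic the replies above describe (clear the VIP statistics, retry the connection, then compare what the firewall logged for the SYN against whether the F5 ever saw it) can be automated as a small triage script. The following is an added example, not code posted by anyone in this thread and not an F5 or firewall-vendor tool; the log line format, the addresses, and the `VIP_SYNS_SEEN` snapshot are all constructed for illustration, so the regex would need adapting to a real firewall's syslog format.

```python
import re

# Constructed sample firewall log lines (not from any real device in the thread).
# Each line records the pre-NAT destination (dst) and, where the firewall applied
# destination NAT, the translated address (xlate_dst) for an inbound TCP SYN.
FIREWALL_LOG = """\
2020-03-18T10:00:01 fw1 conn: src=192.168.1.250 dst=203.0.113.10 xlate_dst=172.16.1.50 proto=tcp dport=443 action=allow
2020-03-18T10:00:05 fw1 conn: src=198.51.100.7 dst=203.0.113.10 xlate_dst=- proto=tcp dport=443 action=allow
2020-03-18T10:00:09 fw1 conn: src=198.51.100.9 dst=203.0.113.10 xlate_dst=- proto=tcp dport=443 action=deny
2020-03-18T10:00:13 fw1 conn: src=198.51.100.11 dst=203.0.113.10 xlate_dst=172.16.1.50 proto=tcp dport=443 action=allow
"""

# Constructed snapshot of the client sources whose SYN the F5 actually counted on
# the VIP after its statistics were cleared (what you would read from the VIP stats).
VIP_SYNS_SEEN = {"192.168.1.250"}

# Private (post-NAT) address of the VIP, as in the thread's example topology.
VIP_PRIVATE_IP = "172.16.1.50"  # constructed value

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) xlate_dst=(?P<xlate>\S+) .*action=(?P<action>\w+)"
)


def parse_firewall_log(text):
    """Extract src, dst, translated dst and action from each constructed log line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append(m.groupdict())
    return flows


def triage(flows, vip_syns_seen, vip_private_ip):
    """Map each client source to a verdict on where its SYN stopped.

    The checks run in path order: ACL decision first, then whether destination
    NAT was applied, then whether the F5 ever saw the SYN on the VIP.
    """
    verdicts = {}
    for f in flows:
        src = f["src"]
        if f["action"] != "allow":
            verdicts[src] = "denied by firewall ACL"
        elif f["xlate"] != vip_private_ip:
            verdicts[src] = "allowed, but destination NAT was not applied (check NAT rule/interface)"
        elif src not in vip_syns_seen:
            verdicts[src] = "NATed and allowed, but no SYN reached the VIP (check firewall-to-DMZ route)"
        else:
            verdicts[src] = "reached VIP"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(parse_firewall_log(FIREWALL_LOG), VIP_SYNS_SEEN, VIP_PRIVATE_IP).items():
        print(f"{src:16} {verdict}")
```

Run as-is it classifies the constructed lines: the F5 self IP reached the VIP, one external client was allowed but never translated (the "destination is the public IP" symptom described above), one was denied by the ACL, and one was translated but never counted on the VIP, which points at the firewall-to-DMZ route rather than at the F5.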

  • Thank you for your help Mayur, really appreciate this!

    I will investigate further; however, seeing as telnetting from the F5 using the public IP hit the private-IP VIP on the F5, doesn't that mean that the firewall is doing the NAT translation and traffic is flowing through it?