TCP Connection Reset between VIP and Client

hmian_178112 · ‎14-Jun-2018

Topology:

Pulse Authentication Servers <--> F5 <--> FORTIGATE <--> JUNOS RTR <--> Internet <--> Client/users.

Background:

Clients on the internet attempting to reach a VPN app VIP (load-balances 3 Pulse VPN servers). Nodes + Pool + Vips are UP. I manage/configure all the devices you see. No SNAT/NAT: due to client requirement to see all IP's on Fortigate logs. Client rejected solution to use F5 logging services.

I successfully assisted another colleague in building this exact setup at a different location. For some odd reason, not working at the 2nd location I'm building it on. Compared config scripts. NO differences. Very puzzled. Concerned about FW rules on Fortigates so I am in the middle of comparing the Fortigate FW rule configurations at both locations, but don't let that persuade you.

Results:

Client can't reach VIP using pulse VPN client on client machine. Client also failed to telnet to VIP on port 443, traffic is reaching F5 --> leads to connection resets. I can successfully telnet to pool members on port 443 from F5 route domain 1.

Configuration:

ltm monitor https MONITOR_HTTPS_EXAMPLE {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    destination *:*
    interval 10
    ip-dscp 0
    recv "200 OK"
    recv-disable 500
    send "GET /dana-na/healthcheck/healthcheck.cgi HTTP/1.1\r\nHost: newark.dxc.technology\r\nConnection: Close\r\n\r\n"
    time-until-up 0
    timeout 31
}
ltm node NODE1 {
    address 30.1.1.138%1
}
ltm node NODE2 {
    address 30.1.1.139%1
}
ltm node NODE3 {
    address 30.1.1.140%1
}
ltm persistence source-addr source-addr-2700 {
    app-service none
    match-across-services enabled
    mirror enabled
    timeout 2700
}
ltm pool POOL_EXAMPLE {
    allow-nat no
    allow-snat no
    load-balancing-mode least-connections-member
    members {
        NODE1:https {
            address 30.1.1.138%1
            session monitor-enabled
            state up
        }
        NODE2:https {
            address 30.1.1.139%1
            session monitor-enabled
            state up
        }
        NODE3:https {
            address 30.1.1.140%1
            session monitor-enabled
            state up
        }
    }
    monitor MONITOR_HTTPS_EXAMPLE
}
ltm virtual VIP_EXAMPLE {
    destination 40.1.1.30%1:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source-addr-2700 {
            default yes
        }
    }
    pool POOL_EXAMPLE
    profiles {
        fastL4 { }
    }
    source 0.0.0.0%1/0
    translate-address enabled
    translate-port enabled
    vs-index 4
}
net route-domain SE_EXT_DMZ {
    description SE_EXT_DMZ
    id 1
    vlans {
        SERVER-VLAN-EXAMPLE
        VIP-VLAN-EXAMPLE
    }
}
net self HA_IP {
    address 10.10.0.1/29
    traffic-group traffic-group-local-only
    vlan HA_VLAN
}
net self VIP-VLAN-EXAMPLE_NON_FLOATER {
    address 40.1.1.5%1/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan VIP-VLAN-EXAMPLE
}
net self SERVER-VLAN-EXAMPLE_NON {
    address 30.1.1.133%1/25
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan SERVER-VLAN-EXAMPLE
}
net self SERVER-VLAN-EXAMPLE {
    address 30.1.1.132%1/25
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan SERVER-VLAN-EXAMPLE
}
net self VIP-VLAN-EXAMPLE {
    address 40.1.1.4%1/24
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan VIP-VLAN-EXAMPLE
}
net trunk F5_VLAN_TRUNK {
    bandwidth 20000
    cfg-mbr-count 2
    id 0
    interfaces {
        5.0
        6.0
    }
    lacp enabled
    mac-address f4:15:63:ee:7c:09
    media 10000
    working-mbr-count 2
}
net vlan VIP-VLAN-EXAMPLE {
    if-index 848
    interfaces {
        F5_VLAN_TRUNK {
            tagged
        }
    }
    tag 461
}
net vlan SERVER-VLAN-EXAMPLE {
    if-index 864
    interfaces {
        F5_VLAN_TRUNK {
            tagged
        }
    }
    tag 457
}

TCPDUMP

See next post

AceDawg_204810 · ‎14-Jun-2018

What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

I would do the following then test:

Change the VIP to use SNAT. Test.
If it works, reverse the VIP configuration in step 1 (e.g. no SNAT)
Disable all pool members in POOL_EXAMPLE except for 30.1.1.138
Change the gateway for 30.1.1.138 to 30.1.1.132. Test.

View solution in original post

AceDawg1 · ‎14-Jun-2018

What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

AceDawg1 · ‎14-Jun-2018

I would do the following then test:

Change the VIP to use SNAT. Test.
If it works, reverse the VIP configuration in step 1 (e.g. no SNAT)
Disable all pool members in POOL_EXAMPLE except for 30.1.1.138
Change the gateway for 30.1.1.138 to 30.1.1.132. Test.

AceDawg1 · ‎14-Jun-2018

In addition, do you have a VIP configured for port 4500? Noticed in the traffic capture that there is traffic going to TCP port 4500:

18:01:03.427463 IP (tos 0x0, ttl 64, id 5134, offset 0, flags [DF], proto TCP (6), length 60)
30.1.1.133.51704 > 30.1.1.139.4500: Flags [S], cksum 0x609e (incorrect -> 0x57ee), seq 2071882144, win 14600, options [mss 1460,sackOK,TS val 4213873347 ecr 0,nop,wscale 7], length 0 out slot1/tmm0 lis=

hmian_178112 · ‎14-Jun-2018

THank you AceDawg, your first answer was on point and resolved the issue.

Comment made 4 hours ago by AceDawg 202What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

AceDawg1 · ‎14-Jun-2018

Excellent! I'll post said response as an answer to your question.

Could you "Accept" for me please?

AceDawg1 · ‎14-Jun-2018

What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

I would do the following then test:

Change the VIP to use SNAT. Test.
If it works, reverse the VIP configuration in step 1 (e.g. no SNAT)
Disable all pool members in POOL_EXAMPLE except for 30.1.1.138
Change the gateway for 30.1.1.138 to 30.1.1.132. Test.

hmian_178112 · ‎14-Jun-2018

This was it, I had to change the Gateway for the POOL MEMBERS to the F5 SELF IP rather than the Fortigate Firewall upstream because we are not using SNAT.

AceDawg_204810 · ‎14-Jun-2018

What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

I would do the following then test:

Change the VIP to use SNAT. Test.
If it works, reverse the VIP configuration in step 1 (e.g. no SNAT)
Disable all pool members in POOL_EXAMPLE except for 30.1.1.138
Change the gateway for 30.1.1.138 to 30.1.1.132. Test.

hmian_178112 · ‎14-Jun-2018

This was it, I had to change the Gateway for the POOL MEMBERS to the F5 SELF IP rather than the Fortigate Firewall upstream because we are not using SNAT.

hmian_178112 · ‎14-Jun-2018

It was the first response. Not the one you posted -->

I'll accept once you post the first response you sent (below)

Comment made 5 hours ago by AceDawg 204 What are the Pulse/VPN servers using as their default gateway? They should be using the F5 if SNAT is not in use to avoid asymmetric routing.

AceDawg1 · ‎14-Jun-2018

Mea culpa. I added both answers/responses as the second provides a quick procedure on how things should be configured.

Many thanks.

DevCentral

TCP Connection Reset between VIP and Client

MFA required on DevCentral