Forum Discussion

Chura_16140
Nov 15, 2012

DNS Query - reply from unexpected source

Hi Guys,

I'm new to F5, and something annoys me; I can't find why it happens.

My topology:

Network (Public IP - pretend it's 100.100.100.0/24) --> Switch Stack --> LAG --> Viprion LTM --> Cisco CRS --> WWW

I have a Viprion 4800 and for now I just want to allow traffic to go outside. Here are my questions:

1. I've added a virtual server with 0.0.0.0/0.0.0.0 as Forwarding (IP) to allow the LAN to have connectivity, but unless I open a virtual server back inside (100.100.100.0/255.255.255.0) I have no connectivity. Isn't it stateful?

2. After I open the rule I talked about in (1), I get this message when I try simple resolving from a server behind the F5:

[ip@qa-env ~]$ host google.com 8.8.4.4
;; reply from unexpected source: 8.8.4.4#25965, expected 8.8.4.4#53

tcpdump shows this:

22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)
22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43

So the packets go all good until the return packet gets back to the F5, and then it alters the port!

What am I missing?

*Remember, I have a public IP on the server. I just changed it to 100.100.100.40 for the example.

My virtuals:

ltm virtual MNG_ALLOW_ALL_OUT {
    description "Management Rule - Allow All Traffic Outside"
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        DNS_LAN
        LDAP_LAN
        RADIUS_LAN
    }
    vlans-enabled
}

ltm virtual MNG_QA_ENV_IN {
    description "Management Rule - Allow Radius traffic in"
    destination 100.100.100.0:any
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        CRS1.WAN
        CRS2.WAN
    }
    vlans-enabled
}

29 Replies
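The "reply from unexpected source" message above is the stub resolver refusing a UDP answer whose source IP:port does not match the IP:port the query was sent to. The script below is an added example (it is not part of the original post, and it is not F5 or BIND tooling) that replays that same check over tcpdump text output, so a return path that rewrites the source port, as the F5 does in the capture above, can be spotted from a capture taken on the client or on either side of the load balancer. The sample capture lines are constructed, modelled on the lines in the post, and the packet regex assumes tcpdump's default IPv4 line format.

```python
import re

# Constructed sample capture, modelled on the tcpdump lines in the post above
# (not a live capture): one query whose answer arrives twice, once from the
# expected 8.8.4.4:53 and once from the rewritten source port 25965, plus a
# second, healthy exchange with 8.8.8.8 for contrast.
SAMPLE_CAPTURE = """\
22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)
22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43
22:45:40.001000 IP 100.100.100.40.40001 > 8.8.8.8.53: 1234+ A? example.com. (29)
22:45:40.090000 IP 8.8.8.8.53 > 100.100.100.40.40001: 1234 1/0/0 A 93.184.216.34 (45)
"""

# Matches tcpdump's default text output for IPv4 packets (assumption):
#   <timestamp> IP <src>.<sport> > <dst>.<dport>: <decoded payload>
PACKET_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# A DNS query as tcpdump decodes it: transaction id, '+' for recursion desired.
QUERY_RE = re.compile(r"^\d+\+ ")


def parse_packet(line):
    """Return a dict for one tcpdump line, or None if the line does not match."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def find_unexpected_sources(capture_text, dns_port=53):
    """Replay the resolver's own source check over a capture.

    A stub resolver only accepts a reply whose source IP:port equals the
    IP:port it sent the query to. Every outbound query is remembered under
    the client's socket, and any packet coming back to that socket from a
    different IP:port is reported; that is exactly the condition behind
    the 'reply from unexpected source' error.
    """
    outstanding = {}  # (client_ip, client_port) -> (server_ip, server_port)
    findings = []
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["dport"] == dns_port and QUERY_RE.match(pkt["rest"]):
            outstanding[(pkt["src"], pkt["sport"])] = (pkt["dst"], pkt["dport"])
            continue
        expected = outstanding.get((pkt["dst"], pkt["dport"]))
        if expected is None:
            continue  # not addressed to a socket with a query in flight
        actual = (pkt["src"], pkt["sport"])
        if actual != expected:
            findings.append({
                "ts": pkt["ts"],
                "client": "%s:%d" % (pkt["dst"], pkt["dport"]),
                "got": "%s:%d" % actual,
                "expected": "%s:%d" % expected,
            })
    return findings


def format_finding(finding):
    """Render a finding in the same shape as the resolver's error line."""
    return "%s reply from unexpected source: %s, expected %s (client %s)" % (
        finding["ts"], finding["got"], finding["expected"], finding["client"])


if __name__ == "__main__":
    for finding in find_unexpected_sources(SAMPLE_CAPTURE):
        print(format_finding(finding))
```

Run it as-is to see the one bad reply from the sample; to use it on a real capture, feed it the output of `tcpdump -n udp port 53 or udp` read from a file. The correlation key is the client socket rather than the DNS transaction id, because tcpdump does not decode DNS on a non-53 source port (the fourth line above shows up only as "UDP, length 43"), so matching on the id alone would miss precisely the packet that matters.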