Forum Discussion

Edu_50128
Sep 02, 2013

Routing issues

Hi all,

We are having problems with a routing configuration...

We have some servers whose gateway is the BIG-IP; when these servers try to connect to the Internet, for example, they cannot do it, although we have a route configured in the BIG-IP with this configuration:

    name: default
    destination: default IPv4
    route domain: partition default route domain
    resource type: gateway
    resource: 192.168.159.11
    partition: common

The IP address 192.168.159.11 is the interface of a FW we have.

In the FW we don't receive any traffic from any server trying to connect to the Internet, for example.

If I run tcpdump -i 0.0 -nn host 192.168.159.65, what I see is below:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
15:00:28.585110 IP 192.168.159.65.3518 > 194.140.77.184.80: S 3526229133:3526229133(0) win 65535
15:00:31.521351 IP 192.168.159.65.3518 > 194.140.77.184.80: S 3526229133:3526229133(0) win 65535
15:00:37.535566 IP 192.168.159.65.3518 > 194.140.77.184.80: S 3526229133:3526229133(0) win 65535
15:00:46.494478 IP 192.168.159.65.137 > 192.168.159.29.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:00:46.494498 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
15:00:46.503966 IP 192.168.159.65.137 > 192.168.159.29.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:00:46.503986 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
15:00:47.986254 IP 192.168.159.65.137 > 192.168.159.29.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:47.986275 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
15:00:48.001851 IP 192.168.159.65.137 > 192.168.159.29.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:48.001864 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
15:00:49.485919 IP 192.168.159.65.137 > 192.168.159.29.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:49.485944 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
15:00:49.501486 IP 192.168.159.65.137 > 192.168.159.29.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:00:49.501507 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
15:00:49.566845 IP 192.168.159.65.3520 > 195.57.81.82.80: S 1498716203:1498716203(0) win 65535
15:00:52.531644 IP 192.168.159.65.3520 > 195.57.81.82.80: S 1498716203:1498716203(0) win 65535
15:00:58.530416 IP 192.168.159.65.3520 > 195.57.81.82.80: S 1498716203:1498716203(0) win 65535


Any idea?
Thanks
Regards,

14 Replies

  • The F5 is a deny-all-by-default device. If you want your internal servers to have internet access you'll need to configure one of the following (enabled on the server VLAN) to handle it:

    1) A routing VS
    2) A wildcard VS
    3) A NAT
    4) A SNAT

    I'll try and add some further information and links later in case this isn't enough.

  • Ok, thanks.

    Could you give me more information about the first two options?

    Thanks

    Regards,

  • Yes, thanks.

    Reading this document, it's better (in our case) to configure a wildcard VS, isn't it?

    What we need is to send this traffic (Internet traffic, for example) to a FW interface which will forward it to the Internet. If we want to use the route tables, we should define a wildcard VS, as the document says.

    Don't you agree?

  • Thanks all

    I have configured the wildcard server as you told me, and now the capture I made shows this:

    [admin@ITX196009BDMZ:Active] ~ tcpdump -i 0.0 -nn src host 192.168.159.65 and dst host 194.140.77.184 or src host 194.140.77.184
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:56:30.622616 IP 192.168.159.65.4366 > 194.140.77.184.80: S 1441212874:1441212874(0) win 65535
    08:56:30.622629 IP 194.140.77.184.80 > 192.168.159.65.4366: S 1590552708:1590552708(0) ack 1441212875 win 4380
    08:56:30.623063 IP 192.168.159.65.4366 > 194.140.77.184.80: . ack 1 win 65535
    08:56:30.623493 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
    08:56:30.623878 IP 192.168.159.65.4366 > 194.140.77.184.80: P 1:302(301) ack 1 win 65535
    08:56:30.623884 IP 194.140.77.184.80 > 192.168.159.65.4366: . ack 302 win 4681
    08:56:33.623154 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
    08:56:36.823366 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
    08:56:40.022999 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
    08:56:43.223354 IP 194.140.77.184.80 > 192.168.159.65.4366: R 1:1(0) ack 302 win 4681

    It seems the traffic goes away from the BIG-IP, but the page is not loaded. The FW has the traffic open for IP 192.168.159.65 on the http service.

    The wildcard VS is configured with the standard option, no address translation, and with a pool defined with this server (192.168.159.65).

    What could be happening? Does the FW need to be configured with the IP of the BIG-IP also to permit this traffic? Any other problem in the BIG-IP?

    Thanks

      boneyard
      192.168.159.65 is the system which should be able to access the internet, right? Then it should not be the pool for the wildcard virtual server. If you want to use a pool for the wildcard virtual server (you don't have to; then it just uses the default route from the BIG-IP) you can use an interface on the firewall or router towards the internet.
  • Yes, you are right, .65 is the server that needs to connect to the Internet.

    I have made this change (removed .65 from the pool and configured the pool with the FW interface) and it seems the result is very similar (it's below):

    [admin@ITX196009BDMZ:Active] ~ tcpdump -i 0.0 -nn src host 192.168.159.65 and dst host 194.140.77.184 or src host 194.140.77.184
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    09:30:17.500956 IP 192.168.159.65.4541 > 194.140.77.184.80: S 2272077780:2272077780(0) win 65535
    09:30:17.500976 IP 194.140.77.184.80 > 192.168.159.65.4541: S 2385730972:2385730972(0) ack 2272077781 win 4380
    09:30:17.501462 IP 192.168.159.65.4541 > 194.140.77.184.80: . ack 1 win 65535
    09:30:17.501498 IP 192.168.159.65.4541 > 194.140.77.184.80: S 3054880835:3054880835(0) win 4380
    09:30:17.502236 IP 192.168.159.65.4541 > 194.140.77.184.80: P 1:302(301) ack 1 win 65535
    09:30:17.502248 IP 194.140.77.184.80 > 192.168.159.65.4541: . ack 302 win 4681
    09:30:17.507380 IP 192.168.159.65.4541 > 194.140.77.184.80: . ack 1 win 65535
    09:30:20.500702 IP 192.168.159.65.4541 > 194.140.77.184.80: S 3054880835:3054880835(0) win 4380
    09:30:20.511974 IP 192.168.159.65.4541 > 194.140.77.184.80: . ack 1 win 65535
    09:30:23.700792 IP 192.168.159.65.4541 > 194.140.77.184.80: S 3054880835:3054880835(0) win 4380
    09:30:26.526090 IP 192.168.159.65.4541 > 194.140.77.184.80: . ack 1 win 65535
    09:30:26.901044 IP 192.168.159.65.4541 > 194.140.77.184.80: S 3054880835:3054880835(0) win 4380
    09:30:30.100874 IP 194.140.77.184.80 > 192.168.159.65.4541: R 1:1(0) ack 302 win 4681

    The page is still not loaded.
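
As an added example (not code from this thread or from F5), a small Python analyzer for the legacy tcpdump line format shown in these captures: it groups SYNs by 4-tuple and ISN, reports which ones never got a SYN-ACK back, and flags a second ISN appearing on an unchanged 4-tuple, which is what a full proxy that keeps the client's source address and port produces when it opens its own server-side connection. The sample lines are a constructed subset of the second capture above; the function and variable names are the example's own.

```python
import re

# Legacy "tcpdump -nn" TCP line format as in the captures posted in this thread.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def parse_tcp(lines):
    """Keep only TCP packet lines; NBT/ICMP noise and the tcpdump banner are dropped."""
    return [m.groupdict() for m in (TCP_LINE.match(l.strip()) for l in lines) if m]

def handshake_report(lines):
    """Map (src, sport, dst, dport, isn) -> {"syns": n, "answered": bool}; a SYN is
    answered only when a SYN-ACK acking isn+1 is seen in the opposite direction."""
    report, pkts = {}, parse_tcp(lines)
    for p in pkts:
        if p["flags"] == "S" and p["ack"] is None:      # pure SYN or its retransmit
            key = (p["src"], p["sport"], p["dst"], p["dport"], int(p["seq"]))
            report.setdefault(key, {"syns": 0, "answered": False})["syns"] += 1
    for p in pkts:
        if p["flags"] == "S" and p["ack"] is not None:  # SYN-ACK
            key = (p["dst"], p["dport"], p["src"], p["sport"], int(p["ack"]) - 1)
            if key in report:
                report[key]["answered"] = True
    return report

def summarize(lines):
    """One line per distinct SYN. A second ISN on an unchanged 4-tuple is what a full
    proxy that keeps the client's source IP and port emits for its server-side connection."""
    seen, out = {}, []
    for (src, sport, dst, dport, isn), e in handshake_report(lines).items():
        seen[(src, sport, dst, dport)] = n = seen.get((src, sport, dst, dport), 0) + 1
        status = "SYN-ACK seen" if e["answered"] else "no SYN-ACK"
        note = " [2nd ISN on same 4-tuple: proxy-originated SYN?]" if n > 1 else ""
        out.append(f"{src}:{sport} -> {dst}:{dport} isn={isn}: {e['syns']} SYN(s), {status}{note}")
    return out

# Constructed sample: a subset of the second capture posted in this thread.
SAMPLE = """\
08:56:30.622616 IP 192.168.159.65.4366 > 194.140.77.184.80: S 1441212874:1441212874(0) win 65535
08:56:30.622629 IP 194.140.77.184.80 > 192.168.159.65.4366: S 1590552708:1590552708(0) ack 1441212875 win 4380
08:56:30.623493 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
08:56:33.623154 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
08:56:36.823366 IP 192.168.159.65.4366 > 194.140.77.184.80: S 3025978864:3025978864(0) win 4380
08:56:43.223354 IP 194.140.77.184.80 > 192.168.159.65.4366: R 1:1(0) ack 302 win 4681
15:00:46.494498 IP 192.168.159.29 > 192.168.159.65: ICMP 192.168.159.29 udp port 137 unreachable, length 36
"""
```

Calling summarize(SAMPLE.splitlines()) shows the client's SYN answered by the BIG-IP and the second ISN (the proxy's own SYN towards the pool member) retransmitted three times with no SYN-ACK, which matches the behaviour described in the capture.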

      What_Lies_Bene1
      OK, so the pool member is now the firewall, 192.168.159.11, yes? What does the firewall rule look like, please? Also, what type of VS have you configured? A standard one, it would appear. Can you switch to a Performance (Layer 4), as this would be more appropriate?
  • Yes !!! Now it is working !!!

    Thanks so much for your support !!!

    Regards

  • I changed the type of the Virtual Server from standard to Performance (Layer 4).

    Before that, as you recommended, I changed the pool member, removing the node I created and configuring the interface of the FW.

    Thanks so much again

    Regards,