Ashish_Jais_668
Oct 01, 2014

RESET packets in Asymmetric routing Mode

We have an asymmetric routing environment where the F5 is one of the gateways of the server; because of this we were not able to connect directly to servers that are behind the F5. We fixed the problem by creating a custom FastL4 profile with Loose Initiation and Loose Close enabled, the solution at http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13558.html.

But in this scenario the F5 is not passing the RESET packet that the server sends to the client for a request to a non-listening port. Below are the captures from different interfaces of the F5, where it can be seen that server 10.212.152.126 is sending the reset on the internal VLAN interface STG-INTERNAL-APP-SERVER side, but the F5 is not sending it out on the external interface STG-INTERNAL-APP-VIP.

Any idea whether the F5 doesn't forward reset packets when it doesn't see the original SYN, as against passing the ACK in the same scenario?

tcpdump -i STG-INTERNAL-APP-SERVER port 1835
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-SERVER, link-type EN10MB (Ethernet), capture size 96 bytes
14:01:01.949710 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1706793690 win 0
14:01:04.957670 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0
14:01:10.955519 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0

tcpdump -i STG-INTERNAL-APP-VIP port 1835
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-VIP, link-type EN10MB (Ethernet), capture size 96 bytes

4 Replies

  • Not sure about your current issue but you should be aware tcpdump does not capture all packets when FastL4 is in operation. The only way to ensure you capture all traffic is to specify a physical interface (rate limited to 200pps) or change the VS back to a standard one.

    Regarding your original problem you can enable asymmetric routing by disabling VLAN Keyed Connections as follows:

    Menu path: System > Configuration > Local Traffic > General

  • Yes, I have enabled asymmetric routing and am able to connect to the servers without any problem when communicating on any listening service/port. But when the server sends a RESET to the client, the RESET packet never reaches the client.

    • What_Lies_Bene1
      OK, cool. Did you read my notes on tcpdump and the fact it won't capture all traffic?
  • It's a VIPRION guest and has link aggregation; I can't select interfaces. However, I ran it on all interfaces. RESET packets are being received on the internal VLAN (571) from server 10.212.152.126 but are not being sent to the client.

    -ltm01:/S2-green-P:Active:In Sync] ~ tcpdump -nnpei 0.0 port 1835
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    09:35:07.038139 00:14:4f:fa:73:81 > 00:23:e9:68:29:a2, ethertype 802.1Q (0x8100), length 58: vlan 571, p 0, ethertype IPv4, 10.212.152.126.1835 > 172.26.2.62.62309: R 0:0(0) ack 2959145280 win 0
    09:35:10.041718 00:14:4f:fa:73:81 > 00:23:e9:68:29:a2, ethertype 802.1Q (0x8100), length 58: vlan 571, p 0, ethertype IPv4, 10.212.152.126.1835 > 172.26.2.62.62309: R 0:0(0) ack 1 win 0
    09:35:16.039625 00:14:4f:fa:73:81 > 00:23:e9:68:29:a2, ethertype 802.1Q (0x8100), length 58: vlan 571, p 0, ethertype IPv4, 10.212.152.126.1835 > 172.26.2.62.62309: R 0:0(0) ack 1 win 0
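
Added example, not part of the original thread: a Python helper that compares two tcpdump text captures, as the thread does by eye, and reports flows whose RST appears on the server-side capture but never on the client-side one. The function names are hypothetical, and the sample input is copied from the original post's two captures.

```python
import re
from collections import Counter

# Old- and new-style tcpdump text output, with or without the -e link-layer
# prefix. Take both captures with the same -n setting so port fields compare.
PKT = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ .*?(?:IP |IPv4, )"
    r"(\d+(?:\.\d+){3})\.([\w-]+) > (\d+(?:\.\d+){3})\.([\w-]+): "
    r"(?:Flags \[([^\]]+)\]|([SFPRWE.]+) )"
)

# Sample input copied from the original post (internal, then external VLAN).
SERVER_SIDE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-SERVER, link-type EN10MB (Ethernet), capture size 96 bytes
14:01:01.949710 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1706793690 win 0
14:01:04.957670 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0
14:01:10.955519 IP 10.212.152.126.ardusmul > 172.26.2.100.50812: R 0:0(0) ack 1 win 0
"""
CLIENT_SIDE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on STG-INTERNAL-APP-VIP, link-type EN10MB (Ethernet), capture size 96 bytes
"""

def rst_flows(capture_text):
    """Count RST segments per (src, sport, dst, dport) in tcpdump text."""
    flows = Counter()
    for line in capture_text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # banner lines, truncated lines, non-TCP traffic
        src, sport, dst, dport, new_flags, old_flags = m.groups()
        if "R" in (new_flags or old_flags):
            flows[(src, sport, dst, dport)] += 1
    return flows

def missing_on_egress(ingress_text, egress_text):
    """Flows whose RST was seen in the ingress capture but never on egress."""
    seen_in, seen_out = rst_flows(ingress_text), rst_flows(egress_text)
    return {flow: n for flow, n in seen_in.items() if flow not in seen_out}

if __name__ == "__main__":
    for flow, n in missing_on_egress(SERVER_SIDE, CLIENT_SIDE).items():
        print("%s.%s > %s.%s: %d RST(s) in, none out" % (*flow, n))
```

An empty client-side capture only indicates a drop if that capture point can actually see the traffic, so the first reply's caveat about tcpdump and FastL4 applies to the input of this comparison.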