Outbound TCP port 21 through SNAT

Question

BIGIP version 12.1.1 HF1&nbsp;
Issue: SNAT is not building server-side connections for a TCP session destined to port 21&nbsp;
A colleague was troubleshooting a customer complaint of an FTP connection not working. The source of traffic is an internal, privately-addresses server that is in a SNAT origin list. The destination is an external server that the BIGIP can reach via the default route. Basic IP connectivity had been confirmed via traceroute, which does work through the SNAT.&nbsp;
Tried a basic TCP connection (using Cisco ASA 'tcp ping' utility...it simply sends a TCP SYN, expects a SYN/ACK, then resets the connection). For connections to port 21, the BIGIP receives the traffic (confirmed via tcpdump) but does not build the server-side connection (observed both via tcpdump and the connection table). However trying to a different port using same source/destination is successful. Also tried using a different source address (destination port 21) which failed. Issue appears to follow the destination port.&nbsp;
Did some searching through  and DevCentral but do not see the same issue addressed. Anyone run into this issue and have an explanation?&nbsp;

leonardo_souza3 · Answer

F5 unit is deny default unit (there are exceptions like AFM, anyway...), means you need to have a listener to handle the traffic and then open the server side connection if configured for that.&nbsp;
SNAT is listener, but you first need to make sure that is the SNAT that is handling the connection and not another listener.
You can take the tcpdump with extra information, and you will be able to see which listener is handling the connection.&nbsp;
Information about that:&nbsp;
https://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html&nbsp;
https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html&nbsp;
https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html&nbsp;
If you just want the solution :P, here is the bug you are probably facing:&nbsp;
https://support.f5.com/kb/en-us/solutions/public/k/33/sol33645643.html&nbsp;
There is no workaround in the solution, but it does says that does not affect a virtual server with SNAT.
So, just use a virtual server with SNAT pool and FTP profile.&nbsp;

ed_summers · Answer

F5 Support confirmed it is the bug addressed by the solution article you mentioned. Affects 12.1.0 - 12.1.1.  We actually found this SOL article prior to contacting support, but the language used in the article (the active language "configured the BIG-IP system to process FTP control channel connections using only a SNAT object") made me want to research further.&nbsp;
Accepting your answer - you win the cookie today.&nbsp;

leonardo_souza3 · Answer

lol cookie accepted.&nbsp;

Forum Discussion

Outbound TCP port 21 through SNAT

3 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

Behavior of outbound DNS query from LTM behavior

Lightboard Lessons: SSL Outbound Visibility

Multiple Port Load Balancing

Response port masking