Forum Discussion

Neil8319
Apr 14, 2017

F5 as Default Gateway Routing issue

Hi All, I'm having an issue where a certain client needs to connect directly to a node behind the F5, i.e. bypassing the F5.

The issue I have is that the node has a default gateway of the F5 and it receives a TCP reset after the SYN, SYN-ACK; I think it's an asymmetric routing issue. This is easily resolved by adding a static route on the node for this client to route the traffic back to the firewall, essentially cutting the F5 out of the communication. I need to know if there is a way of routing this traffic back through the F5 without the need for a static route on the node?

After some research on this site I created a forwarding IP virtual server with a customized fastL4 profile to include loose initiation and close, also disabling reset on timeout and disabling keyless vlan, as this suggested it may solve my issue, but no joy.

This is what the tcpdump shows:

    11:35:40.383164 IP 10.1.1.22.48470 > 192.168.1.10.104: SWE 4242789294:4242789294(0) win 8192
    11:35:40.383203 IP 192.168.1.10.104 > 10.1.1.22.48470: R 0:0(0) ack 4242789295 win 0


6 Replies

  • For anyone who happens to read this: I found that if I changed the destination to anything other than a wildcard 0.0.0.0, the routing works. In the example above I changed the destination to be 192.168.1.0/24 on my outbound forwarding IP server and the routing works.

    It seems my version of F5 does not work with a wildcard destination of 0.0.0.0.

    • Neil8319

      I thought it was possible to have a completely open IP forwarding virtual server listening on the internal VLAN, as many of the articles on this site seem to suggest, i.e. source 0.0.0.0/0 and destination 0.0.0.0/0.

      It's obviously not the case. In any case my issue is resolved.

    • Kevin_Davies_40

      I mistook your word wildcard to mean *. You are using 0.0.0.0 and that's fine. There must be something else causing you a problem. I am glad to hear it is resolved.

  • I had the same issue, which I resolved by setting the destination to 0.0.0.0/0.

    I initially didn't have the mask set, which unfortunately the system still accepted.

    i.e. 0.0.0.0 = fail, 0.0.0.0/0 = win

    • koheed_51878

      From the CLI the difference is the "mask" setting. Not sure why the F5s will accept 0.0.0.0/32, but there it is:

      ltm virtual wildcard-forwarding {
          destination 0.0.0.0:any
          ip-forward
          ip-protocol tcp
          mask 255.255.255.255
          partition GEN
      }

      ltm virtual wildcard-forwarding {
          destination 0.0.0.0:any
          ip-forward
          ip-protocol tcp
          mask any
          partition GEN
      }
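As an added example (not code from this thread or from F5), a small Python check that parses tmsh-style `ltm virtual` output and flags ip-forward virtuals whose 0.0.0.0 destination still carries a host mask, the failing variant koheed_51878's first block shows. The sample text is constructed from the two blocks above, with the second renamed so both can coexist; the regex and the "missing mask means host mask" fallback are this example's assumptions.

```python
import re

# Constructed sample in the shape of tmsh output: the two variants from the
# thread, the second one renamed so both can live in one dump.
SAMPLE_TMSH = """\
ltm virtual wildcard-forwarding {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol tcp
    mask 255.255.255.255
    partition GEN
}
ltm virtual wildcard-forwarding-fixed {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol tcp
    mask any
    partition GEN
}
"""

# Assumed layout: "ltm virtual <name> {" opens a block, a "}" at column 0 closes it.
BLOCK_RE = re.compile(r"ltm virtual (\S+) \{(.*?)^\}", re.S | re.M)

def parse_virtuals(text):
    """Return {name: {property: value}} for each ltm virtual block.
    Bare flags such as ip-forward are stored as True."""
    virtuals = {}
    for name, body in BLOCK_RE.findall(text):
        props = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            props[key] = value if value else True
        virtuals[name] = props
    return virtuals

def find_host_masked_wildcards(text):
    """Names of ip-forward virtuals with destination 0.0.0.0 and a /32 host mask,
    i.e. the 'destination accepted without a mask' case from the thread."""
    flagged = []
    for name, props in parse_virtuals(text).items():
        host = str(props.get("destination", "")).rsplit(":", 1)[0]  # drop ":any"/":port"
        # Assumption: a block that lists no mask behaves like the host-mask variant.
        mask = props.get("mask", "255.255.255.255")
        if props.get("ip-forward") is True and host == "0.0.0.0" and mask == "255.255.255.255":
            flagged.append(name)
    return flagged
```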