Forwarding IP VS not returning packets

Question

Hi all,&nbsp;
  I apologize for posting what has probably been asked before, but my search-fu seems to be completely failing me at the moment.&nbsp;
  I'm trying to set up an F5 LTM (11.3) as a gateway for a particular subnet (172.16.88.224/28). The external switch/router has a static route pointing this network to the external address of the F5 cluster (128.6.31.124). The F5, in turn, has a forwarding IP virtual_server setup for the network, allowing all traffic in. (The purpose is to be able to reach hosts on that network directly via SSH or RDP.) However, I cannot get it working right. According to tcpdump, the packets are being received on the internal network interface of the F5, and being passed along to the client. The client responses are coming back to the F5, as expected (the servers all have the proper gateway, 172.16.88.225, setup. However, those return packets are *NOT* making it back through the F5 (ie. from the internal interface to the external interface). I'm assuming I have something configured wrong somewhere, but I can't see what.&nbsp;
  I've attached stripped-down versions of bigip.conf and bigip_base.conf with the relevant network and virtual sever information.&nbsp;
  If anyone can help me, I'd really appreciate it; I've been fighting this for several days, and haven't found any documentation, advice, or forum posts that address precisely my problem.&nbsp;
 &nbsp;
  Thanks.&nbsp;

what_lies_bene1 · Answer

Sorry but can you point out which VS, RD etc. relates to your issue please? 
&nbsp;  
&nbsp; Sounds like either a plain routing issue or asymmetric routing is occurring perhaps.

joe_l_ · Answer

The External interface is 128.6.31.124, which is the floating traffic-group IP between the active-passive failover F5 pair. The internal network is 172.16.88.224/28, on VLAN "Adobe_Connect". The F5 floating IP on that interface is 172.16.88.225, which is also set to the primary gateway address on all servers attached to that network. The default route for the F5 traffic (non-management) is 128.6.31.65, located on the External net. 
&nbsp;  
&nbsp; The forwarding VS is "Adobe-Connect_Net", defined as follows: 
&nbsp;  
&nbsp; ltm virtual /Common/Adobe-Connect_Net { 
&nbsp;     description 172.16.88.224/28 
&nbsp;     destination /Common/172.16.88.224:0 
&nbsp;     ip-forward 
&nbsp;     mask 255.255.255.240 
&nbsp;     profiles { 
&nbsp;         /Common/AC_Net_fastL4 { } 
&nbsp;     } 
&nbsp;     source 0.0.0.0/0 
&nbsp;     translate-address disabled 
&nbsp;     translate-port disabled 
&nbsp;     vlans-disabled 
&nbsp; } 
&nbsp;  
&nbsp; ltm profile fastl4 /Common/AC_Net_fastL4 { 
&nbsp;     app-service none 
&nbsp;     defaults-from /Common/fastL4 
&nbsp;     idle-timeout 300 
&nbsp;     ip-tos-to-client pass-through 
&nbsp;     ip-tos-to-server pass-through 
&nbsp;     keep-alive-interval disabled 
&nbsp;     link-qos-to-client pass-through 
&nbsp;     link-qos-to-server pass-through 
&nbsp;     loose-close enabled 
&nbsp;     loose-initialization enabled 
&nbsp;     mss-override 0 
&nbsp;     reassemble-fragments disabled 
&nbsp;     reset-on-timeout enabled 
&nbsp;     rtt-from-client disabled 
&nbsp;     rtt-from-server disabled 
&nbsp;     software-syn-cookie disabled 
&nbsp;     tcp-close-timeout 5 
&nbsp;     tcp-generate-isn disabled 
&nbsp;     tcp-handshake-timeout 5 
&nbsp;     tcp-strip-sack disabled 
&nbsp;     tcp-timestamp-mode preserve 
&nbsp;     tcp-wscale-mode preserve 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; To clarify what I said in the prevoius message, packets (ping, SSH, etc) are arriving at the External interface of the F5, and being properly passed to the Adobe_Connect internal interface. Reply packets from the servers on that network, however, are *NOT* being passed back the other way. (ie. The Adobe_Connect interface sees the packets, but according to tcpdump, they aren't being passed back to the External interface.) &nbsp;

what_lies_bene1 · Answer

OK, I see the issue, the VS on the internal network needs to be 0.0.0.0:0, not 172.16.88.224:0. Remember the VS is the destination, not the source.

joe_l_ · Answer

Posted By What Lies Beneath on 05/13/2013 11:28 AM&nbsp;
OK, I see the issue, the VS on the internal network needs to be 0.0.0.0:0, not 172.16.88.224:0. Remember the VS is the destination, not the source.
&nbsp;
Unfortunately, that doesn't seem to work either. The result is the same.&nbsp;
As an additional datapoint, here's what it looks like if I try to ping or SSH from my workstation to a server behind the F5:&nbsp;
 &nbsp;
[user@f5lb-1:Active] ~  tcpdump -i Adobe_Connect -n host 128.6.210.75&nbsp;
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode&nbsp;
listening on Adobe_Connect, link-type EN10MB (Ethernet), capture size 96 bytes&nbsp;
14:38:03.654655 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 0, length 64&nbsp;
14:38:04.655426 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 1, length 64&nbsp;
14:38:05.656156 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 2, length 64&nbsp;
14:38:06.657307 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 3, length 64&nbsp;
14:38:07.658310 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 4, length 64&nbsp;
14:38:08.659407 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 5, length 64&nbsp;
14:38:09.660519 IP 172.16.88.227 &gt; 128.6.210.75: ICMP echo reply, id 52897, seq 6, length 64&nbsp;
14:38:14.462946 IP 172.16.88.227.ssh &gt; 128.6.210.75.49178: R 0:0(0) ack 3909000084 win 0&nbsp;
14:38:15.468394 IP 172.16.88.227.ssh &gt; 128.6.210.75.49178: R 0:0(0) ack 1 win 0&nbsp;
14:38:16.573520 IP 172.16.88.227.ssh &gt; 128.6.210.75.49178: R 0:0(0) ack 1 win 0&nbsp;
14:38:17.674576 IP 172.16.88.227.ssh &gt; 128.6.210.75.49178: R 0:0(0) ack 1 win 0&nbsp;
14:38:18.777940 IP 172.16.88.227.ssh &gt; 128.6.210.75.49178: R 0:0(0) ack 1 win 0&nbsp;
14:38:19.885833 IP 172.16.88.227.ssh &gt; 128.6.210.75.49178: R 0:0(0) ack 1 win 0&nbsp;
^C&nbsp;
13 packets captured&nbsp;
13 packets received by filter&nbsp;
0 packets dropped by kernel&nbsp;
 &nbsp;
So, obviously, the server is receiving the initial packets and trying to respond. The External interface, however, shows nothing being sent out; neither does the switch it is connected to, for that matter. Just for testing, I also setup packet filtering rules; the logs indicate that packets in both directions (from my workstation to the server, and vice-versa) are being accepted, not dropped. So there's something between the transition from Adobe_Connect to External that's getting dropped somewhere, it appears. Do I need to add a specific route or something similar to that network, to direct it out the External interface?&nbsp;

Forum Discussion

Forwarding IP VS not returning packets

4 Replies

Recent Discussions

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

The return of DevCentral CodeShare.

Automating Packet Captures on BIG-IP

F5 packet buffer