Forum Discussion

legan's avatar
legan
Icon for Nimbostratus rankNimbostratus
Oct 23, 2019

F5 Big-IP seems to send RST packet on behalf of APM client

Hello,

 

I have a requirement from our business where people need to be able to use some service on the internet directly.

I don't want to use a split tunnel.

 

The setup is as follows (IPs are examples):

 

- APM clients have IPs in range 10.1.1.0/24

- Big-IP has internal IP 10.1.10.10

- Big-IP has external IP 5.5.5.5

- IP that has to be reached directly on the internet 6.6.6.6

- NAT address for clients 5.5.5.6

 

Now, when I set this up, I see the following:

 

- client 10.1.1.1 tries to connect to IP address 6.6.6.6

- traffic passes through the F5 

- traffic arrives at firewall, firewall NATs the traffic (10.1.1.1 --> 6.6.6.6 is translated to 5.5.5.6 --> 6.6.6.6)

- response from 6.6.6.6 arrives at firewall and is translated back (6.6.6.6 --> 5.5.5.6 is translated to 6.6.6.6 --> 10.1.1.1)

- packet arrives at F5

 

And there is stops...

All of the above is verified with packet captures.

 

The SYN-ACK packet from 6.6.6.6 --> 10.1.1.1 arrives at the F5, but never at the client.

Moveover, the F5 sends a RST-ACK message back to 6.6.6.6 with source IP 10.1.1.1.

 

Any idea what could be the cause of this issue?

Why doesn't the F5 send the SYN-ACK to the client? It does arrive at the F5.

 

Thanks.

6 Replies

  • Hi

     

    Do you have the same behaviour with a simple PING ?

     

    Wondering whether it could be a TCP port preservation problem ?

     

    Yoann

  • legan's avatar
    legan
    Icon for Nimbostratus rankNimbostratus

    Thank you.

     

    'Preserve source port strict' is enabled and I also see the response going back to the same port as the client initiated.

     

    With the workaround, I'm still using split tunneling, but I will give that a try.

     

     

  • legan's avatar
    legan
    Icon for Nimbostratus rankNimbostratus

    No, there's no virtual server on that IP.

    Thank you for the RST debugging link.

    I will try that.

    For the time being I have used the solution from K71545523, which has resolved the issue for now.

    • ZANOOB's avatar
      ZANOOB
      Icon for Cirrus rankCirrus

      Hello ,

      I have come into the same issue where the APM is sending RST to the tcp traffic , where are my VPN client has sent only tcp retrsmission packet.

      Why is APM sending TCP RESET on behlaf of the client and my connect. Is there anythign specific that you changed on https://support.f5.com/csp/article/K71545523 . This article is not availabel anymore.