Forum Discussion

Yonatan_Talmor
Aug 20, 2017

forwarding IP VS: TCP resets

Hello, this is a 2nd thread on an unresolved issue. I hope this case justifies a new thread due to the change of focus on the issue, from when it was originally asked to where it stands now. If unaccepted, I'll respect that.

This is about a forwarding IP VS. It normally works well, with the following exception:

When host(s) in a bridged network (external L3, bridged by F5) initiate a TCP connection to the target forwarding IP VS, the response comes from a random TCP port (not the port originally addressed), followed by a TCP reset initiated by the host(s) itself.

A workaround suggested by good people from this community showed that when the forwarding VS is narrowed from a range to a single address (netmask 32), the issue is resolved, and no TCP resets are initiated by the hosts anymore. However, this workaround is no good as a solution, because it may result in hundreds of VSs, one per new host in the network. Also, it wasn't helped by "Source Port: Preserve Strict" and "VLAN-keyed connections" being already selected (thank you gersbah).

This issue is a major problem for us; I would love to hear your thoughts. Thanks!

 

4 Replies

  • Hi,

    before answering, I have a question:

    Do you really require bridge mode?

    When I read your question, I understood that the hosts are in one VLAN, the FWSM in another VLAN, and that you configured a VLAN group with these two VLANs.

    With this kind of configuration, I should have created a new network instead of trying to configure this weird configuration.

    In the previous thread, Chris Grant answered that bridge mode is difficult to troubleshoot... and it is true: you are wasting your time configuring something you can do differently!

    Now, let's try to solve the issue anyway.

    Your problem may be a loop problem between the Active / Standby members if the VLAN group is not well configured. Try to disable one of the two network interfaces on the standby member...

    As I remember from when I did it 10 years ago:

    • You may create a Forwarding (Layer 2) VS instead of a Forwarding IP VS.
    • The VLAN group must have the "Bridge In Standby" option unchecked if "Transparency Mode" is Opaque.
    • The VLAN group should have the "Bridge In Standby" option checked if "Transparency Mode" is Transparent or Translucent.
  • Stanislas Piron: your answer solved my case. Thank you! The routing approach did the trick, no more TCP resets. I still think that the bridging approach does make sense, and is even less complicated to set up. But: routing worked for me with the exact setup you explained, given that there's a default route with the FWSM as the GW.

    Hi,

    You can use BIGIP as a router without SNAT:

    • Create 2 VLANs: Host_VLAN and FW_VLAN.
    • Create 2 Self IPs: 10.1.1.2/24 in Host_VLAN, 10.1.2.2/24 in FW_VLAN.
    • Create 2 floating IPs for routing: 10.1.1.1/24 in Host_VLAN, 10.1.2.1/24 in FW_VLAN.
    • Configure the FW to route Host_VLAN through BIGIP: 10.1.1.0/24 GW 10.1.2.1.
    • Configure the Hosts to route all traffic through BIGIP: 0.0.0.0/0 GW 10.1.1.1.
    • Configure one Forwarding IP VS for Hosts: destination 0.0.0.0/0, VLAN Host_VLAN, protocol: * All Protocols.
    • Configure one Forwarding IP VS for FW: destination 10.1.1.0/24, VLAN FW_VLAN, protocol: * All Protocols.

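The routing design from the answer above, written out as tmsh commands as an added example (not code from the thread or from F5). Interface numbers, object names, the firewall's inside address (10.1.2.254, a placeholder) and the standby unit's own self IPs are assumptions.

```tmsh
# Added example, not from the thread. Run from tmsh on the active unit;
# the standby needs its own non-floating self IPs (e.g. 10.1.1.3 / 10.1.2.3, assumed).
create net vlan Host_VLAN interfaces add { 1.1 { untagged } }
create net vlan FW_VLAN interfaces add { 1.2 { untagged } }

# Non-floating self IPs (one per unit). allow-service none keeps the
# BIG-IP's own listeners off these addresses; they only need to route.
create net self Host_VLAN_self address 10.1.1.2/24 vlan Host_VLAN allow-service none traffic-group traffic-group-local-only
create net self FW_VLAN_self address 10.1.2.2/24 vlan FW_VLAN allow-service none traffic-group traffic-group-local-only

# Floating self IPs: the gateway addresses the hosts and the FW point at.
# They follow the active unit, so failover does not change next hops.
create net self Host_VLAN_float address 10.1.1.1/24 vlan Host_VLAN allow-service none traffic-group traffic-group-1
create net self FW_VLAN_float address 10.1.2.1/24 vlan FW_VLAN allow-service none traffic-group traffic-group-1

# Default route towards the FWSM (10.1.2.254 is a placeholder for its inside address).
create net route default_to_fw network 0.0.0.0/0 gw 10.1.2.254

# Forwarding IP VS for traffic arriving from the hosts: any destination, all
# protocols, but listening only on Host_VLAN (vlans-enabled limits exposure).
create ltm virtual vs_fwd_from_hosts destination 0.0.0.0:any mask any ip-protocol any ip-forward vlans-enabled vlans add { Host_VLAN } profiles add { fastL4 }

# Forwarding IP VS for traffic coming back from the firewall: only the host
# subnet is forwarded, and only when it arrives on FW_VLAN.
create ltm virtual vs_fwd_from_fw destination 10.1.1.0:any mask 255.255.255.0 ip-protocol any ip-forward vlans-enabled vlans add { FW_VLAN } profiles add { fastL4 }

save sys config

# Check: both VSs should show ip-forward with translate-address/port disabled
# and exactly one VLAN each.
list ltm virtual vs_fwd_from_hosts
list ltm virtual vs_fwd_from_fw
```

No SNAT is configured, so the hosts' source addresses reach the FWSM unchanged, which is what the routing-without-SNAT setup in the answer relies on.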

    • Stanislas_Piro2

      I'm glad my solution solved your problem.

      About bridge mode, this seems simpler to set up, but with F5, like all other solutions, it's a nightmare to manage!

      PS: if my solution solved the issue, mark it as the solution instead of yours :-)


    • Yonatan_Talmor

      It was my intention to mark yours, but it was given as a comment, while the topic answer was not indicative of the solution. That's why I copied your response to a new answer, which I marked. But now I'll change it.