Outbound connections from behind F5

Question

We have two sets of virtual servers. Set A is for ports 80 and 443 attached to a self IP at x.x.1.20 on our public facing network, Set B is for 80 and 443 on x.x.2.31 on our public network.   
&nbsp;      
&nbsp;   Set A uses two hosts on a private network 10.1.106.0 in its resource pool. Set B uses two hosts on our x.x.1.0 public network in its resource pool.   
&nbsp;      
&nbsp;   I can make an outbound connection to any Internet address from a host in Set A's pool, eg:   
&nbsp;      
&nbsp;   uwcmmp1:/ telnet 208.185.32.185 80   
&nbsp;   Trying 208.185.32.185...   
&nbsp;   Connected to 208.185.32.185.   
&nbsp;   Escape character is '^]'.   
&nbsp;      
&nbsp;   I cannot make an outbound connection to any Internet address from the hosts in Set B's pool, eg:   
&nbsp;      
&nbsp;   blackboard-app1:/ telnet 208.185.32.185 80   
&nbsp;   Trying 208.185.32.185...   
&nbsp;   telnet: Unable to connect to remote host: Connection refused   
&nbsp;      
&nbsp;   Pool hosts in Set A have their default router set to the F5's 10.1.106.0 address (10.1.106.85), and those in Set B have it set to the F5's x.x.1.0 address (x.x.1.43).   
&nbsp;  
&nbsp; Furthermore there are two SNATs defined. One translates connections from the 10.1.106 network to the x.x.1.20 address, and the other translates connections from the x.x.1.0 network hosts to x.x.2.31. 
&nbsp;      
&nbsp;   What differences should I be looking for in my configuration? Any obvious problems?   
&nbsp;      
&nbsp;

dennypayne · Answer

My first thought is that whatever the LTM's default gateway is doesn't know how to route x.x.1.0 addresses back to the LTM.  I would run  tcpdump -i  host 208.185.32.185  while you attempt the telnet to see if you can see the traffic coming and going. 
  
 Denny

copelanda_17428 · Answer

Here are two tcpdumps of the same connection. 
&nbsp;  
&nbsp; The connection is from host 130.68.1.212 - which is behind our LTM, being SNATed as 130.68.2.31 to "the world" - to 208.185.32.185 on port 80 (our host out on "the internet").  
&nbsp;  
&nbsp; The first tcpdump is capturing traffic on our vlan "subnet_2" which is associated with all 130.68.2.0 addresses.  
&nbsp;  
&nbsp; The second tcpdump is capturing traffic on our vlan "public_inet" which is associated with all 130.68.1.0 addresses. 
&nbsp;  
&nbsp; from vlan "subnet_2" (130.68.2.0) 
&nbsp;  
&nbsp; reading from file tcpdump_12316.dmp, link-type EN10MB (Ethernet) 
&nbsp; 10:34:10.739185 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 &gt; 130.68.2.31.64384: S, cksum 0x1576 (correct), 246177326:246177326(0) ack 3791885143 win 1460  
&nbsp; 10:34:10.739212 IP (tos 0x0, ttl 255, id 7382, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 &gt; 208.185.32.185.80: R, cksum 0x5bf3 (correct), 1:1(0) ack 1 win 0 
&nbsp; 10:34:12.500509 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 &gt; 130.68.2.31.64396: S, cksum 0xac86 (correct), 259263702:259263702(0) ack 253042618 win 1460  
&nbsp; 10:34:12.500533 IP (tos 0x0, ttl 255, id 11571, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64396 &gt; 208.185.32.185.80: R, cksum 0xf303 (correct), 1:1(0) ack 1 win 0 
&nbsp; 10:34:14.107204 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 &gt; 130.68.2.31.64384: S, cksum 0xb1c5 (correct), 249545131:249545131(0) ack 3791885143 win 1460  
&nbsp; 10:34:14.107228 IP (tos 0x0, ttl 255, id 15250, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 &gt; 208.185.32.185.80: R, cksum 0xf842 (correct), 1:1(0) ack 1 win 0 
&nbsp; 10:34:14.115202 IP (tos 0xc0, ttl 242, id 7741, offset 0, flags [none], proto ICMP (1), length 68) 208.185.32.185 &gt; 130.68.2.31: ICMP host 208.185.32.185 unreachable - admin prohibited, length 48 
&nbsp; IP (tos 0x0, ttl 244, id 15250, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64384 &gt; 208.185.32.185.80: R, cksum 0x8251 (correct), 1582045095:1582045095(0) ack 1 win 0 
&nbsp; 10:34:15.867192 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 52) 208.185.32.185.80 &gt; 130.68.2.31.64396: S, cksum 0x4ea1 (correct), 262630024:262630024(0) ack 253042618 win 1460  
&nbsp; 10:34:15.867216 IP (tos 0x0, ttl 255, id 18971, offset 0, flags [DF], proto TCP (6), length 40) 130.68.2.31.64396 &gt; 208.185.32.185.80: R, cksum 0x951e (correct), 1:1(0) ack 1 win 0 
&nbsp;  
&nbsp; from vlan "public_inet" (130.68.1.0) 
&nbsp;  
&nbsp; reading from file tcpdump_12362.dmp, link-type EN10MB (Ethernet) 
&nbsp; 10:38:52.761141 IP (tos 0x0, ttl 64, id 2785, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.212.64729 &gt; 208.185.32.185.80: S, cksum 0x20b3 (correct), 1826467050:1826467050(0) win 49640  
&nbsp; 10:38:52.761186 IP (tos 0x0, ttl 63, id 2785, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.64729 &gt; 208.185.32.185.80: S, cksum 0x2068 (correct), 1826467050:1826467050(0) win 49640  
&nbsp; 10:38:53.013422 IP (tos 0x0, ttl 64, id 33625, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.216.54519 &gt; 208.185.32.185.80: S, cksum 0x61a0 (correct), 3742572965:3742572965(0) win 49640  
&nbsp; 10:38:53.013439 IP (tos 0x0, ttl 63, id 33625, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.54519 &gt; 208.185.32.185.80: S, cksum 0x6159 (correct), 3742572965:3742572965(0) win 49640  
&nbsp; 10:38:56.130563 IP (tos 0x0, ttl 64, id 2786, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.212.64729 &gt; 208.185.32.185.80: S, cksum 0x20b3 (correct), 1826467050:1826467050(0) win 49640  
&nbsp; 10:38:56.130580 IP (tos 0x0, ttl 63, id 2786, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.64729 &gt; 208.185.32.185.80: S, cksum 0x2068 (correct), 1826467050:1826467050(0) win 49640  
&nbsp; 10:38:59.772311 IP (tos 0x0, ttl 64, id 33626, offset 0, flags [DF], proto TCP (6), length 52) 130.68.1.216.54519 &gt; 208.185.32.185.80: S, cksum 0x61a0 (correct), 3742572965:3742572965(0) win 49640  
&nbsp; 10:38:59.772329 IP (tos 0x0, ttl 63, id 33626, offset 0, flags [DF], proto TCP (6), length 52) 130.68.2.31.54519 &gt; 208.185.32.185.80: S, cksum 0x6159 (correct), 3742572965:3742572965(0) win 49640  
&nbsp; 10:39:01.016667 IP (tos 0x0, ttl 255, id 23769, offset 0, flags [DF], proto TCP (6), length 40) 208.185.32.185.80 &gt; 130.68.1.212.64729: R, cksum 0x2353 (correct), 0:0(0) ack 1826467051 win 0 
&nbsp; 10:39:07.116736 IP (tos 0x0, ttl 255, id 32785, offset 0, flags [DF], proto TCP (6), length 40) 208.185.32.185.80 &gt; 130.68.1.216.54519: R, cksum 0x6440 (correct), 0:0(0) ack 3742572966 win 0 
&nbsp;  
&nbsp;  
&nbsp;  &nbsp;

Forum Discussion

Outbound connections from behind F5

2 Replies

Recent Discussions

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Related Content

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

Behavior of outbound DNS query from LTM behavior

Troubeshooting website connection

Lightboard Lessons: SSL Outbound Visibility