Strange issue with SNAT stats, pinging self IP and Allow None
Hi,
I am running out of ideas why BIG-IP behaves as in cases described below, either it's my lack of knowledge, expected behavior or bug.
Tested on v11.2.0HF7 Active-Passive cluster.
Case 1 - SNAT stats increased even if SNAT object not used
SNAT object defined with:
- Origin: 10.128.30.0/24 - internal VLAN subnet
- Translate: SNAT pool with 10.129.10.40 - ip from external VLAN subnet
- Enabled on: internal VLAN
Wildcard VS defined with:
- Performance L4
- All ports
- All protocol
- SNAT: Automap (using floating self IP 10.129.10.13)
- Enabled on: internal VLAN (10.128.30.0/24)
- Pool with member pointing to IP defined as well as default gateway in Routes - 10.129.10.2
- Ping performed from 10.128.30.152 IP to 10.129.10.2
Results:
- tcpdump reports that ping is processed by wildcard VS
Flows created:
- 10.128.30.152 -> 10.129.10.2
- 10.129.10.13 (floating self IP) -> 10.129.10.2
- SNAT object stats are increased when ping is sent
If SNAT object is set to Enabled on with empty Selected, stats are not increased.
Question is why SNAT object stats are increased if packets are processed by wildcard VS and src IP on external VLAN is translated to floating Self IP (10.129.10.13), not SNAT object IP (10.129.10.40)?
Case 2 - ping from internal VLAN to external self IP receives replies
Same setup as above
- Ping from 10.128.30.152 to 10.129.10.10 (self IP on external VLAN)
- No VS defined with 10.129.10.10 IP at all
Results:
- Ping is answered
- tcpdump reports wildcard VS as the one processing ping
If:
- Floating self IP is pinged (10.129.10.13), still wildcard is listed as listener processing ping but there is no reply
- Any other self IP from other configured VLANs is pinged - as above - no answer
Why does self IP on external VLAN reply to pings?
Case 3 - Allow none set on VLAN used for Mirroring and Config sync
According to all articles and manuals I saw, there are port exceptions no matter what Port Lockdown is set for self IP. Those are Mirroring port (1028), Config Sync port (4353) and ICMP.
For HA related ports, there is as well a note that those are open for packets received from peer IP - at least that is my understanding.
Scenario:
- telnet from internal VLAN host - 10.128.30.152 - (both Config Sync and Mirroring are configured to use internal VLAN self IP) is launched to port 4353
- tcpdump shows that there is proper 3WHS performed between host and self IP
- telnet from internal VLAN host to self IP port 1028 is launched
- immediately BIG-IP sends RST
Why is 4353 accepting connections and 1028 is not - both connections are performed from the same IP - one that is not peer IP?
That could be an issue especially in case of Config Sync port. If anyone in the same network as self IP used for Config Sync can set up a TCP connection, then he can as well send crafted packets that will break the syncing process - at least it seems so.
So port exceptions in HA are accepting connections only from peer IP or from any IP in the same subnet as self IP?
Piotr