Hi,

I've identified the problem. In fact the bigip is answering with a
destination MAC which is the real MAC of the firewall node from which the
packet was coming and not the virtual one.
So I think that this is the problem. Sometimes the other node would like to
forward the packet and the first node just drops it, but as the bigip is not
sending the frame to the multicast mac, this one never reaches the second
node :(

First problem is that Cluster XL multicast doesn't send frames with source
mac = virtual mac but with the real one (this might be corrected in recent
versions ...).
Second problem is that Bigip doesn't send frames to the virtual, but to the
real mac.

I'm gonna check with F5 bigip support team to see if we can change this
behaviour. I've noticed that when sending frames directly from the bigip they
are sent to the virtual MAC ... But when these frames are answers to other
ones they go to the real mac ...

In any case, thanks for replying.


Best regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -----Original Message-----
> From : Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On behalf
> of Andrew Smaff Matthews
> Sent : Wednesday 18 May 2005 11:53
> To : [email protected]
> Subject : Re: [FW-1] FW1 and BIGIP problem
>
> On Tue, May 17, 2005 at 05:29:31PM +0200, Sébastien Cantos wrote:
> > Hi,
> >
> > I'm running NG FP3 and Cluster XL (multicast mode) on Linux
> > platform. I've something setup like this :
> >
> > WAN    NET1                      NET2
> > --- FW --- BIGIP (load balancer) --- FTPD
> >
> > I've a problem with active FTP. When a client connects and does a PORT
> > command, it is silently dropped by the firewalls (one time every 2
> > connections). I see the FTPD sending the Syn, NATing this
> > Syn. Then the Syn comes to the lan interface of the firewall but never
> > reaches the Wan interface of the firewall.
> >
> > Clients are connecting to an IP routed to the firewall then NATed.
> > For example :
> > 1/ client connects to 10.10.10.1 (Static nat on the firewall)
> > 2/ Firewall does Destination NAT and sends packets to a VIP on
> > the BIGIP (192.168.20.10)
> > 3/ Bigip does Destination NAT and joins the FTPD (192.168.21.10)
> >
> > I don't understand why the firewall is dropping the ftp-data syn.
> > Is there a way to look at this on the firewalls ? I did notice nothing on
> > smartview tracker ....
> >
> >
> This is, I suspect, because FTP is an evil protocol :>
>
> The port command tells the ftpd to make a connection to <client_IP> on a
> given high-port. Firewall-1 picks this up and dynamically adds a rule that
> says:
>
>         from SvrIP:20 to client_IP:<high_port> tcp allow.
>
> Now, you're NATing the SvrIP twice. Is the source IP of the packet which
> gets dropped by the firewall 192.168.21.10, 192.168.20.10 or
> 10.10.10.1?
>
> If it's the first, you need to get the bigIP to NAT the
> outgoing connection -
> note you can actually use HIDE nat here if you need to.
> If it's the 2nd (or you've tried the first and it still doesn't work), then
> you need to make sure there is a static map:
>         org. src: 192.168.20.10 -> trans. src: 10.10.10.1
>         org. dst: =             -> trans. dst: =
>
> Beyond that, I can't say as you've not provided any firewall logs.
>
>                 Smaff
>
>
> --
> You happen to be here, now.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
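The pinhole logic Smaff describes above (FW-1 reads the PORT command and opens "from SvrIP:20 to client_IP:high_port"), modelled as an added example that is not code from the thread or from Check Point: it parses a PORT command, builds the dynamic rule, and reports why a double-NATed ftp-data SYN fails to match it. The addresses are the thread's; the client address and the assumption that the firewall keys the rule on the server address it saw on the control connection (192.168.20.10, the post-DNAT VIP) are mine.

```python
import re
from dataclasses import dataclass

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 (address octets, then port high/low byte)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Return (client_ip, high_port) from an active-mode PORT line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port < 1024:  # data port must be an unprivileged high port; reject otherwise
        return None
    return ip, port


@dataclass(frozen=True)
class Pinhole:
    """The rule FW-1 adds dynamically: from src_ip:20 to dst_ip:high_port tcp allow."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def pinhole_for(port_cmd, server_ip_seen_by_fw):
    """Build the pinhole from a PORT command and the server address the firewall learned."""
    parsed = parse_port_command(port_cmd)
    if parsed is None:
        return None
    client_ip, high_port = parsed
    return Pinhole(server_ip_seen_by_fw, 20, client_ip, high_port)


def check_data_syn(pinhole, src_ip, src_port, dst_ip, dst_port):
    """Explain why an ftp-data SYN would be dropped; None means it matches the pinhole."""
    if (dst_ip, dst_port) != (pinhole.dst_ip, pinhole.dst_port):
        return "destination is not client_IP:high_port from the PORT command"
    if src_port != pinhole.src_port:
        return "data connection is not sourced from ftp-data port 20"
    if src_ip != pinhole.src_ip:
        # This is the double-NAT case in the thread: the SYN carries the FTPD's
        # real address, not the address the firewall associated with the server.
        return f"source {src_ip} is not the server address the firewall learned ({pinhole.src_ip})"
    return None
```

Feeding the SYN's actual 4-tuple (from a capture on the LAN interface) into check_data_syn gives the same answer Smaff asks for: which of the three addresses the dropped packet carries, and therefore which NAT is missing.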
