BIG-IP removes TCP/IP route and blocks communication to Docker container


Short Version :

Why does BIG-IP delete some routes when establishing a VPN connection?

This impacts "Docker Desktop for Windows" by blocking any communication with the Docker container, because the TCP/IP route to reach the container is deleted by BIG-IP.

Long Version :

Context: Docker is used to run an application (Microsoft SQL Server) in a container. Communication with the container goes through the NAT interface created by Docker.

Issue description: Unable to connect to my Docker container when BIG-IP is running.

Overview: When I start a new Docker container that contains SQL Server, I can connect to it and execute SQL queries... but if I start BIG-IP to connect to ICN, no connection to my Docker container running SQL Server is possible... even though my container is still running (and SQL Server too).

Root cause: The TCP/IP route to my Docker container is deleted by BIG-IP.

Step by step to reproduce

Step 1 : Start my Docker container

docker run -e "ACCEPT_EULA=Y" --name MyLocalServer -p 1433:1433 -e "SA_PASSWORD=XXXXX" -d microsoft/mssql-server-windows-developer

Step 2 : Able to connect to SQL Server located in the Docker container

[screenshot: SQL connection succeeds]

Step 3 : Docker network details

Returns technical information about the network subnet for my Docker container.

[screenshot: docker network inspect output]

Step 4 : Route table before VPN connection

We see the route for my container.

[screenshot: route print before VPN]

Step 5 : When connecting my VPN, BIG-IP removes the route for my Docker container

BIG-IP log :

[screenshot: BIG-IP Edge Client log showing the route deletion]

Step 6 : The route table looks like this after the VPN connection is established

Note : the route for 172.29.48.0/20 has disappeared

[screenshot: route print after VPN]

Step 7 : Now, unable to connect to the SQL container

Got the following error: "A network-related or instance-specific error has occurred while establishing a connection to SQL Server."

[screenshot: SQL connection error]

Step 8 : When I disconnect my VPN, the deleted routes are restored by BIG-IP

[screenshot: route print after VPN disconnect]

Step 9 : And now, access to my SQL Server is possible again

[screenshot: SQL connection succeeds again]

Conclusion

BIG-IP removes the routes that allow communication with the Docker container.

I have tried to:

#1 : Add the route manually after the BIG-IP connection with the following command:

  route add 172.29.48.0 mask 255.255.240.0 0.0.0.0 METRIC 10 IF 34

... but BIG-IP removes the new entry from the routing table automatically, as previously seen when BIG-IP connects.

[screenshot: manually added route removed again]

#2 : I tried to change the IP range used by Docker to access the container to 192.168.1.x (previously: 172.29.48.0)

[screenshot: Docker network reconfigured to 192.168.1.x]

But as before, BIG-IP removes the route for this range too:

[screenshot: 192.168.1.x route removed after VPN connection]

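Steps 4 to 6 above compare the routing table by eye from screenshots. The following PowerShell script is an added example, not part of the original question or answer: it snapshots the IPv4 routing table before the VPN connects, diffs it afterwards, and names exactly which routes the VPN client removed, flagging the Docker NAT subnet in particular. It assumes the subnet from the question (172.29.48.0/20) unless you pass -DockerSubnet, and relies only on the NetTCPIP cmdlets (Get-NetRoute, New-NetRoute) that ship with Windows 8 / Server 2012 and later.

```powershell
<#
  Added example (not from the original post): snapshot the IPv4 routing table
  before the VPN connects, diff it after, and report the routes the VPN client
  removed. Assumes the Docker NAT subnet from the question, 172.29.48.0/20;
  override with -DockerSubnet, e.g. the value printed by
    docker network inspect nat --format '{{(index .IPAM.Config 0).Subnet}}'
  Usage:
    .\Compare-DockerRoute.ps1 -Before   # run before connecting the VPN
    .\Compare-DockerRoute.ps1 -After    # run once the VPN is connected
#>
[CmdletBinding()]
param(
    [switch]$Before,
    [switch]$After,
    [string]$DockerSubnet = '172.29.48.0/20',
    [string]$SnapshotPath = (Join-Path $env:TEMP 'routes-before.json')
)

function Get-RouteSnapshot {
    # One record per IPv4 route; @() keeps a single route as a one-element array
    @(Get-NetRoute -AddressFamily IPv4 -ErrorAction Stop |
        Select-Object DestinationPrefix, NextHop, InterfaceIndex, InterfaceAlias, RouteMetric)
}

function Get-RouteKey {
    param([Parameter(Mandatory)]$Route)
    # A route is identified by prefix + next hop + interface, not by its metric
    '{0}|{1}|{2}' -f $Route.DestinationPrefix, $Route.NextHop, $Route.InterfaceIndex
}

if ($Before) {
    $snap = Get-RouteSnapshot
    ConvertTo-Json -InputObject $snap -Depth 3 | Set-Content -Path $SnapshotPath -Encoding UTF8
    Write-Host ("Saved {0} IPv4 routes to {1}. Connect the VPN, then rerun with -After." -f $snap.Count, $SnapshotPath)
    return
}

if ($After) {
    if (-not (Test-Path $SnapshotPath)) {
        throw "No snapshot at $SnapshotPath; run this script with -Before first."
    }
    $old = @(Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json)
    $new = Get-RouteSnapshot

    # Index the current table by route key so the diff is a hash lookup
    $newKeys = @{}
    foreach ($r in $new) { $newKeys[(Get-RouteKey -Route $r)] = $true }
    $removed = @($old | Where-Object { -not $newKeys.ContainsKey((Get-RouteKey -Route $_)) })

    if ($removed.Count -eq 0) {
        Write-Host 'No routes were removed by the VPN connection.'
        return
    }
    Write-Host 'Routes present before the VPN connected and missing now:'
    $removed | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize | Out-Host

    $docker = $removed | Where-Object { $_.DestinationPrefix -eq $DockerSubnet } | Select-Object -First 1
    if ($docker) {
        Write-Warning "The Docker NAT route $DockerSubnet was removed; containers on it are unreachable."
        # Re-adding it is the PowerShell equivalent of the 'route add' in the question.
        # The question shows the client deleting it again, so this only confirms the
        # behaviour; the durable fix is in the VPN client's APM configuration.
        Write-Host ("To re-add it for a test: New-NetRoute -DestinationPrefix '{0}' -InterfaceIndex {1} -NextHop 0.0.0.0 -RouteMetric 10" -f $docker.DestinationPrefix, $docker.InterfaceIndex)
    }
    return
}

Write-Host 'Specify -Before (pre-VPN) or -After (post-VPN).'
```

Run it from an elevated PowerShell session with -Before, connect the VPN, then run it with -After; the "missing now" table is the evidence to hand to the network administrator, since it lists the exact prefix and interface the client deleted rather than a screenshot.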

There is 1 answer

Eugène Adell

This question is for your network administrator, who probably only follows the security policy of the company giving you the VPN access.

Based on K49720803: BIG-IP Edge Client operations guide | Chapter 3: Common approaches to configuring VPN, you would ask them to disable the Prohibit routing table changes option, or maybe try adding a second network card dedicated to your Docker, in the hope that it would not be managed by the VPN client at all - but I didn't try.