Short version:
Why does Big IP delete some routes when establishing a VPN connection?
This impacts “Docker Desktop for Windows” by blocking any communication with Docker containers, because the TCP/IP route used to reach the container is deleted by Big IP.
Long version:
Context: Docker is used to run an application (Microsoft SQL Server) in a container. Communication with the container goes through the NAT interface created by Docker.
Issue description: Unable to connect to my Docker container when Big IP is running.
Overview: When I start a new Docker container that contains SQL Server, I can connect to it and execute SQL queries… but if I start Big IP to connect to ICN, no connection to my Docker container running SQL Server is possible… even though my container is still running (and SQL Server too).
Root cause: the TCP/IP route to my Docker container is deleted by Big IP.
Step by step to reproduce
Step 1: Start my Docker container
docker run -e "ACCEPT_EULA=Y" --name MyLocalServer -p 1433:1433 -e "SA_PASSWORD=XXXXX" -d microsoft/mssql-server-windows-developer
Step 2: Able to connect to SQL Server located in the Docker container
Step 3: Docker network details
Returns technical information about the network subnet for my Docker container.
Step 4: Route table before VPN connection
We see the route for my container.
Step 5: When connecting my VPN, Big IP removes the route for my Docker container
Big IP log:
Step 6: Route table appears like this after the VPN connection is established
Note: the route for 172.29.48.0/20 disappears
Step 7: Now, unable to connect to the SQL container
Got the following error: “A network-related or instance-specific error has occurred while establishing a connection to SQL Server.”
Step 8: When I disconnect my VPN, the deleted routes are restored by Big IP
Step 9: And now access to my SQL Server is possible
Conclusion
Big IP removes the routes that allow communication with the Docker container.
I have tried to:
#1: Add the route manually after the Big IP connection with the following command:
route add 172.29.48.0 mask 255.255.240.0 0.0.0.0 METRIC 10 IF 34
… but Big IP removes the new entry from the routing table automatically, as previously seen when Big IP connects.
#2: I tried to change the IP range used by Docker to reach the container to 192.168.1.x (previously: 172.29.48.0)
But as before, Big IP removes the route for this range too:
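Added example, not part of the original post or of any F5 or Docker tooling: a PowerShell script that snapshots the IPv4 routing table before the VPN connects and, when run a second time afterwards, lists every route that has since disappeared and checks specifically for the Docker NAT subnet quoted above. The subnet 172.29.48.0/20 and the snapshot path are assumed defaults taken from the post; adjust the parameters for another setup.

```powershell
# Added example (not from the original post). Run once before connecting the VPN to
# save a baseline, then again after the VPN is up to see which routes were removed.
# Assumption: the Docker NAT subnet is the one from the post; override with -DockerSubnet.
param(
    [string]$SnapshotPath = "$env:TEMP\routes-before-vpn.json",
    [string]$DockerSubnet = "172.29.48.0/20"
)

function Get-RouteSnapshot {
    # IPv4 routes only; these fields identify a route entry uniquely enough to compare
    Get-NetRoute -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, InterfaceIndex, RouteMetric
}

if (-not (Test-Path $SnapshotPath)) {
    # First run: persist the baseline as a JSON array (forced even for a single route)
    ConvertTo-Json -InputObject @(Get-RouteSnapshot) | Set-Content -Path $SnapshotPath
    Write-Host "Baseline saved to $SnapshotPath. Connect the VPN, then run this script again."
    return
}

$before = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
$after  = Get-RouteSnapshot

# Entries present in the baseline but absent now ('<=') are routes that were removed,
# e.g. by a VPN client enforcing "Prohibit routing table changes"
$removed = Compare-Object -ReferenceObject $before -DifferenceObject $after `
    -Property DestinationPrefix, NextHop, InterfaceIndex |
    Where-Object SideIndicator -eq '<='

if ($removed) {
    Write-Host "Routes removed since baseline:"
    $removed | Format-Table DestinationPrefix, NextHop, InterfaceIndex -AutoSize
} else {
    Write-Host "No routes removed since baseline."
}

# Targeted check for the subnet the containers are reached through (SQL on TCP 1433 here)
if ($after.DestinationPrefix -contains $DockerSubnet) {
    Write-Host "Docker route $DockerSubnet is present."
} else {
    Write-Warning "Docker route $DockerSubnet is missing; container traffic will fail."
}
```

Delete the snapshot file to start a new baseline, for example after changing the Docker subnet as tried in #2 above.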
This question is for your network administrator, who probably only follows the security policy of the company giving you the VPN access.
Based on K49720803: BIG-IP Edge Client operations guide | Chapter 3: Common approaches to configuring VPN, you would ask for the Prohibit routing table changes option to be disabled, or maybe try adding a second network card dedicated to your Docker, in the hope that it would not be managed by the VPN client at all - but I didn't try.