Edge AV DMZ IP sending to Edge AV NAT IP & private subnet traffic egressing the external interface...

  • Question

  • Good morning

    I am seeing behavior on an Edge server which I am not accustomed to seeing, and I have not been able to reproduce on other environments.

    When trying to establish a media session (A/V or content share) from internal->external or external->internal, we see the internal client list sending all internal IPs for the candidate list, which is fine. Then the external client sends its candidate list, which includes the public IP of the AV service (47.X.X.X). At this point things behave strangely.

    1. The internal client, who sends a request to 47.X.X.X, gets no responses from the server.

    2. The server responses to the internal client egress the external DMZ interface - which is never going to reach the client, who is internal. Based on the persistent routes, we would expect this traffic to egress the internal interface. It does not.

    3. The server attempts to send a TURN packet to its own public IP.

    At the moment, A/V is broken and the behavior here is extremely confusing. I understand that the solution to point 3 would be creating some extra NAT configurations and hairpin the traffic back to the AV DMZ IP, but in my testing on other environments, this is never attempted, so I don't love the idea of adding this configuration until I understand why it's happening here and not other edge servers.

    More importantly, why is the traffic destined to the internal client egressing the external AV IP?

    Thursday, February 16, 2017 7:03 PM

All replies

  • Since you mentioned persistent routes, I am assuming the routes for 172.18.XX.XX are routed to the internal gateway. Do verify the subnet masks based on your subnet in the persistent routes. It could be a silly typo in the persistent route. Also verify by doing a tracert from the Edge server to the internal client's IP that it is taking the intended route. Do this on all the Edge servers if you have a pool.

    Secondly, double check the HOSTS file on the edge servers.

    Lastly, make sure there is no default gateway specified on the internal adapter of the Edge server.

    Good luck!


    My Blog : http://www.theskypeguy.com


    • Proposed as answer by Alice-Wang Friday, February 17, 2017 6:57 AM
    Friday, February 17, 2017 12:30 AM
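The checks suggested in the reply above (persistent routes and their masks, a trace toward the internal client, the HOSTS file, and no default gateway on the internal adapter) can be run in one pass from an elevated PowerShell prompt on each Edge server. The script below is an added example written for this thread, not code from the original poster or from Microsoft. It assumes the two adapters are aliased "Internal" and "External", that the internal client lives in a hypothetical 172.18.0.0/16 range, and that 172.18.10.25 is a hypothetical client address to trace; adjust the four variables at the top for your environment.

```powershell
# Added diagnostic script for the thread's checklist (assumptions below are hypothetical).
$InternalAlias  = 'Internal'        # alias of the internal-facing adapter
$ExternalAlias  = 'External'        # alias of the DMZ/external adapter
$InternalRange  = '172.18.'         # hypothetical internal address range (prefix text match)
$InternalClient = '172.18.10.25'    # hypothetical internal client to trace toward

$internalIf = Get-NetAdapter -Name $InternalAlias
$externalIf = Get-NetAdapter -Name $ExternalAlias

# 1. Persistent routes: every route for the internal range must be bound to the
#    internal adapter. Print them so a typo in the prefix length is visible.
Write-Host "== Persistent IPv4 routes =="
$persistent = Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore
$persistent | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize
$wrongNic = $persistent | Where-Object {
    $_.DestinationPrefix -like "$InternalRange*" -and $_.InterfaceIndex -ne $internalIf.ifIndex
}
if ($wrongNic) {
    Write-Warning "Internal-range route(s) bound to a non-internal adapter:"
    $wrongNic | Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
}

# 2. Ask the stack which route (and therefore which adapter) it actually selects
#    for the client address right now. Find-NetRoute returns a NetIPAddress and a
#    NetRoute object; only the NetRoute carries DestinationPrefix.
$selected = Find-NetRoute -RemoteIPAddress $InternalClient |
    Where-Object { $_.PSObject.Properties['DestinationPrefix'] }
Write-Host "== Route selected for $InternalClient =="
$selected | Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
if ($selected.InterfaceIndex -eq $externalIf.ifIndex) {
    Write-Warning "Traffic to $InternalClient would egress the EXTERNAL adapter ($ExternalAlias)."
}

# 3. Default gateway: only the external adapter should have one, and there should be
#    exactly one 0.0.0.0/0 route in the active table.
$intCfg = Get-NetIPConfiguration -InterfaceAlias $InternalAlias
if ($intCfg.IPv4DefaultGateway) {
    Write-Warning "Internal adapter has a default gateway: $($intCfg.IPv4DefaultGateway.NextHop)"
}
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0'
Write-Host "== Active default routes =="
$defaults | Format-Table NextHop, InterfaceAlias, RouteMetric -AutoSize
if (@($defaults).Count -ne 1) {
    Write-Warning "Expected one default route, found $(@($defaults).Count)."
}

# 4. HOSTS file: show every non-comment mapping so a stale or wrong entry stands out.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== Active HOSTS entries =="
Get-Content $hostsPath | Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' -and $_ -notmatch '^\s*#' }

# 5. Trace toward the internal client; the first hop should be the internal gateway.
Write-Host "== Trace route to $InternalClient =="
(Test-NetConnection -ComputerName $InternalClient -TraceRoute).TraceRoute
```

Run it on every Edge server in the pool and compare the "Route selected" and "Active default routes" sections between a working server and the misbehaving one; a route that resolves to the external adapter, a second default route, or a HOSTS entry that disagrees with DNS is the kind of difference the reply is pointing at.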