Forum Discussion
A problem about getting the source address through X-Forwarded-For
I have a question: my VS is using SNAT, with X-Forwarded-For in the http_profile, but I see some source addresses are not obtained. I also noticed that all the lost source addresses are okhttp, why?
Thanks for any help!
- Sachin-GargAltostratus
OkHttp is an HTTP client that's efficient by default: ... If your service has multiple IP addresses OkHttp will attempt alternate addresses if the first connect fails.
Could you please share what kind of VS config is there.
Please run this command
list ltm virtual <name-of-VS> details
- 1qazNimbostratus
thanks to Sachin-Garg,
list ltm virtual VS_CRM_NLFK_9080
ltm virtual VS_CRM_NLFK_9080 {
    destination 134.175.22.206:glrpc
    ip-protocol tcp
    mask 255.255.255.255
    pool Pool_CRM_NLFK_9080
    profiles {
        http_yuanIP { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 131
}
- Sachin-GargAltostratus
- You said you are using SNAT, but I can see it's Automap (which will use the self IP of your internal interface to source-NAT the source IP address). You can also use any static IP instead of Automap in case you want that IP to be used for SNAT purposes. Just in case, but this one is also OK if it is not causing any issue.
- Can you please share the details of your http profile by running the following commands in tmsh mode
- list ltm profile http http_yuanIP details
- for checking the connection details on your VIP
- show sys connection | grep 134.175.22.206
Best Regards
Sachin Garg
- 1qazNimbostratus
Thanks, I noticed that only okhttp has no source address, but okhttp does not always appear
list ltm profile http http_yuanIP
ltm profile http http_yuanIP {
app-service none
defaults-from http
insert-xforwarded-for enabled
show sys connection | grep 134.175.22.206
106.19.5.121:50700 134.175.22.206:9091 106.19.5.121:50700 134.176.1.228:9091 tcp 63 (tmm: 3) none
106.16.132.94:41796 134.175.22.206:9091 106.16.132.94:41796 134.176.1.228:9091 tcp 38 (tmm: 3) none
106.18.147.4:12642 134.175.22.206:9080 134.176.1.196:16260 134.176.1.225:9090 tcp 58 (tmm: 2) none
106.17.200.187:30317 134.175.22.206:9080 134.176.1.196:49075 134.176.1.226:9090 tcp 64 (tmm: 1) none
223.150.23.248:15461 134.175.22.206:9080 134.176.1.196:58407 134.176.1.226:9090 tcp 92 (tmm: 1) none
106.19.3.31:15369 134.175.22.206:9080 134.176.1.196:35483 134.176.1.226:9090 tcp 137 (tmm: 1) none
220.202.118.3:21709 134.175.22.206:9080 134.176.1.196:60991 134.176.1.225:9090 tcp 250 (tmm: 1) none
106.16.162.55:51031 134.175.22.206:9091 106.16.162.55:51031 134.176.1.227:9091 tcp 31 (tmm: 0) none
106.16.156.197:62938 134.175.22.206:9080 134.176.1.196:54220 134.176.1.225:9090 tcp 35 (tmm: 2) none
58.45.29.238:26466 134.175.22.206:9080 134.176.1.196:24216 134.176.1.226:9090 tcp 284 (tmm: 2) none
106.16.150.173:43584 134.175.22.206:9091 106.16.150.173:43584 134.176.1.227:9091 tcp 11 (tmm: 3) none
106.19.21.235:56092 134.175.22.206:9091 106.19.21.235:56092 134.176.1.227:9091 tcp 48 (tmm: 3) none
223.152.95.189:37259 134.175.22.206:9080 134.176.1.196:29241 134.176.1.225:9090 tcp 67 (tmm: 3) none
118.251.19.94:49046 134.175.22.206:9091 118.251.19.94:49046 134.176.1.227:9091 tcp 55 (tmm: 1) none
- Sachin-GargAltostratus
As you can see the
1st Column = Real Source IP:port
2nd Column = VIP:port
3rd Column = SNAT Source IP:port using Self IP of Internal Interface
4th Column = Pool Member:port
Here I could see that for your other VIP, 134.175.22.206:9091, the client's original address is visible to the backend pool member
1st column is the same as the 3rd column
106.19.21.235:56092 134.175.22.206:9091 106.19.21.235:56092 134.176.1.227:9091 tcp 48 (tmm: 3) none
But for the other VIP, 134.175.22.206:9080, the 1st column IP is changing to your F5 self IP of the internal interface or SNAT IP 134.176.1.196 in the 3rd column:
223.152.95.189:37259 134.175.22.206:9080 134.176.1.196:29241 134.176.1.225:9090 tcp 67 (tmm: 3) none
Can you please compare the 2 VIPs config and share:
VIP 134.175.22.206:9091 - Client IP address is visible to the pool member
VIP 134.175.22.206:9080 - Client IP address is NOT visible to the pool member
- Sachin-GargAltostratus
Here I could see that for your other VIP, 134.175.22.206:9091, the client's original address is visible to the backend pool member
1st column is the same as the 3rd column
106.19.21.235:56092 134.175.22.206:9091 106.19.21.235:56092 134.176.1.227:9091 tcp 48 (tmm: 3) none
In that case your pool member 134.176.1.227:9091 will respond directly to the client IP 106.19.21.235:56092, bypassing the F5 load balancer. Are you seeing any asymmetric routing issues on this VIP?
- 1qazNimbostratus
thanks,
VIP 134.175.22.206:9091 doesn't use SNAT, no automap
- Sachin-GargAltostratus
So do you feel your issue is resolved/explained, or would you like me to look into anything further? Kindly let me know.
- 1qazNimbostratus
Thank you very much for your help, my colleague suggested that I cancel the snat on VS 134.175.22.206:9080 to solve this problem, and I am considering accepting his suggestion
- Sachin-GargAltostratus
Can you please mark it as resolved if no further assistance is needed.
- 1qazNimbostratus
Thanks to Sachin-Garg, I decided to cancel SNAT to get the source address because SNAT is not necessary. Thank you for your help, thanks again!