Forum Discussion
AD DC's behind F5 + SNAT
We have AD DCs behind F5 and we are using SNAT for this setup.
Issue: The domain controller always sees the SNAT IP as the client IP address. The DC team is unable to see the actual client IP address if they want to troubleshoot any issue.
Is there any way for them to see the actual client IP address hitting the F5 AD VIP?
- Josiah_39459 (Historic F5 Account)
From the way you ask the question, it is not clear. Do you mean without disabling SNAT? Because it seems like disabling SNAT is the best way to see the user's IP...
- Abhishek_Mittal (Nimbostratus)
If we disable SNAT, won't it cause asymmetric routing? As far as I know, we use SNAT on F5 to prevent asymmetric routing (if the F5 and the servers are not in the same subnet).
- Josiah_39459 (Historic F5 Account)
Right, we don't know your network environment. There probably is a way around it. SNAT makes things easy, but quite likely you don't need it if you have control and can plan your environment carefully.
If you don't want to change all your routing tables to actually see the client's IP, then you probably should just use timestamps. Ensure your clock is the same and you can probably figure out the user from the logs. You could also try to embed something in the packets sent to the DC, but you'd also have to configure the DC to strip and log that information. You could do the F5 part easily with iRules, but the rest would be up to your server configuration team.
I'm not sure what kind of "troubleshooting" they "can't do", but it seems like you might have to work in concert with them to identify the clients, as the IP alone is not enough.
- Abhishek_Mittal (Nimbostratus)
The issue is that one of the accounts is getting locked out, but they are unable to find the source IP for the lockout, as on the DC they see only the SNAT IP every time.
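The timestamp correlation suggested in the thread, as an added example that is not part of any post above: it joins F5 connection records to DC failed-logon events on SNAT address, SNAT source port and time, and falls back to a time window when the DC event has no port. The F5 log layout, addresses, account name and events are constructed; it assumes the F5 logs each connection's client and SNAT address/port, that clocks are synchronized, and that the DC events (for example 4625 or 4771) record the source address and port.

```python
import re
from datetime import datetime, timedelta

# Constructed F5-side log: one line per connection to the AD VIP (layout assumed).
F5_LOG = """\
2024-05-01T09:14:58Z client=10.20.30.41:51522 snat=192.0.2.10:40311
2024-05-01T09:15:02Z client=10.20.30.77:49810 snat=192.0.2.10:40312
2024-05-01T09:15:03Z client=10.20.31.5:60233 snat=192.0.2.10:40313
"""

# Constructed DC-side failed-logon records; src_ip is always the SNAT address.
DC_EVENTS = [
    {"time": "2024-05-01T09:15:02Z", "event_id": 4771, "account": "jdoe",
     "src_ip": "192.0.2.10", "src_port": 40312},
    {"time": "2024-05-01T09:15:03Z", "event_id": 4625, "account": "jdoe",
     "src_ip": "192.0.2.10", "src_port": None},  # port not recorded
]

LINE = re.compile(r"(\S+) client=([\d.]+):(\d+) snat=([\d.]+):(\d+)")
FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_f5(text):
    """Turn F5 log lines into connection records keyed by SNAT address/port."""
    conns = []
    for m in LINE.finditer(text):
        ts, client_ip, _client_port, snat_ip, snat_port = m.groups()
        conns.append({"time": datetime.strptime(ts, FMT), "client_ip": client_ip,
                      "snat_ip": snat_ip, "snat_port": int(snat_port)})
    return conns


def candidates(event, conns, window=timedelta(seconds=2)):
    """Return the real client IPs that could have produced this DC event."""
    when = datetime.strptime(event["time"], FMT)
    hits = set()
    for c in conns:
        if c["snat_ip"] != event["src_ip"] or abs(c["time"] - when) > window:
            continue
        # With a recorded port the match is exact; without one, every
        # connection inside the time window stays a candidate.
        if event["src_port"] is not None and c["snat_port"] != event["src_port"]:
            continue
        hits.add(c["client_ip"])
    return sorted(hits)


if __name__ == "__main__":
    conns = parse_f5(F5_LOG)
    for ev in DC_EVENTS:
        print(ev["account"], ev["event_id"], candidates(ev, conns))
```

When the DC event carries no source port, the result is a candidate list rather than a single address, so a busy VIP needs a tight window or repeated events to narrow it down.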