Forum Discussion

Abhishek_Mittal's avatar
Abhishek_Mittal
Icon for Nimbostratus rankNimbostratus
Sep 13, 2016

AD DC's behind F5 + SNAT

We have AD DC's behind F5 and we are using SNAT for this setup.

 

Issue: Domain controller always see SNAT IP as client IP address. DC team are unable to see actual client IP address, if they want to troubleshoot any issue.

 

Is there any way so that they can see actual client IP address hitting on F5 AD VIP.

 

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account

    From the way you ask the question, it is not clear. Do you mean without disabling SNAT? Becuase it seems like disabling SNAT is the best way to see the users ip...

     

    • Abhishek_Mittal's avatar
      Abhishek_Mittal
      Icon for Nimbostratus rankNimbostratus

      If we will disable the SNAT, Will it not do Asymmetric routing. As far as I know, SNAT we use in F5 to prevent asymmetric routing. (if F5 and Servers are not in same subnet)

       

    • Josiah_39459's avatar
      Josiah_39459
      Historic F5 Account

      Right, we don't know your network environment. There probably is a way around it. SNAT makes things easy, but quite likely you don't need it if you have control and can plan your environment carefully.

       

      If you don't want to change all your routing tables to actually see the client's ip, then you probably should just use timestamps. Ensure your clock is the same and you can probably figure out the user from the logs. You could also try to embed something in the packets sent to the DC, but you'd also have to configure the DC to strip and log that information. You could do the F5 part easily with irules, but the rest would be up to your server configuration team.

       

      I'm not sure of what kind of "troubleshooting" they "can't do", but it seems like you might have to work in concert with them to identify the clients as the ip alone is not enough.

       

    • Abhishek_Mittal's avatar
      Abhishek_Mittal
      Icon for Nimbostratus rankNimbostratus

      Issue is one of the account is getting locked out, but they are unable to find the source IP for that locked out. as on DC they see only SNAT IP each and every time.