Forum Discussion
Coso_17543
Nimbostratus
Mar 14, 2011
BigIp source addresses
Hi all,
I don't know if this is an easy question, but it's a bit urgent for me.
We need to balance 2 servers under a VIP for some services, telnet and FTP included.
The pool was correctly created as standard (we manage a lot of pools), but the users have a problem. After just one user tried too many times to log in with a wrong user/pass, the nodes blocked access from him. After that, nobody can log in, because the source address seen by those 2 servers is not the real address of the users but that of the BIGIP.
I remember something about this issue not happening on some pools because, being HTTP, the user's IP address is encapsulated in the packet and, by checking it, servers can know who the real source is. But how can I avoid this in a normal telnet or FTP session?
Is there a setting or an iRule to make transparent balancing in BigIp so that servers receive users as sources and not the BigIP NAT?
Thank you
- Chris_Miller
Altostratus
Is there a reason you're using SNAT? Does your design require all users be SNATed?
- Coso_17543
Nimbostratus
Well, if I understood correctly, SNAT should be used for security and for routing issues.
- Chris_Miller
Altostratus
Address translation enables LTM to translate the destination address of the packet. So, if you're using a normal VIP, you need address translation so LTM can translate the destination address to the pool member's IP.
- Coso_17543
Nimbostratus
So I should disable SNAT to let the real nodes see the real source addresses of the users instead of BigIP?
- Chris_Miller
Altostratus
You can do it per VIP - if you're using the config utility, you'll find a "SNAT Pool" option set to either AutoMap or a SNAT Pool. You want to set that to none.
- Coso_17543
Nimbostratus
mmm
- Chris_Miller
Altostratus
If it's at none, the original source address should be getting to the client - it's the destination address that's getting translated.
- hoolio
Cirrostratus
There could also be a default SNAT defined which dictates LTM should translate the serverside source address.
- Michael_Yates
Nimbostratus
Depending on the destination application, you may also be able to use the X-Forward option in the HTTP Profile. If you are using basic Telnet and FTP, then you might not be able to use this option, but it is worth knowing about.
- Coso_17543
Nimbostratus
OK, so please confirm if I understood.