Client IP visibility in one arm mode

Question

Hi All,&nbsp;&nbsp;I have a pair of LTMs in the DMZ in one arm configuration. The frontend (virtual server) and the backend (servers) are on the same subnet. It acts as a reverse proxy for a lot of internal hosts but it also acts as a load balancer to servers in the DMZ. SNAT automap is configured and so all the client IPs look like it is coming from the BigIP. Now, I have a requirement where apps running on the DMZ servers require the client IP visibility.&nbsp;&nbsp;&nbsp;What are the options available?&nbsp;&nbsp;&nbsp;Meena&nbsp;

nitass · Answer

is it http/s? 
&nbsp;if so, have u seen x-forwarded-for solution in askf5? &nbsp;
&nbsp;sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT 
&nbsp;http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

meena_60183 · Answer

I should have mentioned this. The traffic that is being load balanced in not http(s) but SSH and TCP port 9033. it is application specific.

nathe · Answer

Meena 
&nbsp; "The traffic that is being load balanced in not http(s) but SSH and TCP port 9033. it is application specific" - I think this rules out x-forward-for I'm afraid. In a one-arm config you could choose to NOT use SNAT Automap on this VIP, however, you will then need to route the traffic back to the src client ip back through the LTM, rather than the def gateway (which I presume isn't the LTM). 
&nbsp;  
&nbsp; Rgds 
&nbsp; N

meena_60183 · Answer

The current default gateway for the servers is the firewall. The default gateway for the LTM is also the firewall. I tried changing the server's default gateway to be the LTM but traffic stops working. I enabled all services using 0 for port number but still it seems like the LTM is not responding for arp requests from the firewall. I even deleted the arp entry for the servers in question but that did not help either.

nitass · Answer

client isn't in same subnet as vip, is it? 
&nbsp;  
&nbsp; for arp, could u confirm if arp is checked under virtual address list? 
&nbsp; if yes, bigip should response arp request for that virtual address.

Forum Discussion

Client IP visibility in one arm mode

6 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

iRules

Is there a way to export BigIP Analytics http captured transactions?

F5 is not providing any console/Web Access.Software is corrupted. How to clean install its firmware?

About perpetual license expiry In WAF

How to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute value

Related Content

Visibility and Orchestration

Implementing BIG-IP WAF logging and visibility with ELK

Shift-left Security Visibility

Post-Breach Analysis: Sophistication and Visibility

Explanation of F5 DDoS threshold modes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS