Forum Discussion
Delayed connection when traffic crosses router domains in F5 BIG-IP
Thanks for the detailed explanation — we’ll test your suggestions with explicit routes and forwarding virtual servers between route domains.
That said, I’m still puzzled by one thing:
If the F5 doesn’t have a valid route between RD2 and RD0, how is it even able to eventually send the response back at all? I would expect the traffic to consistently fail or time out immediately, since the device shouldn’t know how to reach the destination in another route domain.
Yet, in our case, it delays for 10–15 seconds and then succeeds. Could the F5 be falling back to some kind of indirect routing or trying multiple options before failing over to a default behavior?
Also, just to give more context — we introduced multiple route domains on the F5 because previously all servers were in a single VRF on the upstream router. We’ve now segmented them into multiple VRFs, and within these new VRFs, some servers use the F5 as their default gateway, while others route through the firewall.
Thanks again for your help — any insight into how the F5 is even partially succeeding without explicit inter-RD routing would be great to understand.
How do you use F5 as gateway if it doesn't have Routes?
You may not have a specific route between RD2 and RD0, but RD2 should have a default route, and the next hop should have a route to RD0.
That said, I suspect your delay is because of asymmetric routing.
Have you tried a packet capture both to F5 and server?
- fluzocapacitor, Jun 08, 2025
Cirrus
Thanks for your reply!
Just to clarify — I didn’t mean to say there are no routes in the F5. There is a default route configured, and the traffic does reach the destination eventually.

    show net route

    -----------------------------------------------------------------------
    Net::Routes
    Name          Destination  Type  NextHop                Origin
    -----------------------------------------------------------------------
    Default-VLXX  default%2    gw    upstream_router_ip%2   static
    Default       default      gw    f5_self_ip_for_router  static

Asymmetric routing is definitely something we’ve had to deal with. When we first separated the VRFs, we ran into issues with the firewall dropping connections due to unknown state. That’s actually one of the reasons we introduced route domains in the F5 — to better isolate traffic paths and avoid that kind of asymmetry.
We’ve done captures both on the F5 and on the server side, but so far we haven’t found a clear explanation for the delay when the F5 acts as the gateway and the Virtual Server is in another route domain.
Thanks again!
- Injeyan_Kostas, Jun 08, 2025
Nacreous
You might also include the firewall in your captures.
Is there a chance the firewall has an interface and IP in the server VLAN?
