Forum Discussion
Delayed connection when traffic crosses router domains in F5 BIG-IP
Hello fluzocapacitor
When you split your network into multiple route domains (RDs) on an F5 BIG-IP, each domain acts like its own separate “mini-router” with its own routing table. This means traffic doesn’t automatically move between them—even if they’re on the same device.
In your case, when a server in RD2 tries to reach a virtual server in RD0, the F5 doesn’t know how to send the traffic across unless you specifically tell it how. If this isn’t set up, the F5 keeps trying to figure out where to send the traffic, which causes the 10–15 second delay you’re seeing (or even timeouts).
Here are some recommendations:
- Make sure you have explicit routes set up in both RD2 and RD0 that tell the F5 how to reach the other domain.
- Consider creating a “forwarding” virtual server in each route domain. This acts like a bridge, letting traffic pass between domains.
In our setup, RD2 is configured with RD0 as its parent (it's using the default route domain of the partition), but RD2 also has a default route pointing to an external gateway (outside the F5).
Now I’m wondering:
Could it be that, because of this default route, the F5 is sending traffic out toward the external gateway instead of handling it internally between RD2 and RD0?
Here’s the traffic flow we’re seeing:
Client (192.168.142.4) → F5 RD2 (192.168.142.9) → CORE → FW → F5 VIP RD0 (192.168.158.79) → Pool Member (RD2 - 192.168.152.15) → F5 RD2 → FW → CORE → Client
But ideally, since the F5 handles both RD2 and RD0 internally, and the pool member is also in RD2, I would expect the connection to be routed entirely inside the F5, without leaving to the external network.
So my question is:
How can I make sure that traffic from RD2 to RD0 (and back) stays entirely within the F5 and doesn’t try to exit via the default route?
Would disabling Strict Isolation and using forwarding virtual servers in both directions solve this, or should we instead remove the default route in RD2 and define explicit internal routes for RD0 destinations?
Appreciate any advice — we’re trying to avoid traffic unnecessarily leaving the box just to re-enter.
- Injeyan_Kostas Jun 11, 2025
Nacreous
Are you doing SNAT on the Virtual Server?
With a child/parent relationship, forwarded traffic should already be allowed.
And this is actually how your RD0 VS can send traffic to the RD2 pool member.
- fluzocapacitor Jun 11, 2025
Cirrus
Yes. When the F5 receives a connection on the VS 192.168.158.79 from 192.168.142.4, it replaces the source IP before forwarding the request to the pool member 192.168.152.15. As a result, the pool member sees the connection as coming from the F5’s self IP (e.g., 192.168.152.7).
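The route-lookup question raised in this thread (does a default route in RD2 keep the lookup from ever reaching parent RD0?) can be checked with a small model. This is an added example, not code from the thread or from F5: it assumes the documented parent behaviour, where the parent route domain's table is searched only when the child has no matching route. The /24 masks, the `external-gw` next-hop label and all function names are constructed for illustration.

```python
import ipaddress

def build_table(entries):
    """Turn (cidr, next_hop) pairs into (network, next_hop) pairs."""
    return [(ipaddress.ip_network(cidr), nh) for cidr, nh in entries]

def longest_match(table, dst):
    """Longest-prefix match inside one route domain's table."""
    hits = [(net, nh) for net, nh in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def lookup(domains, rd, dst):
    """Search the child table first; fall back to the parent only on a miss.
    Returns (answering_route_domain, matched_network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    seen = set()
    while rd is not None and rd not in seen:
        seen.add(rd)
        hit = longest_match(domains[rd]["routes"], dst)
        if hit:
            return (rd, str(hit[0]), hit[1])
        rd = domains[rd]["parent"]
    return None

def make_domains(rd2_has_default):
    """Constructed tables: RD0 holds the VIP network, RD2 the client and
    pool-member networks, with RD0 as RD2's parent (as in the thread)."""
    rd2 = [("192.168.142.0/24", "connected"),
           ("192.168.152.0/24", "connected")]
    if rd2_has_default:
        rd2.append(("0.0.0.0/0", "external-gw"))  # assumed gateway label
    return {
        0: {"parent": None,
            "routes": build_table([("192.168.158.0/24", "connected")])},
        2: {"parent": 0, "routes": build_table(rd2)},
    }

VIP = "192.168.158.79"  # virtual server address in RD0, from the thread

if __name__ == "__main__":
    for has_default in (True, False):
        print("RD2 default route:", has_default,
              "->", lookup(make_domains(has_default), 2, VIP))
```

The model covers route selection only; strict isolation, SNAT and virtual server listeners are outside it.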
