Forum Discussion

ReWrite_132188's avatar
ReWrite_132188
Icon for Nimbostratus rankNimbostratus
Jul 02, 2014

F5 BIG-IP answers with a self-ip that is not associated with that VLAN

Hi, I am working on implementing av proxy-solution with the help of F5 BIG-IP to do SSL-decrypt.

In short:

Users surf the web, and the traffic hits the F5 internal VLAN over a fiber-trunk(2.1 and 2.2), the next hop for the traffic is a pool containing a proxy-solution(int 1.1). After the traffic has passed the proxy, it returns to the F5 on a different interface(1.2) and is Auto Mapped before being sent to the pool containing the internet facing router.

But for some reason it all stops when the proxy tries to send the traffic back to the F5 on Int 1.2. In the tcpdump I can see that the F5 is responding to requests from the proxy with the same self-IP that is defined on the internal VLAN that is assigned to the fiber trunk. And for that reason the connection times out, and the users have no internet access.

A tracert from a klient looks like this:

  • 1 <1 ms 156 ms <1 ms 192.168.50.13 - Client
  • 2 1 ms 147 ms <1 ms 192.168.50.1 - Router on the way
  • 3 2 ms 1 ms 1 ms 192.168.1.12 - BIG-IP Local self-ip internal
  • 4 2 ms 2 ms 3 ms 192.168.1.114 - Proxy IP
  • 5 4 ms 211 ms 4 ms 192.168.1.12 - BIG-IP Local self-ip - Now on the vs_proxy_return VLAN (verifed with tcpdump)
  • 6 Host unreachable

  • Internal VLAN local Self-ip: 192.168.1.12
  • Internal VLAN floating Self-ip: 192.168.1.14
  • Proxy_return VLAN local Self-ip: 192.168.1.118
  • Proxy_return VLAN floating Self-ip: 192.168.1.119

The Proxy is connected directly to the F5, no switches involved. One TP into port 1 and out again of port 2. There is no NATing in the proxy, so the packet should be untouched.

Config:

ltm virtual /Common/vs_proxy {
    description 
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_proxy
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/internal
    }
    vlans-enabled
}
}
ltm virtual /Common/vs_proxy_return {
    description ""
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_gateway
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/cp_proxy_return
    }
    vlans-enabled
}

Is this a bug, or am I doing something very very wrong here? This works on a customer I have, but on 1.4.1, this is done on 1.5.1 HF3.