Hi, I am working on implementing av proxy-solution with the help of F5 BIG-IP to do SSL-decrypt. In short: Users surf the web, and the traffic hits the F5 internal VLAN over a fiber-trunk(2.1 and 2.2), the next hop for the traffic is a pool containing a proxy-solution(int 1.1). After the traffic has passed the proxy, it returns to the F5 on a different interface(1.2) and is Auto Mapped before being sent to the pool containing the internet facing router. But for some reason it all stops when the proxy tries to send the traffic back to the F5 on Int 1.2. In the tcpdump I can see that the F5 is responding to requests from the proxy with the same self-IP that is defined on the internal VLAN that is assigned to the fiber trunk. And for that reason the connection times out, and the users have no internet access. A tracert from a klient looks like this: 1 <1 ms 156 ms <1 ms 192.168.50.13 - Client2 1 ms 147 ms <1 ms 192.168.50.1 - Router on the way3 2 ms 1 ms 1 ms 192.168.1.12 - BIG-IP Local self-ip internal4 2 ms 2 ms 3 ms 192.168.1.114 - Proxy IP5 4 ms 211 ms 4 ms 192.168.1.12 - BIG-IP Local self-ip - Now on the vs_proxy_return VLAN (verifed with tcpdump)6 Host unreachable Internal VLAN local Self-ip: 192.168.1.12Internal VLAN floating Self-ip: 192.168.1.14Proxy_return VLAN local Self-ip: 192.168.1.118Proxy_return VLAN floating Self-ip: 192.168.1.119 The Proxy is connected directly to the F5, no switches involved. One TP into port 1 and out again of port 2. There is no NATing in the proxy, so the packet should be untouched. Config: ltm virtual /Common/vs_proxy { description destination /Common/0.0.0.0:0 mask any pool /Common/pool_proxy profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { /Common/internal } vlans-enabled } } ltm virtual /Common/vs_proxy_return { description "" destination /Common/0.0.0.0:0 mask any pool /Common/pool_gateway profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { /Common/cp_proxy_return } vlans-enabled } Is this a bug, or am I doing something very very wrong here? This works on a customer I have, but on 1.4.1, this is done on 1.5.1 HF3.

YOur problem description is a bit unclear, but I'd like to point out a few things. The BIGIP is unlikely to be responding to Requests from your proxies. Your Proxies should be sending Connections to a specific IP address on the BigIP (a Virtual Address most likely), and so the response to the proxy will be the IP of the virtual. If you see some traffic from the Bigip to the Proxy and it is using a floating IP address, then it is likely to be traffic originating from a client, and also handled by a Virtual server. If you see traffic with a self-IP, then it is most likely to be monitor traffic (and you should probably ignore it). You will need to describe better what objects are involved, and how the traffic flows. Example: Ingres ->vlan internal -> Virtual vsinbound ->Egres: vlan proxy; -> Pool: proxy-pool Then paste the config of the virtual. Do this for all the relevant flows, and it should present a better picture what's going on...

After the traffic has passed the proxy, it returns to the F5 on a different interface(1.2) and is Auto Mapped before being sent to the pool containing the internet facing router. i do not see snat automap (source-address-translation { type automap }) in vs_proxy_return virtual server. are you using snat list for traffic from proxy? can you post the configuration? tmsh list snat (snat list name) But for some reason it all stops when the proxy tries to send the traffic back to the F5 on Int 1.2. In the tcpdump I can see that the F5 is responding to requests from the proxy with the same self-IP that is defined on the internal VLAN that is assigned to the fiber trunk. is the response of the request from proxy indeed? is tcp sequence and acknowledgment number correct?

Thanks for the answers. I know the explanation is kinda hard to understand.. Second try: Ingres- vlan Internal -> Virtual vs_proxy -> Egres Vlan cp_proxy - > Pool: pool_proxy - > Proxy - > Ingres -> vlan cp_proxy_return -> Virtual vs_proxy_return - > Pool: pool_gateway -> Internet. The traffic stops on Virtual vs_proxy_return. I can ping the F5 from the proxy, and the F5 can ping the proxy on the corrects IPs. But doing a packet dump I can only see the IP from the Internal vlan responding to packets from the Proxy.. Config ltm snat-translation /Common/182.xx.xx.149 { address 182.xx.xx.149 inherited-traffic-group true traffic-group /Common/traffic-group-1 } ltm snat-translation /Common/182.xx.xx.150 { address 182.xx.xx.150 inherited-traffic-group true traffic-group /Common/traffic-group-1 } ltm snat-translation /Common/185.xx.xx.146 { address 185.xx.xx.146 inherited-traffic-group true traffic-group /Common/traffic-group-1 } ltm snatpool /Common/sNAT-pool-outbound-inet { members { /Common/182.xx.xx.149 /Common/182.xx.xx.150 } } ltm virtual /Common/vs_ext_all { description destination /Common/0.0.0.0:0 mask any pool /Common/pool_proxy_ext profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { /Common/external } vlans-enabled } ltm virtual /Common/vs_ext_ret_all { description destination /Common/0.0.0.0:0 mask any pool /Common/pool_gateway_int profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { /Common/cp_proxy } vlans-enabled } ltm virtual /Common/vs_proxy { description destination /Common/0.0.0.0:0 mask any pool /Common/pool_proxy profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { /Common/internal } vlans-enabled } ltm virtual /Common/vs_proxy_https { description destination /Common/0.0.0.0:443 ip-protocol tcp mask any pool /Common/pool_proxy profiles { /Common/clientssl { context clientside } /Common/http { } /Common/serverssl { context serverside } /Common/tcp { } } rules { /Common/pre_proxy } source 0.0.0.0/0 translate-address disabled translate-port enabled vlans { /Common/internal } vlans-enabled } ltm virtual /Common/vs_proxy_return { description destination /Common/0.0.0.0:0 mask any pool /Common/pool_gateway profiles { /Common/fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { /Common/cp_proxy_return } vlans-enabled } ltm virtual /Common/vs_proxy_return_http { description destination /Common/0.0.0.0:80 ip-protocol tcp mask any pool /Common/pool_gateway profiles { /Common/http { } /Common/serverssl-insecure-compatible { context serverside } /Common/tcp { } } rules { /Common/post_proxy } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled vlans { /Common/external } vlans-enabled } ltm virtual-address /Common/0.0.0.0 { address any arp disabled icmp-echo disabled mask any traffic-group /Common/traffic-group-1 } ltm data-group internal /Common/bypass_nett { type ip } ltm data-group internal /Common/host_bypass { type string } ltm data-group internal /Common/hostname_bypass { type ip } ltm profile web-acceleration /Common/optimized-caching { app-service none cache-max-age 86400 cache-object-max-size 2000000 cache-object-min-size 0 cache-size 7mb defaults-from /Common/webacceleration } ltm profile web-acceleration /Common/webacceleration { app-service none cache-aging-rate 9 cache-client-cache-control-mode all cache-insert-age-header enabled cache-max-age 3600 cache-max-entries 10000 cache-object-max-size 50000 cache-object-min-size 500 cache-size 75mb cache-uri-exclude none cache-uri-include { .* } cache-uri-include-override none cache-uri-pinned none metadata-cache-max-size 25mb } net route /Common/DMZ-nett { gw 192.168.xx.1 network 185.xx.xx.128/26 } net route /Common/external_default_gateway { interface /Common/external network default } net route /Common/net-172.16.0.0-mask12 { gw 192.168.xx.1 network 172.16.0.0/12 } net route /Common/net-192.168.0.0-mask16 { gw 192.168.xx.1 network 192.168.0.0/16

The traffic stops on Virtual vs_proxy_return. I can ping the F5 from the proxy, and the F5 can ping the proxy on the corrects IPs. But doing a packet dump I can only see the IP from the Internal vlan responding to packets from the Proxy. have you configured floating self ip on every vlan? sol7336: The SNAT Automap and self IP address selection http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7336.html

There is a floating IP for every vlan, to ensure proper HA.

ReWrite_132188

Nimbostratus

Jul 02, 2014

F5 BIG-IP answers with a self-ip that is not associated with that VLAN

Hi, I am working on implementing av proxy-solution with the help of F5 BIG-IP to do SSL-decrypt.

In short:

Users surf the web, and the traffic hits the F5 internal VLAN over a fiber-trunk(2.1 and 2.2), the next hop for the traffic is a pool containing a proxy-solution(int 1.1). After the traffic has passed the proxy, it returns to the F5 on a different interface(1.2) and is Auto Mapped before being sent to the pool containing the internet facing router.

But for some reason it all stops when the proxy tries to send the traffic back to the F5 on Int 1.2. In the tcpdump I can see that the F5 is responding to requests from the proxy with the same self-IP that is defined on the internal VLAN that is assigned to the fiber trunk. And for that reason the connection times out, and the users have no internet access.

A tracert from a klient looks like this:

1 <1 ms 156 ms <1 ms 192.168.50.13 - Client
2 1 ms 147 ms <1 ms 192.168.50.1 - Router on the way
3 2 ms 1 ms 1 ms 192.168.1.12 - BIG-IP Local self-ip internal
4 2 ms 2 ms 3 ms 192.168.1.114 - Proxy IP
5 4 ms 211 ms 4 ms 192.168.1.12 - BIG-IP Local self-ip - Now on the vs_proxy_return VLAN (verifed with tcpdump)
6 Host unreachable

Internal VLAN local Self-ip: 192.168.1.12
Internal VLAN floating Self-ip: 192.168.1.14
Proxy_return VLAN local Self-ip: 192.168.1.118
Proxy_return VLAN floating Self-ip: 192.168.1.119

The Proxy is connected directly to the F5, no switches involved. One TP into port 1 and out again of port 2. There is no NATing in the proxy, so the packet should be untouched.

Config:

ltm virtual /Common/vs_proxy {
    description 
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_proxy
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/internal
    }
    vlans-enabled
}
}
ltm virtual /Common/vs_proxy_return {
    description ""
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_gateway
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/cp_proxy_return
    }
    vlans-enabled
}

Is this a bug, or am I doing something very very wrong here? This works on a customer I have, but on 1.4.1, this is done on 1.5.1 HF3.