Hi, Below is the config of virtual, pool and snatpool on F5 that is in production. need assitance. snatpool vlan12_sp { member 63.25.36.7 } pool reversenpath_vlan12_pl { member 63.25.36.1:any } virtual reversenpath_vlan20_vs { snatpool vlan12_sp pool reversenpath_vlan25_pl destination any:any mask 0.0.0.0 profiles fastl4_reversenpath_default {} vlans 20 enable Internet is not working on the servers connected to vlan 20. Thanks - genseek

is snatpool and pool really correct? one is vlan12 but the other one is vlan25. virtual reversenpath_vlan20_vs { snatpool vlan12_sp <<<<< pool reversenpath_vlan25_pl <<<<< destination any:any mask 0.0.0.0 profiles fastl4_reversenpath_default {} vlans 20 enable

Sorry about that...a typo..correct config is as below virtual reversenpath_vlan20_vs { snatpool vlan12_sp pool reversenpath_vlan12_pl destination any:any mask 0.0.0.0 profiles fastl4_reversenpath_default {} vlans 20 enable

configuration looks ok to me except vlan name. anyway, i think it might be a typo. have you tried to capture packet? tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host 63.25.36.7 x.x.x.x is client ip

Will generate the dump and let you know. meanwhile, want some clarifications, A) This virtual has no VIP, how will then the client access this virtual ? B) Assuming, a client is sending a request to this virtual,what will the commd, do to the client request.? genseek

A) This virtual has no VIP, how will then the client access this virtual ? i understand you are asking about wildcard virtual server e.g. any:any. the wildcard virtual server accepts traffic destined to any ip address. anyway, you know we have to make sure client traffic passes through bigip e.g. routing. B) Assuming, a client is sending a request to this virtual,what will the commd, do to the client request.? you may use "b conn" command to display active entry in connection table.

F5 Issue | DevCentral

39 Replies

nitass
Employee
Feb 14, 2012
Trace from the server to internet is getting dropped at upstream router.can you run tcpdump on bigip to see whether bigip sends traffic to pool with correct snat address? if you are able to see bigip sending packet but no reply, next step might have to check at upstream router.
genseek_32178
Nimbostratus
Feb 14, 2012
nitass..

can you plz send me the exact tcpdump command to be run on bigip in this context, with all IPs?

where will the output get stored? in the bigip? or the server from where we r accessing the bigip?

How can i access the output.?
nitass
Employee
Feb 14, 2012
can you plz send me the exact tcpdump command to be run on bigip in this context, with all IPs? tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host destination-ip-address

where will the output get stored? in the bigip? or the server from where we r accessing the bigip? it will be saved in /var/tmp directory of bigip.

How can i access the output.?you can download output.pcap to your desktop using tool such as winscp and then open the file using wireshark.
genseek_32178
Nimbostratus
Feb 14, 2012

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host destination-ip-address

what is the host and destination IP address here? is it any internet based URL/IP?
genseek_32178
Nimbostratus
Feb 14, 2012
Also, another question....

the i rule associated here with the virtual server is for incoming traffic from the client,...right? .......Not for the outbound traffic for Inet..initiated from the server..right?

The server has upstream router as its default GWY.. this being the case ...please clarify....

if the server were to initiate traffic for say, www.yahoo.com, its source address would be NATd/changed by bigip, as per the iRule..and then the packet would travel to outbound with a public src-ip from the snatpool smtpsnat...?

Is this correct?

But in the below config

pool reversenpath_20 ---> has member as upstream router IP. Which means, if bigip is seeing incoming traffic, is it load balancing to upstream router? if so, why would it do so?

snatpool smtpsnat --> snat is used only to change the src-ip of inbound client traffic. Here, is the snat is being used to change the src-ip of traffic initiated from the server that is internet bound?
genseek_32178
Nimbostratus
Feb 14, 2012

nitass,

anu updates..please?

genseek
nitass
Employee
Feb 15, 2012
what is the host and destination IP address here? is it any internet based URL/IP?only destination-ip-address has to be replaced with internet address.

e.g.

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 1.1.1.1

the i rule associated here with the virtual server is for incoming traffic from the client,...right? .......Not for the outbound traffic for Inet..initiated from the server..right?not really. virtual server can use for either incoming traffic from client or outbound traffic from server.

The server has upstream router as its default GWY.. this being the case ...please clarify....so, doesn't outbound traffic which is initiated from serevr pass through bigip?

if the server were to initiate traffic for say, www.yahoo.com, its source address would be NATd/changed by bigip, as per the iRule..and then the packet would travel to outbound with a public src-ip from the snatpool smtpsnat...?yes if that traffic passes through bigip.

pool reversenpath_20 ---> has member as upstream router IP. Which means, if bigip is seeing incoming traffic, is it load balancing to upstream router? if so, why would it do so?isn't the virtual server for outbound traffic from server?

snatpool smtpsnat --> snat is used only to change the src-ip of inbound client traffic.not really. snat is able to translate source address for outbound traffic too.
genseek_32178
Nimbostratus
Feb 15, 2012
server has its gwy as bigip floating ip. Hence, the outbound traffic for internet passes through bigip.

but the following command is disturbing me,

pool reversenpath_vlan12_pl { member 63.25.36.1:any }

I understand that a pool basically comprises of servers to which incoming traffic from the client is load balanced.

but here the pool comprises of upstream router IP. and i'm not able to understand, if this pool is for inbound traffic or outbound traffic?

If it is for inbound traffic --->which means, traffic coming from the client to a server in the pool. But the pool here has no server but router IP.

If it is for outbound traffic ---> say, if a server with bigip as its gwy initiates traffic for yahoo.com, how is this pool used?
genseek_32178
Nimbostratus
Feb 16, 2012
Anu update nitass?
nitass
Employee
Feb 16, 2012
If it is for outbound traffic ---> say, if a server with bigip as its gwy initiates traffic for yahoo.com, how is this pool used? under virtual server configuration, there are address translation and port translation setting. when they are turned off (uncheck), bigip won't translate destination address and port (virtual server address and port) when sending traffic to pool. so, pool will route traffic then.

by default, they are turned off when creating wildcard virtual server.

Forum Discussion

F5 Issue

39 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

F5 XC 503 upstream_reset_before_response_started{protocol_error}

CVE mitigation on F5 XC vs classic F5 WAF

F5 mssql health monitor failing

Could not communicate with the system. Try to reload page.

UCS Encryption Question

Related Content

F5 HTTPS Redirect 2025

New iOS F5 Access version (3.1.0) issues

F5 GTM resolution issue

F5 Threat Report - November 19th, 2025

F5 Threat Report - November 26th, 2025

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS