
Wasim_Hassan_13
Oct 07, 2013

F5 LTM One Arm and SNAT

F5------------------>|Core SW|<---------------------users VLAN (192.168.51.0) | | | | |

 

Server VLAN 205, 200, VLAN 210

 

Hi, I have an F5 LTM connected in single-arm mode.

 

Users are connected to the core switch in a different VLAN (VLAN 51) and their gateway is the core SW. The F5 is connected to the core through a trunk port that allows VLAN 205. The servers are also connected to the core in VLAN 205.

 

I have given one self IP to the F5: 192.168.205.5. I have created the VIP 192.168.205.151 with two pool members, 192.168.205.201,202. For SNAT I put:

 

  1. Origin: all IP addresses
  2. Translation IP: the F5 self IP address (because I want to use the F5 IP as NAT)
  3. VLAN/Tunnel traffic: VLAN 205

I can ping the F5 self IP and the VIP from the users VLAN, but I am unable to open the web page.

 

Though the direct server web page is opening from the users VLAN, only through the VIP I am not able to see the page.

 

Please help me out. The VIP, pool and nodes are showing UP.

 

2 Replies

  • Hamish

    tcpdump is your friend. Verify that your VS is set to perform SNAT and that the pool is set to ALLOW SNAT.

     

    Then set up a tcpdump to look at the traffic both between the client & VS, and between the SNAT address and the pool members. If you do that to a file (-w & -s options) you can then have a look at the TCP-level information, AND the contents of the traffic (assuming it's either HTTP or you have access to the keys to decrypt).

     

    Verify that when you make a connection from the client to the VS you get a clean TCP connection, and see the request come in. And for the SNAT to pool member connection, verify that you see the connection opened and the request go out. Then verify the responses that come back as well.

     

    Also verify any errors in /var/log/ltm if you have iRules configured for example.

     

    H

     

  • Thanks for the reply, I will do it, but my concern is about the configuration: is what I am doing right? I am using the self IP (192.168.205.5) in the SNAT configuration. When I am hitting the VIP I can see the counter for SNAT increasing, but the web page is not coming up. In the virtual server setup, I have enabled the SNAT pool to automap, and for tunnel/VLAN traffic I have selected VLAN 205, where the physical servers are located. Logs:

     

    15:04:33.914271 IP 192.168.51.37.49633 > 192.168.205.151.http: S 677188679:677188679(0) win 8192
    15:04:33.914337 IP 192.168.205.151.http > 192.168.51.37.49633: S 3675946119:3675946119(0) ack 677188680 win 3780
    15:04:33.915404 IP 192.168.51.37.49633 > 192.168.205.151.http: . ack 1 win 68
    15:04:33.915438 IP 192.168.205.151.http > 192.168.51.37.49633: R 1:1(0) ack 1 win 3780
    15:04:34.424765 00:22:64:0f:70:0a (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 1514:

     

    Waiting for the assistance.
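
An added example, not part of the original thread: a small parser for the tcpdump lines posted above that tracks the client-side handshake per flow and records which side sent the reset and in which state. The function names and the state labels are assumptions made for this example.

```python
import re

# The capture lines as posted in the thread (old-style tcpdump text output).
CAPTURE = """\
15:04:33.914271 IP 192.168.51.37.49633 > 192.168.205.151.http: S 677188679:677188679(0) win 8192
15:04:33.914337 IP 192.168.205.151.http > 192.168.51.37.49633: S 3675946119:3675946119(0) ack 677188680 win 3780
15:04:33.915404 IP 192.168.51.37.49633 > 192.168.205.151.http: . ack 1 win 68
15:04:33.915438 IP 192.168.205.151.http > 192.168.51.37.49633: R 1:1(0) ack 1 win 3780
15:04:34.424765 00:22:64:0f:70:0a (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 1514:
"""

# time, src ip.port, dst ip.port, TCP flags, remainder of the line
LINE = re.compile(r"^(\S+) IP (\S+)\.(\w+) > (\S+)\.(\w+): ([SFPRWE.]+) (.*)$")

def parse(text):
    """Yield (time, src_ip, src_port, dst_ip, dst_port, flags, has_ack) per TCP line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # non-IP lines (here the 802.1Q broadcast frame) are skipped
            t, sip, sport, dip, dport, flags, rest = m.groups()
            yield t, sip, sport, dip, dport, flags, bool(re.search(r"\back \d+", rest))

def summarize(text, vip):
    """Track handshake state per client flow toward vip and record who reset it."""
    flows = {}
    for t, sip, sport, dip, dport, flags, has_ack in parse(text):
        from_vip = sip == vip
        client = (dip, dport) if from_vip else (sip, sport)
        f = flows.setdefault(client, {"state": "NEW", "reset_by": None, "payload": False})
        if "S" in flags and not has_ack and not from_vip:
            f["state"] = "SYN_SEEN"
        elif "S" in flags and has_ack and from_vip and f["state"] == "SYN_SEEN":
            f["state"] = "SYNACK_SEEN"
        elif flags == "." and not from_vip and f["state"] == "SYNACK_SEEN":
            f["state"] = "ESTABLISHED"
        elif "P" in flags:
            f["payload"] = True  # data segment seen on the client side
        if "R" in flags:
            f["reset_by"] = "vip" if from_vip else "client"
            f["reset_in_state"] = f["state"]
    return flows

if __name__ == "__main__":
    for client, info in summarize(CAPTURE, "192.168.205.151").items():
        print(client, info)
```

Running the same summary over a second capture taken between the SNAT address and the pool members, as suggested in the first reply, shows whether a server-side connection was ever opened for the flow.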