F5 not routing traffic through floating IP
Hi,
I am not sure if I understand your traffic flow:
When the user is accessing the server directly, requests come into the firewall and the firewall passes them to the server; when the server responds back, the traffic is going through F5.
Do you mean that the SYN packet from the user is going directly to the server and then the SYN, ACK from the server is going not directly to the user but via F5?
So it would be a bit different than the flow you provided; from the description it looks to me like this:
ACK packet: (192.168.x.x) user -> FW -> Server
SYN, ACK packet: Server -> F5(VIP) -> FW -> (192.168.x.x) user
What is the reason for asymmetric routing here? Why not send all traffic via F5?
If this is the case, then tcpdump on F5 is showing correct results.
For such a flow, SNAT would not change the client IP because F5 is processing only traffic returning from the server, not traffic coming from the client to the server.
If you say "followed by a RST from src to the server", what do you mean by src - the IP of the client that originally sent the ACK packet?
If so, then for some reason the client is not accepting the SYN, ACK from the server - the best way is to capture traffic on the client to see why. That will also prove who is sending the RST - the client, F5, or maybe the FW? For a flow like that there is a change in MAC address that could cause the FW to drop the packet:
ACK packet will have: src MAC FW NIC, dst MAC server NIC
SYN, ACK packet (when received by FW) will have: src MAC F5 interface (instead of server NIC), dst MAC FW NIC
It could be that your VS config is wrong; as already mentioned, could you post the VS config:
tmsh list ltm virtual
Could you post your fastL4 profile listing
tmsh list ltm profile fastl4
Piotr
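
Added example, not part of the reply above: a small Python check for the MAC mismatch the reply describes, run over packet records as they would be seen on the firewall's server-side interface. The `Pkt` record, the function name and every IP and MAC value are constructed for illustration.

```python
# Added illustration; all packets, IPs and MACs below are constructed placeholders.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src_ip sport dst_ip dport flags src_mac dst_mac")

FW_MAC, SERVER_MAC, F5_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def find_l2_asymmetry(packets):
    """Flag TCP handshakes whose SYN,ACK arrives from a different L2 hop
    than the one the SYN was forwarded to (flags: "S" = SYN, "SA" = SYN,ACK)."""
    syns = {}      # (client_ip, client_port, server_ip, server_port) -> SYN packet
    findings = []
    for p in packets:
        flags = set(p.flags)
        if flags == {"S"}:
            syns[(p.src_ip, p.sport, p.dst_ip, p.dport)] = p
        elif flags == {"S", "A"}:
            flow = (p.dst_ip, p.dport, p.src_ip, p.sport)
            syn = syns.get(flow)
            if syn is None:
                # What a device that only sits on the return path would see.
                findings.append((flow, "SYN,ACK seen without the SYN"))
            elif p.src_mac != syn.dst_mac:
                findings.append((flow, f"SYN went to {syn.dst_mac}, SYN,ACK came from {p.src_mac}"))
    return findings

# Constructed view from the firewall's server-side interface.
FIREWALL_VIEW = [
    # Asymmetric flow: forwarded to the server, answered via the F5.
    Pkt("192.168.10.5", 40000, "10.0.0.20", 443, "S", FW_MAC, SERVER_MAC),
    Pkt("10.0.0.20", 443, "192.168.10.5", 40000, "SA", F5_MAC, FW_MAC),
    # Symmetric flow for comparison: answered by the server NIC itself.
    Pkt("192.168.10.6", 40001, "10.0.0.20", 443, "S", FW_MAC, SERVER_MAC),
    Pkt("10.0.0.20", 443, "192.168.10.6", 40001, "SA", SERVER_MAC, FW_MAC),
]

if __name__ == "__main__":
    for flow, reason in find_l2_asymmetry(FIREWALL_VIEW):
        print(flow, reason)
```

A stateful firewall that ties a session to the next hop it forwarded to can drop the first flow's reply, which is the failure the reply suggests confirming with a capture.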