dragonflymr
Mar 13, 2015

Flow, is this correct description

Hi,

Trying to understand flows in LTM. In SOL13637: Capturing internal TMM information with tcpdump there is an example of flows like this:

Packet from client to BIG-IP 10.1.1.1:1234 -> 10.1.1.3:80
flow id:  5678
peer id:  4356
Peer remote address: 10.2.1.5
Peer remote port: 80
Peer local address: 10.2.1.3
Peer local port: 1234

Packet from server to BIG-IP 10.2.1.3:1234-> 10.2.1.5:80
Flow id: 4356
Peer id: 5678
Peer remote address: 10.1.1.1
Peer remote port: 1234
Peer local address: 10.1.1.3
Peer local port: 80

My understanding is that the first flow (flow id: 5678) is for a packet traveling from client to pool member:

  1. Client to BIG-IP 10.1.1.1:1234 -> 10.1.1.3:80
  2. BIG-IP to member 10.2.1.3:1234 -> 10.2.1.5:80 (SNAT used, port preserved)

The second flow is from member to client (flow ID: 4356), referenced as peer id in the first flow:

  1. member to BIG-IP 10.2.1.5:80 -> 10.2.1.3:1234
  2. BIG-IP to client 10.1.1.3:80 -> 10.1.1.1:1234

But the description of the second flow states "Packet from server to BIG-IP 10.2.1.3:1234-> 10.2.1.5:80", shouldn't it state "Packet from server to BIG-IP 10.2.1.5:80 -> 10.2.1.3:1234"?

Packet from server to BIG-IP 10.2.1.3:1234-> 10.2.1.5:80 looks to me like BIG-IP speaking with the member, and this is part of the first flow.

So am I right or wrong?

Piotr

5 Replies

  • Hi,

    Please check this: the term peer is used to describe and identify a connection. A connection is two flows. Each flow is a peer of the other.

    And with a little bit of Internet surfing you can find that a flow is a sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. RFC 2722 defines traffic flow as "an artificial logical equivalent to a call or connection."

    Remember that a flow itself is different from the Flow ID: a number identifying a flow within TMM. The same flow ID can be used for different flows in different TMMs. Also, the same flow ID can be re-used for a different flow within the same TMM at a different time.


  • Packet from server to BIG-IP 10.2.1.3:1234-> 10.2.1.5:80

    I think this one should be a packet from bigip to server (rather than a packet from server to bigip). It is the serverside connection.

    • dragonflymr
      Sure, this is another option :-), so still, what is in the SOL is a mistake that confused me a bit. Thanks a lot for the explanation, it helped me a lot. Piotr
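
The pairing described in the replies (a connection is two flows, each the peer of the other), worked through on the two records quoted in the question. This is an added example, not part of the original thread and not F5 code; the function names are hypothetical, and it assumes "peer local" is the BIG-IP end and "peer remote" the far end of the peer flow.

```python
import re
from collections import namedtuple
# Constructed input: the two records quoted in the question, labels lower-cased.
SAMPLE = """\
flow id: 5678
peer id: 4356
peer remote address: 10.2.1.5
peer remote port: 80
peer local address: 10.2.1.3
peer local port: 1234

flow id: 4356
peer id: 5678
peer remote address: 10.1.1.1
peer remote port: 1234
peer local address: 10.1.1.3
peer local port: 80
"""

# Assumption: "local" is the BIG-IP end of a flow, "remote" the far end.
Flow = namedtuple("Flow", "flow_id peer_id local remote")

def parse_records(text):
    """Return {flow id: fields} for blank-line-separated records."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip().lower(): v.strip() for k, _, v in
                  (line.partition(":") for line in block.splitlines())}
        records[fields["flow id"]] = fields
    return records

def build_flows(records):
    """A flow's own endpoints are the 'peer ...' fields of its peer's record."""
    def end(rec, side):
        return rec[f"peer {side} address"], int(rec[f"peer {side} port"])
    flows = {}
    for fid, rec in records.items():
        peer = records.get(rec["peer id"])
        if peer is None or peer["peer id"] != fid:
            raise ValueError(f"flow {fid}: peer ids do not reference each other")
        flows[fid] = Flow(fid, rec["peer id"], end(peer, "local"), end(peer, "remote"))
    return flows

def direction(flow, src, dst):  # src and dst are (ip, port) tuples
    if (src, dst) == (flow.remote, flow.local):
        return "to BIG-IP"
    if (src, dst) == (flow.local, flow.remote):
        return "from BIG-IP"
    return "not on this flow"
```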