Forum Discussion
wtwagon_99154
Nimbostratus
NimbostratusGeolocation / SNAT problems
Recently, my company has implemented a SiteSpect device, which is used for Multivariate Testing. Everything has been running fine until we implemented a geo-locating (display a specific page depending on IP address) application.
With that being said, I tracked the problem down to our SNAT configuration. Here's how everything is set up:
1) Web request comes in to external, internet facing VIP (external VIP contains SiteSpect device in a pool and there is no SNAT AutoMap turned on)
2) SiteSpect Device does a reverse proxy to an internal VIP (172.16.1.217/21) keeping all IP address information in tact.
3) Internal VIP has 4 web servers in the pool and SNAT AutoMap is not turned on. The web servers are also on the same network as the 172.16.1.217/21 (172.16.2.48-172.16.2.51)
So, what I see is a web request come in to the SiteSpect device from an IP address of 24.0.34.205 (external Comcast Address). The reverse-proxy then goes to the internal VIP, which lands it on one of the 4 web servers. On the web servers, I see a request coming from the SNAT address of the F5.
I have the entire 172.16.0.0/21 network SNAT to one IP address, so this is of course the IP address that I see on the SiteSpect device. All servers have a default gateway of the F5 internal floating IP address (172.16.1.240).
To try to remediate this SNAT, i put a simple iRule on the internal VIP that removes the SNAT.
when CLIENT_ACCEPTED {
log "Removing SNAT"
snat none
}
However, once I remove the SNAT, the traffic never appears to get to the web servers. Unfortunately, I am also not able to use the "Insert XForwarded For" either, because of the changes necessary to our code and to our apache servers.
I did some searching through the Forums to look for any other iRules that may assist myself in this issue, but I have not found anything yet that would help tackle this problem. Has anyone else experienced this problem?
Juerg_WiesmannHi
I think your iRule will remove SNAT for all traffic, It is like not enabling it on the VS.
Are there Firewalls behind not allowing to come with the original IP ?
Otherwise do a TCP Dump to see the request leaving the internal VLAN and check for any responses.
Jürg Wiesmann
wtwagon_99154The iRule was actually applied to a specific VIP, not for the entirety.
However, I think I've resolved the issue:
when CLIENT_ACCEPTED {
log "Removing SNAT"
snat none
forward
}
I added a forward in, and that appeared to take care of the problem.- wtwagon_99154well, I believe I spoke too soon.
As soon as I put the forward option in, it appeared to send the traffic correctly.
However, as soon as we put the no-snat on, our reverse proxy health check in the F5 starts alarming with 503 error, and ultimately rips the reverse proxy out of the rotation.
I'm going to run some TCP dumps to take a look at the issue further. The problem seems to exist when the reverse proxy connects to the internal VIP, as it SNATS by default to a specific IP address. When we remove the SNAT, it seems to not be able to get there. Anyone have some thoughts? 
josecmp_106515Hi, were you able to fix this issue?- wtwagon_99154The issue was that we hosted an outbound SNAT on the F5, and did not have IP forwarding turned on.
Since we have the firewall on the edge of our architecture and the F5 inside, I moved the SNAT outbound to the firewall and turned IP forwarding on the F5. After that, traffic seemed to flow properly.
However, I can't really assist much further with the configuration since we have re-architected everything. Thanks