Forum Discussion
Jeff_42220
Nimbostratus
NimbostratusGetting return traffic from a server to the LTM without using SNAT?
Hello,
I wanted to see if anybody has an idea on how I can get past the following problem.
In an environment where back end servers connect to both an LTM and a firewall on separate interfaces/VLANs, we have run into a problem where the application on the server is only seeing the BigIP as the source address. We do have automap SNAT enabled which is what is causing the address translation in the first place. This is needed because the routing on the servers would otherwise send return traffic to the firewall and not back through the LTM, and the firewall would drop this asymmetric connection.
We have tried inserting the X-Forwarded-For HTTP header, but the application being used on the back end server isn't able to pick that up.
So, is there anyway, if SNAT is disabled, that we could still get the server to return the traffic back through the LTM, although that would be against what the server's routing table says?
Thanks!!
Jeff
- The_BhattmanHi Jeff,
Since there is no exact detail of how the topology is setup I can only provide you avenues for you to investigate.
But I had a similar requirement from a customer and the way I made this work was
I created a VLAN on the switch where the nodes lived on. There default gateway was the switch. However, I placed Policy Based Routing where if anything on address on the backend servers needed to talk to clients through the fireway I would push it through LTM. Everthing else would go through the switch. This way any vlan to vlan traffic would use the power of the switch rather then go through the LTM. The LTM then had a route to the firewall with forwarding IP turned on.
Hope this helps
CB
