F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Visvesh_138292's avatar
Visvesh_138292
Icon for Nimbostratus rankNimbostratus
Oct 09, 2014

How to see the real IP in server- The traffic is from VIP:HTTPS and SNAT is enabled.

Hello,   Can anyone help me to get the real IP in server.The traffic passing is through VIP listening on https port and the SNAT is enabled to the HTTPS-VIP avoid the routing issue in my environme...
application delivery
devops
iRules
Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
Oct 14, 2014

I'm assuming most of the requests are coming from real end-users, and not client-servers. Possibly you applied SNAT configuration to make it possible for a few client-servers to access the content.

If that's the case, you can create an iRule to apply SNAT automap only when needed, and not in all use-cases. Typically you only need to apply SNAT when source and destination are in the same network.

Solution with iRule:

when CLIENT_ACCEPTED {
if {[class match [IP::client_addr] equals "data_my_network"]}
  snat automap
  log local0. "Applied SNAT for IP: [IP::client_addr]"
} else {
  do not apply SNAT
  return
}

"data_my_network" = address type LTM data-group which contains the network segment where end-servers are located (e.g 192.168.1.0/24). You then need to remove SNAT automap configuration from the virtual server (this has a possible impact and should be done during a scheduled maintenance window).

Other than that, I don't have any solutions for you. If the above is not applicable, you should either create a new network segment to solve the asymetric routing issue, or ask to migrate the SSL termination to F5.