I want to get the source port but it was changed by F5?
Hi, I have a question and need help:
I have a VS1 on a BIGIP 3900. I want the source port of the client to be kept, but I observed that the clients' ports are all changed by the F5:
(tmos)# show sys connection cs-server-addr 172.168.10.111 cs-server-port 443
Sys::Connections
183.19.253.127:20071 172.168.10.111:443 183.19.253.127:9114 134.176.1.157:8002 tcp 187 (tmm: 0) none
36.157.120.74:16639 172.168.10.111:443 36.157.120.74:5738 134.176.1.157:8002 tcp 139 (tmm: 0) none
183.39.54.17:46183 172.168.10.111:443 183.39.54.17:13066 134.176.1.157:8002 tcp 166 (tmm: 0) none
I have another VS2 on the same F5. The configuration is the same as VS1, but the client source port of VS2 is kept.
(tmos)# show sys connection cs-server-addr 172.168.10.222 cs-server-port 443
Sys::Connections
106.18.118.70:20673 172.168.10.222:443 106.18.118.70:20673 134.176.1.111:8443 tcp 282 (tmm: 2) none
113.247.119.213:15982 172.168.10.222:443 113.247.119.213:15982 134.176.1.111:8443 tcp 119 (tmm: 1) none
106.18.118.70:20508 172.168.10.222:443 106.18.118.70:20508 134.176.1.111:8443 tcp 96 (tmm: 3) none
The difference between VS1 and VS2 is that VS1 has more traffic than VS2. Does the client's source port change depend on VS traffic? If I want to get the source port on VS1, what should I do?
The VS configuration is below:
ltm virtual /Common/VS1_443 {
    destination /Common/172.168.10.111:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr_600 {
            default yes
        }
    }
    pool /Common/Pool_VS1_443
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual /Common/VS2_443 {
    destination /Common/172.168.10.222:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr_1800 {
            default yes
        }
    }
    pool /Common/Pool_VS2_443
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
- 1qaz
Nimbostratus
For some reason, I modified the VS address.
I think the Source Port setting for VS1 is set to Change.
You can verify it under
Virtual Server --> Configuration --> Advanced --> Source Port.
If the setting is set to Preserve, the source port will not change. You can verify this setting under the VS.
Hope it helps!
Mayur
- 1qaz
Nimbostratus
Thanks to Mayur Sutare. I logged in to the F5 and checked: the source port of VS1 was set to Preserve, and VS2 has the same setting.
Then it may be the case that the incoming source port is already in use for SNAT; in this case the system uses a different port, and this is the default behavior.
Mayur
- 1qaz
Nimbostratus
Thanks for the reply. Do you mean that the client's port was changed by SNAT before it reached the F5, or do you mean the SNAT of the F5 itself? SNAT is not configured on VS1 and VS2. The configuration of the two VSs is the same; the only difference is that the number of connections on VS1 will exceed 10,000 and the number of connections on VS2 is only about 200.
There may be a couple of reasons for such behavior. Actually, I was trying to figure it out one by one, but I could have done it in one go (my mistake).
With CMP enabled, the F5 may change the source port to keep the client-side and server-side traffic on the same TMM. Here the F5 ignores the Preserve setting.
https://support.f5.com/csp/article/K14358
Mayur
- 1qaz
Nimbostratus
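Thanks to Mayur! I think, as you said, CMP may be the real reason for all this. I think I can insert the source address and source port in an HTTP header, and get the source port of the client with an iRule. Thanks again!
when HTTP_REQUEST {
    # HTTP_REQUEST only fires when an HTTP profile is attached to the virtual server.
    # Pass the client-side source address and port to the pool member in a request header.
    HTTP::header insert Client_IP_port "[IP::client_addr]:[TCP::client_port]"
}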
- Haldema1n
Nimbostratus
We would prefer not to change the source port; we need it to stay the same. Any assistance would be appreciated. LiteBlue USPS.
There is one option to achieve this: setting Source Port to 'Preserve Strict' under the Virtual Server's Advanced Configuration. But be careful before making such a configuration change. Kindly go through the article below and verify the required prerequisites.
https://support.f5.com/csp/article/K11003
Hope it helps!
Mayur
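Added example, not part of the thread or of F5's tooling: a Python script that parses `show sys connection` rows in the format pasted in the question, counts per virtual address how many connections kept the client source port on the server side (and on which TMMs), and maps a server-side source port seen in backend logs back to the real client port. The column order (client-side client, client-side server, server-side client, server-side server, protocol, idle, tmm) is an assumption read off the pasted rows; the function names are hypothetical and only IPv4 `addr:port` rows are handled.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the two tmsh outputs quoted in the question.
SAMPLE = """\
183.19.253.127:20071 172.168.10.111:443 183.19.253.127:9114 134.176.1.157:8002 tcp 187 (tmm: 0) none
36.157.120.74:16639 172.168.10.111:443 36.157.120.74:5738 134.176.1.157:8002 tcp 139 (tmm: 0) none
106.18.118.70:20673 172.168.10.222:443 106.18.118.70:20673 134.176.1.111:8443 tcp 282 (tmm: 2) none
113.247.119.213:15982 172.168.10.222:443 113.247.119.213:15982 134.176.1.111:8443 tcp 119 (tmm: 1) none
"""

# Assumed columns: cs-client cs-server ss-client ss-server proto idle (tmm: N) ...
ROW = re.compile(
    r"^(\S+):(\d+)\s+(\S+:\d+)\s+(\S+):(\d+)\s+\S+:\d+\s+\w+\s+\d+\s+\(tmm:\s*(\d+)\)"
)

def parse(text):
    """Yield one dict per connection row; prompts and headers are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cs_ip, cs_port, vip, ss_ip, ss_port, tmm = m.groups()
        yield {"client": cs_ip, "client_port": int(cs_port), "vip": vip,
               "ss_ip": ss_ip, "ss_port": int(ss_port), "tmm": int(tmm),
               "port_preserved": cs_port == ss_port}

def summarize(text):
    """Per virtual address: preserved/changed source-port counts and TMMs seen."""
    out = defaultdict(lambda: {"preserved": 0, "changed": 0, "tmms": set()})
    for c in parse(text):
        s = out[c["vip"]]
        s["preserved" if c["port_preserved"] else "changed"] += 1
        s["tmms"].add(c["tmm"])
    return dict(out)

def original_client_port(text, ss_ip, ss_port):
    """Map the source ip:port a pool member logged back to the client's real port."""
    for c in parse(text):
        if c["ss_ip"] == ss_ip and c["ss_port"] == ss_port:
            return c["client_port"]
    return None

if __name__ == "__main__":
    for vip, s in summarize(SAMPLE).items():
        print(vip, s["preserved"], "preserved,", s["changed"], "changed, tmm", sorted(s["tmms"]))
    print(original_client_port(SAMPLE, "183.19.253.127", 9114))
```

The connection table only covers live flows, so using it to attribute a backend log entry requires capturing the output while the connection still exists.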