Forum Discussion

Michael_J__Whee's avatar
Michael_J__Whee
Icon for Nimbostratus rankNimbostratus
Jan 05, 2012

Issues with Backup Software and Forwarding (IP) Virtual Server

We are having issues backing up servers that are behind the F5 devices. They are on the "internal" F5 network, and our backup server is "external" to the F5.

 

 

We have set up a forwarding (ip) virtual server for the "internal" network. However, when we make connections through it, the source IP that the server being backed up sees is the default SNAT IP address.

 

 

 

This breaks the backup process because it relies on DNS resolution to work. So, the server being backed up sees an incoming connection from the SNAT IP, tries to resolve it, and it's different that what it expects, so it bails out.

 

 

 

How do I configure it so that the source IP address is preserved when going through the Forwarding (IP) virtual server? Do I instead need to be using a Forwarding (Layer 2) virtual server?

 

config
design
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 05, 2012
    if you do not need snat, why won't you remove snat from configuration?

     

     

    anyway, if you want to disable snat on forwarding (ip) virtual server only, can you try "snat none" in irule?

     

     

    snat wiki

     

    http://devcentral.f5.com/wiki/iRules.snat.ashx
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 05, 2012
    e.g. 

    [root@ve1023:Active] config  b virtual bar list
virtual bar {
   ip forward
   destination any:any
   mask 0.0.0.0
}
[root@ve1023:Active] config  b snat snat_all list
snat snat_all {
   automap
   snatpool none
   origins default inet
}

200.200.200.101 is translated to 172.28.19.80 (selfip).

[root@ve1023:Active] config  tcpdump -nni 0.0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
10:23:04.381704 IP 200.200.200.101 > 8.8.8.8: ICMP echo request, id 63498, seq 1, length 64
10:23:04.383676 IP 172.28.19.80 > 8.8.8.8: ICMP echo request, id 63498, seq 1, length 64

[root@ve1023:Active] config  b virtual bar list
virtual bar {
   ip forward
   destination any:any
   mask 0.0.0.0
   rules myrule
}
[root@ve1023:Active] config  b snat snat_all list
snat snat_all {
   automap
   snatpool none
   origins default inet
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        snat none
}
}

after applying the irule, 200.200.200.101 is not translated.

[root@ve1023:Active] config  tcpdump -nni 0.0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
10:24:32.153696 IP 200.200.200.101 > 8.8.8.8: ICMP echo request, id 64266, seq 1, length 64
10:24:32.153863 IP 200.200.200.101 > 8.8.8.8: ICMP echo request, id 64266, seq 1, length 64
  • Michael_J__Whee's avatar
    Michael_J__Whee
    Icon for Nimbostratus rankNimbostratus
    Jan 05, 2012
    The problem is that we need SNAT for certain things, but we also need to be able to back up these servers behind the LTMs.

     

     

    Are there any other solutions that require less overhead than an iRule?