For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

habib_Khan's avatar
habib_Khan
Icon for Nimbostratus rankNimbostratus
Jun 30, 2016

Load-Balancing Client IP and VIP on same subnet- Doesnt work

My vip: 172.27.48.X using SNAT. SNAT is same as VIP IP address Client connecting is from 172.27.48.X Client and LB gateway is 172.27.48.1. From connection table i see below. From connection table i can see the connection is not sent to members. 172.27.48.204%63:53191 172.27.48.96%63:80 any6.any any6.any tcp 11 (slot/tmm: 1/3) none

 

All other connection are getting complete 10.20.128.116%63:59192 172.27.48.96%63:80 172.27.48.96%63:59192 172.27.53.198%63:80 tcp 5 (slot/tmm: 1/0) none

 

Did tcpdump and below is the capture. || cpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 09:13:42.346866 arp reply 172.27.48.96 is-at 00:23:e9:ab:86:0a f5 type 244 len 9 09:13:42.347094 IP 172.27.48.96.80 > 172.27.48.204.62531: S 3066905454:3066905454(0) ack 3572684708 win 4380 09:13:45.346634 IP 172.27.48.96.80 > 172.27.48.204.62531: S 3066905454:3066905454(0) ack 3572684708 win 4380 09:13:51.346867 IP 172.27.48.96.80 > 172.27.48.204.62531: S 3066905454:3066905454(0) ack 3572684708 win 4380 09:14:03.347670 IP 172.27.48.96.80 > 172.27.48.204.62531: S 3066905454:3066905454(0) ack 3572684708 win 4380 09:15:03.609881 arp reply 172.27.48.96 is-at 00:23:e9:ab:86:0a f5 type 244 len 9

 

Kindly let me know what might be causing the issue.

 

application delivery
BIG-IP
LTM

3 Replies

  • IainThomson85_1's avatar
    IainThomson85_1
    Icon for Cumulonimbus rankCumulonimbus
    Jun 30, 2016

    Without knowing your exact setup, its difficult to comment.

     

    Whats your reason for using SNAT ?

     

    It would make logical sense that you would have The VIP on a different VLAN to the server side traffic.

     

  • Mike_Dayton_108's avatar
    Mike_Dayton_108
    Icon for Nimbostratus rankNimbostratus
    Jul 14, 2016

    In a one arm configuration using automap can be tricky trying to troubleshoot flows. It maps all flows to the same SNAT address.

     

    An alternate solution is to SNAT to the VIP address with an iRule. This helps you connect the dots when troubleshooting, because the SNAT'd server side traffic will originate from the same IP as the VIP.

     

    when CLIENT_ACCEPTED { snat [IP::local_addr] }