Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

jrmorris_151361's avatar
jrmorris_151361
Icon for Nimbostratus rankNimbostratus
Sep 26, 2016

NATd traffic from internet not being load balanced

I have a pair of LTMs in my DMZ and am trying to setup a simple VS with pool for http traffic. I use a public IP externally which gets NATd at the firewall to a private address in my VS subnet. I the...
application delivery
LTM
jrmorris_151361's avatar
jrmorris_151361
Icon for Nimbostratus rankNimbostratus
Sep 27, 2016

Yes, my health monitor is passing and it is using port 80. This is a RHEL virtual server.

After changing the VS to PL4, it still fails, and I get the following in the dump. 

[root@SJ505DMZF51:Active:Changes Pending] config  tcpdump -ni 0.0 port 80 and host 70.215.136.16 and not host 10.244.252.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
07:10:04.973074 IP 70.215.136.16.62628 > 10.244.252.82.http: R 3148814787:3148814787(0) ack 4048302278 win 0
07:10:04.973087 IP 10.244.250.29.http > 70.215.136.16.10337: R 4048302278:4048302278(0) ack 3148814787 win 0
07:10:07.295460 IP 70.215.136.16.10357 > 10.244.250.29.http: S 3757643125:3757643125(0) win 55520 
07:10:07.295461 IP 70.215.136.16.10355 > 10.244.250.29.http: S 2017543511:2017543511(0) win 55520 
07:10:07.295511 IP 70.215.136.16.59824 > 10.244.252.82.http: S 3757643125:3757643125(0) win 55520 
07:10:07.295669 IP 10.244.252.82.http > 70.215.136.16.59824: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:07.295679 IP 10.244.250.29.http > 70.215.136.16.10357: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:07.295926 IP 70.215.136.16.33897 > 10.244.252.82.http: S 2017543511:2017543511(0) win 55520 
07:10:07.296043 IP 10.244.252.82.http > 70.215.136.16.33897: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:07.296051 IP 10.244.250.29.http > 70.215.136.16.10355: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:08.293241 IP 70.215.136.16.10355 > 10.244.250.29.http: S 2017543511:2017543511(0) win 55520 
07:10:08.293253 IP 70.215.136.16.33897 > 10.244.252.82.http: S 2017543511:2017543511(0) win 55520 
07:10:08.293323 IP 10.244.252.82.http > 70.215.136.16.33897: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:08.293333 IP 10.244.250.29.http > 70.215.136.16.10355: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:08.295491 IP 10.244.252.82.http > 70.215.136.16.33897: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:08.295501 IP 10.244.250.29.http > 70.215.136.16.10355: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:08.293115 IP 70.215.136.16.10357 > 10.244.250.29.http: S 3757643125:3757643125(0) win 55520 
07:10:08.293136 IP 70.215.136.16.59824 > 10.244.252.82.http: S 3757643125:3757643125(0) win 55520 
07:10:08.293283 IP 10.244.252.82.http > 70.215.136.16.59824: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:08.293297 IP 10.244.250.29.http > 70.215.136.16.10357: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:08.295527 IP 10.244.252.82.http > 70.215.136.16.59824: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:08.295541 IP 10.244.250.29.http > 70.215.136.16.10357: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:10.295532 IP 10.244.252.82.http > 70.215.136.16.33897: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:10.295547 IP 10.244.250.29.http > 70.215.136.16.10355: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:10.295558 IP 10.244.252.82.http > 70.215.136.16.59824: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:10.295575 IP 10.244.250.29.http > 70.215.136.16.10357: S 3885761346:3885761346(0) ack 3757643126 win 14600 
07:10:10.297168 IP 70.215.136.16.10357 > 10.244.250.29.http: S 3757643125:3757643125(0) win 55520 
07:10:10.297183 IP 70.215.136.16.59824 > 10.244.252.82.http: S 3757643125:3757643125(0) win 55520 
07:10:10.297287 IP 70.215.136.16.10355 > 10.244.250.29.http: S 2017543511:2017543511(0) win 55520 
07:10:10.297301 IP 70.215.136.16.33897 > 10.244.252.82.http: S 2017543511:2017543511(0) win 55520 
07:10:10.297421 IP 10.244.252.82.http > 70.215.136.16.33897: S 965825031:965825031(0) ack 2017543512 win 14600 
07:10:10.297433 IP 10.244.250.29.http > 70.215.136.16.10355: S 965825031:965825031(0) ack 2017543512 win 14600

I looked at this in wireshark and am just seeing a ton of retransmissions and spurious retransmissions. Could this have something to do with the way the firewall is performing the NAT?