Forum Discussion

Enfield303's avatar
Enfield303
Icon for Nimbostratus rankNimbostratus
Dec 31, 2020

Persistence and NAT

Hello, we're using an F5 BIG IP active/passive cluster to loadbalance Always On VPN connections. To avoid asymmetric routing we're using NAT, so the VPN gateway servers will always see the same IP ad...
application delivery
BIG-IP
persistence
Amine_Kadimi's avatar
Amine_Kadimi
Icon for MVP rankMVP

In that case internal F5 will see all the traffic as coming from the same IP so you won't be able to persist based on source IP. One alternative is to inject X-Forwarded-For header from the upstream device and retrieve it in the LB and persist based on it using an irule. You can find an example here: https://devcentral.f5.com/s/question/0D51T00006i7grt/enable-source-ip-persistence-based-on-x-forwarded-ip-info

Enfield303's avatar
Enfield303
Icon for Nimbostratus rankNimbostratus
Jan 18, 2021

Thanks again Amine; does that work even when my traffic is not HTTP (its port 4500 & 500 UDP VPN traffic)

  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Jan 18, 2021

    Sorry, I didn't notice that this is for vpn traffic. In this case xff header is not applicable as it only works with http(s) traffic

  • Enfield303's avatar
    Enfield303
    Icon for Nimbostratus rankNimbostratus
    Jan 18, 2021

    If we disabled SNAT on all the devices above the internal F5s, do you hink that would work?

  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Jan 18, 2021

    Yes it should. And if you have two VS one for 500 and a second for 4500 you'll likely need to share persistence between them using the Match Across Services of the persistence profile.