For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vernon_97235's avatar
Vernon_97235
Historic F5 Account
Jul 29, 2015

I would recommend using 

tcpdump
to look at the traffic flow:

and check /var/log/ltm to ensure that there are no errors. Since you have the http profile applied, the flow should look like this in a tcpdump:

 CLIENT                     BIG-IP                  SERVER
         --- SYN      --->    |
         <-- SYN/ACK  ---     |
         --- ACK      --->    |
         ---  --->    |
                              +  --- SYN      --->
                              + <--- SYN/ACK  ---
                              +  --- ACK      --->
                              +  ---  --->

where REQHDR are the request headers. On the second half (between the BIG-IP and the SERVER), the source address will be the SNAT source address (172.16.254.50).

Having said all of that, the SNAT source address on the BIG-IP (172.16.254.50) must be able to reach the public addresses (since it's an RFC 1918 address, I assume it is subject to further address translation somewhere else?) and there must be a route back to that address.

  • Vishal_Bhugra_1's avatar
    Vishal_Bhugra_1
    Icon for Nimbostratus rankNimbostratus
    Jul 30, 2015
    I did the packet capture, but I do see the HTTP header, But I am not sure how can How can I capture the server side. I have only one vlan and a default route. The SNAT SOURCE 172.16.254.50 is behind the Firewall, where it is getting NAT. Will it work ?