Forum Discussion

GeneUWG_150657's avatar
GeneUWG_150657
Icon for Nimbostratus rankNimbostratus
Jul 22, 2015

Routing udp syslog through F5 LTM without losing source IP

I am trying to figure out how to route udp syslog messages through my F5's without it modifying the source IP. I can get the messages through when I setup a "Standard" virtual server with Auto Map enabled but that changes the IP. No other setting I have tried actually lets the message get to the backend nodes. Any help would be greatly appreciated.

 

FWIW, the use case here is this:

 

(udp syslog from switches) -> LTM -> (pool of Logstash servers) -> Redis -> (Logstash indexer) -> Elasticsearch

 

The reason for the LTM is both HA and load balancing. The LTM is in an active / standby pair and there are multiple Logstash servers in the pool. This gives me both reliability and performance.

 

  • I am having an issue understanding why UDP syslog packets are requiring SNAT - there is no reply packet for syslog, so nothing need to go back to the LTM/client.

     

    Is there a firewall that is blocking packets that do not have the appropriate source address (i.e. an LTM address)?

     

    Maybe you need a packet capture to see where the packets are going once they leave the LTM.

     

  • I'm not sure about UDP.

     

    but Can logstash server have F5 as default gateway? So you don't need to enable snat automap.