Forum Discussion
SNAT POOL AUTOMAP ISSUE
Hi: Here is the topology:
Client-192.168.81.61--------F5-130.97.120.19---------------Server-130.97.121.131
The client (192.168.81.61) wants to connect to the server (130.97.121.131) via the virtual IP 192.168.120.131:9000. For this purpose, I configured a standard VS on the LTM using the virtual IP 192.168.120.131:9000. If I choose AUTOMAP as my SNAT pool, the connection is fine, but the source IP is translated to 130.97.120.19, and I really don't want that to happen. If I set SNAT pool to NONE, the source IP remains 192.168.81.61, but the TCP connection fails... In order to find out what's going on, I did some captures on both the client and the server.
On the client, I can see these packets:
192.168.81.61----SYN---->192.168.120.131
192.168.120.131---SYN ACK---->192.168.81.61
192.168.81.61---ACK--->192.168.120.131
On the server, I can only see these packets:
192.168.81.61---SYN--->130.97.121.131
130.97.121.131---SYN ACK--->192.168.81.61
Apparently, the ACK from the F5 to the server is missing; I don't know why the F5 wouldn't send the ACK. But when I use AUTOMAP for the SNAT pool, the F5 does send the ACK, which is why the connection succeeds.
Has anybody met this issue before? I appreciate your help.
- nitass_89166 (Noctilucent)
What is the default gateway of the server? Is it the F5?
- nick871230_1404 (Nimbostratus)
No, it's not. It's a router actually, then the router connects to the F5.
- nick871230_1404 (Nimbostratus)
PS. The version of my F5 is BIG-IP 10.2.4 Build 817.0 Hotfix HF7.
- nitass (Employee)
No, it's not. It's a router actually, then the router connects to the F5.
The return traffic must go through the F5. If I am not wrong, the article below explains what you are experiencing.
Quick Start: Application Delivery Fundamentals by Josh Michaels
Hope this helps.
- Narendren_S (Nimbostratus)
Hi Nick, I understand it is a single-arm LB setup where your backend servers are not behind the LB.
In this setup, you should enable SNAT to achieve the symmetric traffic flow shown below.
Assuming the server's gateway is your L3 device which has the internet connection:
Forward path: End client --> Internet --> L3 device --> Load balancer --> L3 device --> Backend server
Reverse path: Backend server --> L3 device --> Load balancer --> L3 device --> Internet --> End client
If SNAT is not enabled, the traffic flow will be asymmetric as shown below:
Forward path: End client --> Internet --> L3 device --> Load balancer --> L3 device --> Backend server
Reverse path: Backend server --> L3 device --> Internet --> End client
The traffic flow should be symmetric so that the traffic is completely controlled and processed by the load balancer and firewall.
So, in the single-arm setup (if the server gateway is not the LB), please enable SNAT (Auto-map).
It will solve your issues.
Function of SNAT
If SNAT is enabled at the LB, at the TCP/HTTP header the source IP of client requests gets changed to the interface IP of the load balancer on which the backend servers are routed (obviously only one production NIC in a single-arm setup).
Since the source IP of the LB-to-backend-server traffic will be the load balancer's interface IP, the response traffic from the server will get back to the load balancer. The load balancer will then process the traffic and respond back to the end client.
If SNAT is not enabled, processing of the response traffic at the LB will not happen, hence the connection failure.
If there is a firewall as your WAN L3 device, it will also drop asymmetric connections, since its default behavior is to drop asymmetric connections.
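As an added illustration (not part of the thread), here is a small Python model of the F5's server-side handshake in this single-arm topology. It uses the addresses from the question and assumes the server's router reaches the client subnet 192.168.81.0/24 directly, so a packet only transits the F5 when the F5 self IP is the destination:

```python
import ipaddress

# Constructed topology from the thread: client, F5 self IP, server, and a
# router that is the server's default gateway (not the F5).
CLIENT = "192.168.81.61"
F5_SELF_IP = "130.97.120.19"      # what SNAT automap translates the source to
SERVER = "130.97.121.131"
CLIENT_NET = ipaddress.ip_network("192.168.81.0/24")  # assumed client subnet


def router_next_hop(dst: str) -> str:
    """Assumed router behaviour: the F5 self IP is a known host, the client
    subnet is reached via another interface, so traffic to the client never
    transits the F5 unless the F5 itself is the destination."""
    ip = ipaddress.ip_address(dst)
    if dst == F5_SELF_IP:
        return "f5"
    if ip in CLIENT_NET:
        return "client"
    return "drop"


def server_side_handshake(snat_automap: bool) -> dict:
    """Simulate the server-side TCP handshake of a standard (full-proxy) VS.
    The client-side handshake to the VIP already completed, so the F5 opens
    its own connection to the pool member. Returns the SYN source, the path
    the SYN-ACK takes, and whether the F5 ever gets to send the final ACK."""
    syn_src = F5_SELF_IP if snat_automap else CLIENT
    # The server answers to whatever source address the SYN carried.
    hop = router_next_hop(syn_src)
    return {
        "syn_src": syn_src,
        "synack_path": ["server", "router", hop],
        # The F5 can only complete the handshake if it sees the SYN-ACK.
        "f5_sends_ack": hop == "f5",
        # Without SNAT the client receives a SYN-ACK for a connection it never
        # opened (its connection is to the VIP), so the handshake stalls.
        "client_gets_stray_synack": hop == "client",
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("SNAT automap" if mode else "SNAT none", server_side_handshake(mode))
```

Running it reproduces the captures in the question: with SNAT automap the SYN-ACK returns to the F5 and the ACK follows; with SNAT none the SYN-ACK is routed straight to the client and the server never sees an ACK.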
- Narendren_S (Nimbostratus)
Additionally, if your server wants to get the end client IP details, you can use the X-Forwarded-For field in the HTTP header in your application.
In the LB HTTP profile, enable the X-Forwarded-For option, which will insert the client IP address in the X-Forwarded-For field of the HTTP header.
In your application server, code it to understand the X-Forwarded-For field in the HTTP header.
That's it.