F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Stefan_Klotz_85's avatar
Stefan_Klotz_85
Icon for Cirrus rankCirrus
Feb 17, 2016

SNAT will not be perform

It seems I have a strange issue at the moment. I've a HTTPS VS with SNAT automap enabled, but when I sniffer the traffic I always see the real client-IP as source on the serverside connection. I also...
application delivery
LTM
snat
Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Mar 09, 2016

Yes I can confirm traffic is hitting the correct VIP and also iRule with selective snat automap will be triggered correctly. This is what I see with tcpdump (10.10.10.10 is just a dummy to hide the real source-IP):

tcpdump -ni 0.0:nnnp host 10.10.10.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 96 bytes
17:46:55.901915 IP 10.10.10.10.27641 > 10.173.166.11.https: S 1976048938:1976048938(0) win 65535 
17:46:55.901979 IP 10.173.166.11.https > 10.10.10.10.27641: S 3089042794:3089042794(0) ack 1976048939 win 4380 
17:46:55.919357 IP 10.10.10.10.27641 > 10.173.166.11.https: . ack 1 win 12047 
17:46:55.959480 IP 10.10.10.10.27641 > 10.173.166.11.https: P 1:229(228) ack 1 win 12047 
17:46:55.959611 IP 10.173.166.11.https > 10.10.10.10.27641: P 1:111(110) ack 229 win 1095 
17:46:56.056289 IP 10.10.10.10.27641 > 10.173.166.11.https: . ack 111 win 12047 
17:46:56.056297 IP 10.173.166.11.https > 10.10.10.10.27641: P 111:212(101) ack 229 win 1152 
17:46:56.112440 IP 10.10.10.10.27641 > 10.173.166.11.https: P 229:336(107) ack 212 win 12047 
17:46:56.112472 IP 10.173.166.11.https > 10.10.10.10.27641: . ack 336 win 1178 
17:46:56.112588 IP 10.173.166.11.https > 10.10.10.10.27641: . ack 336 win 1178 
17:46:56.137599 IP 10.10.10.10.27641 > 10.173.166.11.https: P 336:725(389) ack 212 win 12047 
17:46:56.137634 IP 10.173.166.11.https > 10.10.10.10.27641: . ack 725 win 1276 
17:46:56.139502 IP 10.10.10.10.33855 > 10.174.102.12.us-cli: S 3119386950:3119386950(0) win 4380 
17:46:57.139571 IP 10.10.10.10.33855 > 10.174.102.12.us-cli: S 3119386950:3119386950(0) win 4380 
17:46:58.139227 IP 10.10.10.10.33855 > 10.174.102.12.us-cli: S 3119386950:3119386950(0) win 4380 
17:46:59.139457 IP 10.10.10.10.33855 > 10.174.102.12.us-cli: S 3119386950:3119386950(0) win 4380

As you can see the last four packets are unsuccessful SYN-requests, because the source-IP is still the same and response is not getting back to the LB. Any idea how I can further analyze this? I mean SERVER_CONNECTED event in an iRule will not be trigger, because the TCP-handshake is not successful.

Ciao Stefan 🙂