Forum Discussion

McClane_62901's avatar
Icon for Nimbostratus rankNimbostratus
Jul 13, 2009

ssh virtualserver

Hello...I've got a virtual server, x.x.x.42:22, which points to a pool,, using a "Standard" type, and all works well...except the sshd sees my connection as coming from the F5 ("last" shows F5 IP,, and not from the IP address I'm really coming from. How can I get the F5 to pass the source IP address along correctly to sshd, or any other service I have running?



Thanks in advance,


8 Replies

  • On the Virtual server x.x.x.42:22 do you have SNAT: Automap setting turned on?



  • That is the source of why you see the same source address. Setting SNAT Pool to AutoMap is going to change the source ip address of the egress interface of the F5, which is what is happening in your situation. Is there any reason why you need SNAT set to Auto map?



  • Either way...I've set "SNAP Pool" to "None", and to "Auto Map", and the outcome is the same. I'm still seeing the F5's IP, and not my IP when sshing through.



    Thanks for the help,
  • Nope, there are no iRules for this virtualserver. If it makes anything clearer....I have the same setup of virtualservers->pools for my webservers, and currently I need to rely on the X-FORWARDED-FOR header to get my webserver logs to be correct. Other services however don't have http headers....
  • As cmbhatt was suggesting, there are a few different places that SNAT can be enabled/disabled. You could have an iRule specifying SNAT; SNAT enabled on the virtual server, or a global SNAT. Finally, you can have SNAT enabled/disabled at the pool level. Having SNAT enabled on the pool alone won't trigger SNAT'ing to take place. It must be enabled in another place as well. But you can prevent SNAT from being using for traffic to a specific pool by disabling it on the pool.



    If you've already disabled the first two, and still see the source address as LTM, you can check under Local Traffic >> SNATs >> SNAT list for a globally applied SNAT.



    Assuming there is a global SNAT, you could either change it to not match this traffic or more ideally, disable SNAT on the SSH pool.



  • Ah....thanks a lot! I didn't check the global SNAT declarations, but I'm going to assume this is the case, as I "disallow SNAT"'d on the pool's advance options, and this seems to have done it! Thank you very much, both cmbhatt and hoolio!