Forum Discussion
TCP Traffic Path Diagram
Hi all,
It's bugged me ever since I looked at the ADF exam blueprint that there still wasn't a definitive document or diagram available that described or showed the TCP Traffic Path and Order of Operations of a packet passing through an F5. I'm aware of the BigIP Path Graph v1.7 from Red Education but that's five years old and hasn't been subject to any review. To that end I've recently started my own as you can see below.
Comments and more importantly corrections or queries are encouraged. Note as it stands I've not added many iRule events as I'd like to get the flow and order sorted first. I'm pretty sure what I've done is mostly correct but I'd love some review before I continue and finish off the server side operations. Many thanks in advance. You may need to right-click, open image/in new tab to see it full size.
New version - December 2015:
49 Replies
- marta_atance_11
Nimbostratus
Hi, this is a great and very complete diagram. But I have a doubt: when a packet is processed, it is first checked whether an existing connection exists in the Connection table, isn't it? And it would be great if you could add the Self IPs also to your diagram, and at the end of it that would be the DROP.
- What_Lies_Bene1
Cirrostratus
Thanks @Marta. I've shown the connection table check (for non-SYN packets). Unless a connection has shut down uncleanly I believe this is the expected behaviour. Note this is for a standard VS. I'm not entirely clear where SNAT/NAT is concerned, I'll look it up and get back to you. I'm not clear where you'd like me to add the Self IPs - could you elaborate please?
- marta_atance_11
Nimbostratus
Hi, thank you for replying :) When a packet is processed on the BIG-IP, the sequence is:
1) Check connections in Connection Table
2) Packet Filter
3) Virtual server (following order on SOL14800) -> If VS with SNAT (process stops here). Otherwise it goes to Global SNAT.
4) SNAT
5) NAT
6) SELFIP
7) DROP
So, in your diagram the "packet filter" is processed ahead of the "Connection table" (which will only happen with AFM in Firewall mode)... Maybe that's what you want to show with your diagram.. Is it?
- What_Lies_Bene1
Cirrostratus
Hey Marta. My understanding is that the packet filtering comes first. It's not an F5 document but see here: https://devcentral.f5.com/d/big-ip-v9-flow-path. However, I have seen documentation (not official) stating it's the way round that you suggest. Not sure how to confirm? I think this confusion is due to the 'Filter established connections' option for a packet filter. I shall investigate further. OK, this seems to confirm what you have asserted Marta: https://support.f5.com/kb/en-us/solutions/public/12000/800/sol12831.html. I'll update the diagram shortly. DONE. Let me know if I've missed anything else?
- andrew_C1
Nimbostratus
@Aurel, F5 is a stateful default-deny box; you have an entry in the conn table for every flow (pair). If you want to use your F5 like a router then you have to make your device as close to a router as possible. Routers don't act on flows, they just do destination lookups. Now back to the default-deny bit: if you don't have a flow and you're not a SYN frame then by default you're in the bit bucket. To get around this there is the "loose initiation", which, quoting F5: "The Loose Initiation option allows the BIG-IP to initialize a connection when any TCP packet is received, rather than requiring a SYN packet for connection initiation." As far as I know, from a conn table perspective there is no discrimination between a forward or a standard etc. VIP; they are all just mappings of translations (inside local, inside global, outside local, outside global).
- What_Lies_Bene1
Cirrostratus
@Aurel, you should be able to see the new version (the second diagram). Note this diagram relates to a standard VS (mainly). The flow/logical steps would be slightly different for a forwarding VS. As @Andrew has already noted, if there's no connection table entry and Loose Initiation isn't enabled on a FastL4/Performance, the packet gets dropped. If you're talking about a Forwarding (IP) VS then I'd imagine there is no connection table lookup. I'll double-check and confirm.
- jsprattler
Nimbostratus
Awesome, thank you for putting in the time on this!
Excellent diagram!! Just an extra kicker here: Jason Rahm (F5 solution architect) has a video on their Whiteboard Wednesday show. Here's the link. He covers this in "Life of a Packet": https://www.youtube.com/watch?v=bYfcNIndSPQ
- What_Lies_Bene1
Cirrostratus
Thanks, I'll check it out. Cheers
- tatmotiv
Cirrostratus
Wow, great. Two remarks though:
- Actually, I think in order to be 100% precise at the point where the matching VS is selected, you ought to move the "source permitted" question into the blue box that depicts the selection of the VS, right?
- Receiving non-SYN packets for a connection which is not included in the connection table does not necessarily lead to the packet being dropped. There might be a fastL4 or TCP profile with loose initiation in place. But I also understand that reflecting all such possibilities in one diagram might be impossible...
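The processing sequence listed in marta_atance_11's reply (connection table, packet filter, virtual server with most-specific match, SNAT, NAT, self IP, drop), the "source permitted" check belonging to VS selection, and the loose-initiation exception for non-SYN packets can be traced with a small model. The Python below is an added illustration for this thread, not F5 code and not the diagram's author's work: the object names and addresses are constructed, the tie-break it uses for "most specific match" is a simplifying assumption rather than a reproduction of SOL14800, and it applies the thread's SNAT-then-NAT order literally without settling the precedence question raised later in the thread.

```python
"""Toy model of the BIG-IP ingress order of operations discussed in this thread.

Illustrative only, not F5 code. The lookup sequence is the one listed in the
thread; the "most specific match" tie-break and the way NAT is matched are
simplifying assumptions of this model.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool     # True for a TCP SYN (new flow); False for any other segment


@dataclass
class VirtualServer:
    name: str
    destination: str           # CIDR; /32 is a host virtual, shorter is a network virtual
    port: int = 0              # 0 means any port
    proto: str = "any"         # "tcp", "udp" or "any"
    source: str = "0.0.0.0/0"  # source address filter (the "source permitted" check)
    loose_init: bool = False   # FastL4 loose initiation: accept a non-SYN as a new flow


def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _specificity(vs: VirtualServer) -> tuple:
    # Assumed tie-break: longest destination prefix, then longest source prefix,
    # then a specific port, then a specific protocol. The highest tuple wins.
    return (ipaddress.ip_network(vs.destination, strict=False).prefixlen,
            ipaddress.ip_network(vs.source, strict=False).prefixlen,
            1 if vs.port else 0,
            1 if vs.proto != "any" else 0)


@dataclass
class BigIP:
    virtuals: list
    snats: list        # (name, originating source CIDR)
    nats: list         # (name, originating address CIDR); matched on source here
    self_ips: set      # addresses the box itself owns
    packet_filter_deny: list = field(default_factory=list)  # denied source CIDRs
    conn_table: dict = field(default_factory=dict)          # 5-tuple -> owning object

    def match_virtual(self, p: Packet):
        candidates = [vs for vs in self.virtuals
                      if _in(p.dst, vs.destination)
                      and vs.port in (0, p.dport)
                      and vs.proto in ("any", p.proto)
                      and _in(p.src, vs.source)]
        return max(candidates, key=_specificity) if candidates else None

    def process(self, p: Packet) -> list:
        """Return the trail of decisions; the last entry is the outcome."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        trail = []
        # 1) An existing flow short-circuits every later lookup.
        if key in self.conn_table:
            return trail + [f"conn-table hit: {self.conn_table[key]}"]
        trail.append("conn-table miss")
        # 2) Packet filter, reached only by packets with no flow entry.
        if any(_in(p.src, c) for c in self.packet_filter_deny):
            return trail + ["packet-filter DENY"]
        trail.append("packet-filter accept")
        # 3) Virtual server; the most specific candidate wins.
        vs = self.match_virtual(p)
        if vs is not None:
            if p.proto == "tcp" and not p.syn and not vs.loose_init:
                return trail + [f"vs {vs.name}: non-SYN without flow -> DROP"]
            self.conn_table[key] = f"vs {vs.name}"
            return trail + [f"vs {vs.name} (flow added)"]
        trail.append("no vs match")
        # 4) SNAT, 5) NAT, 6) self IP, 7) drop, in the order the thread lists.
        for name, cidr in self.snats:
            if _in(p.src, cidr):
                self.conn_table[key] = f"snat {name}"
                return trail + [f"snat {name}"]
        for name, cidr in self.nats:
            if _in(p.src, cidr):
                self.conn_table[key] = f"nat {name}"
                return trail + [f"nat {name}"]
        if p.dst in self.self_ips:
            return trail + ["self-ip (local delivery)"]
        return trail + ["DROP (nothing matched)"]


def demo_bigip() -> BigIP:
    """Constructed sample configuration (documentation address ranges only)."""
    return BigIP(
        virtuals=[
            VirtualServer("vs_net", "192.0.2.0/28"),
            VirtualServer("vs_web", "192.0.2.10/32", port=443, proto="tcp"),
            VirtualServer("vs_fwd_loose", "198.51.100.0/24", loose_init=True),
        ],
        snats=[("snat_internal", "10.1.0.0/16")],
        nats=[("nat_host", "10.0.0.1/32")],
        self_ips={"192.0.2.254"},
        packet_filter_deny=["203.0.113.0/24"],
    )
```

Running `demo_bigip().process(Packet("tcp", "10.1.1.1", 40001, "192.0.2.10", 443, False))` shows the default-deny path for a non-SYN segment with no flow entry, while the same packet aimed at the `vs_fwd_loose` range is accepted because loose initiation is set on that virtual; a second packet with the same 5-tuple after a SYN is answered from the connection table without any of the later lookups.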
- KarimBenyelloul
Cirrostratus
Hello Steven
First of all many thanks for this diagram which helps me a lot.
I just want to ensure that I got it right, in the new version diagram:
After the CLIENT_ACCEPTED iRule event and if there's no virtual server matching, we should also have the "Most specific match enabled on ingress" vertical box between the SNAT box and the NAT box, right?
I mean if we only have two objects configured on the BIG-IP:
One SNAT that listens for traffic coming from 10.0.0.0/8
One NAT that listens for traffic coming from 10.0.0.1/32
If the client 10.0.0.1 comes, then the NAT will precede the SNAT, right?
Regards,
Karim
- Luis_Araujo_560
Nimbostratus
It's great! Well done.
- slesh_219299
Cirrus
Hi all, the diagram is great, but can someone tell me, when traffic is going to VIP 443 with SSL offload and an iRule... 1) it will hit the VIP, then 2) will the cert go first or the iRule?
You mean whether it will hit the iRule before or after the SSL offloading? It doesn't work like that; there will be EVENTs within the iRule hit before the SSL offloading, i.e. TCP events, and ones after, like HTTP events.
- slesh_219299
Cirrus
Yes, I mean that. I wanted to know, for example, when traffic comes to the VIP it will process all things, and what is first, what is second: will it go for the cert first and the iRule later, or ...
Like I said: it doesn't work like that; there will be iRule EVENTs within the iRule hit before the SSL offloading, i.e. TCP events, and ones after, like HTTP events.
The image at the start of this question details exactly which iRule EVENTs happen when.
- Darrell_Paul_22
Nimbostratus
Has anyone seen this Diagram for 13 code yet?
Do you have a reason to assume it isn't valid for version 13.x? In principle not much changes; if you have some specific point please mention it.
- Darrell_Paul_22
Nimbostratus
Engineers looking at our issue have been leaning towards new security features in the 13 code that may be triggered along the path, e.g. you have the DDoS notes along this flow. I 'assume' there are newer things in the flow that the F5 Engineers were referring to.