Forum Discussion
What_Lies_Bene1
Cirrostratus
CirrostratusTCP Traffic Path Diagram
Hi all,
It's bugged me ever since I looked at the ADF exam blueprint that there still wasn't a definitive document or diagram available that described or showed the TCP Traffic Path and Order of Operations of a packet passing through an F5. I'm aware of the BigIP Path Graph v1.7 from Red Education but that's five years old and hasn't been subject to any review. To that end I've recently started my own as you can see below.
Comments and more importantly corrections or queries are encouraged. Note as it stands I've not added many iRule events as I'd like to get the flow and order sorted first. I'm pretty sure what I've done is mostly correct but I'd love some review before I continue and finish off the server side operations. Many thanks in advance. You may need to right-click, open image/in new tab to see it full size.
New version - December 2015:
Carlande_DesarmNimbostratus
Hello all,
-
anyone has a comment when it comes to NFVS vs VS? what is the precedence order for VS, NAT, SNAT, NFVS please?
-
also, somewhere in the documentations it is said that SNAT is preferred over NAT and somewhere else it mentions reversely that NAT is preferred over SNAT... like in this article: https://support.f5.com/csp/article/K9038
Please help clarifying the correct statement for these 2 points. Thanks.
-
M_2Altocumulus
Helpfull :)
KarimHello,
I just wanted to say that the FLOW_INIT is triggered after packet filter. It was well represented in version 0.1 however in version 0.5 the "Packet filter on VLAN" was moved down below "AFM/TMM Processing begins" .
Could you please explain why you made such a modification ?
boneyardMVP
ah now i see it, i didn't notice the two pictures. well we touched the question a few times, perhaps Steven will pop up and explain :)
- Karim
boneyard, We are saying the same thing: If the packet filter blocks the packet we'll not get the flow init event.
However, the diagram v0.5, the flow_init box is represented before the packet filter box. Which seems to say that whether we're blocked or not by packet filter we always get the flow init event (which I think is incorrect)
You can see that in v0.1 of the diagram, the flow_init box was set after the packet filter box, which make more sens for me.
Thanks,
- boneyard
are you really sure Karim? logically i would say that FLOW_INIT doesnt trigger if a packet filter already has blocked the connection to start with.
this is where What Lies Beneath determined the situation i believe: https://devcentral.f5.com/questions/the-flow_init-event-and-event-order
if i test this and block traffic with a packet filter i don't get a FLOW_INIT event, if i remove the packet filter i get it, tells me the diagram is ok.
Karim_Benyello1Cirrus
Hello,
I just wanted to say that the FLOW_INIT is triggered after packet filter. It was well represented in version 0.1 however in version 0.5 the "Packet filter on VLAN" was moved down below "AFM/TMM Processing begins" .
Could you please explain why you made such a modification ?
- boneyard
ah now i see it, i didn't notice the two pictures. well we touched the question a few times, perhaps Steven will pop up and explain :)
- Karim_Benyello1
boneyard, We are saying the same thing: If the packet filter blocks the packet we'll not get the flow init event.
However, the diagram v0.5, the flow_init box is represented before the packet filter box. Which seems to say that whether we're blocked or not by packet filter we always get the flow init event (which I think is incorrect)
You can see that in v0.1 of the diagram, the flow_init box was set after the packet filter box, which make more sens for me.
Thanks,
- boneyard
are you really sure Karim? logically i would say that FLOW_INIT doesnt trigger if a packet filter already has blocked the connection to start with.
this is where What Lies Beneath determined the situation i believe: https://devcentral.f5.com/questions/the-flow_init-event-and-event-order
if i test this and block traffic with a packet filter i don't get a FLOW_INIT event, if i remove the packet filter i get it, tells me the diagram is ok.
Darrell_Paul_22Has anyone seen this Diagram for 13 code yet?
- Darrell_Paul_22
Engineers looking at our issue have been leaning towards new security features in the 13 code that may be triggered along the path across the path. e.g. you have the ddos notes along this flow. I 'assume' there are newer things in the flow that the F5 Engineers were referring to.
- boneyard
do you have a reason to assume it isn't valid for version 13.x? in principle not much changes, if you have some specific point please mention it.
slesh_219299Hi all Diagram is great , but can someone tell me when traffic is going to vip 443 with SSL offload and irule ... 1 it will hit vip than 2 cert will go first or irule ?
- boneyard
like i said: it doesn't work like that, there will be iRule EVENTs within the iRule hit before the SSL offloading, i.e. TCP events and ones after, like HTTP events.
the image at the start of this question does exaxtly details which iRule EVENTs happen when.
- slesh_219299
yes i mean that . i wanted to know for example like traffic will come to vip it will process all things and what is first what is second will it go for cert first and irule later or ...
- boneyard
you mean if it will hit the irule before or after the SSL offloading? it doesn't work like that, there will be EVENTs within the irule hit before the SSL offloading, i.e. TCP events and ones after, like HTTP events.
Luis_Araujo_560ItĀ“s greate! Well done.
- Karim
Hello Steven
First of all many thanks for this diagram which helps me a lot.
I just want to unsure that I got it right, in the new version diagram :
After the CLIENT_ACCEPTED Irule event and if there's no virtual server matching, we should also have the "Most specific match enabled on ingress" vertical box between the SNAT box and the NAT box, right?
I mean if we only have two object configured on the bigip :
One SNAT that listents for traffics comming from 10.0.0.0/8
One NAT that listents for traffics comming from 10.0.0.1/32
if the client 10.0.0.1 comes, then the NAT will precede the SNAT, right ?
Regards,
Karim
- tatmotiv
Wow great. Two remarks though:
-
Actually, I think in order to be 100% precise at the point where the matching VS is selected, you ought to move the "source permitted" question into the blue box that depicts the selection of the VS, right?
-
Receiving non-SYN packets for a connection which is not included in the connection table does not necessarily lead to the packet being dropped. There might be a fastL4 or TCP profile with loose initiation in place. But I also understand that reflecting all such possibilities in one diagram might be impossible...
-
- xXhd1912Xx_1953
Excellent Diagram!! Just an extra kicker here, Jason Rahm(F5 solution architect) has a video on their Whiteboard Wednesday show. Heres the link. He covers this in "Life of a Packet" https://www.youtube.com/watch?v=bYfcNIndSPQ
What_Lies_Bene1Thanks, I'll check it out. Cheers