Forum Discussion
NimbostratusVIP Issue
Hi Experts,
We have a VIP with pool members doing asymmetric routing causing the reply packet to bypass F5 and goin directly to upstream router. For this reason, url mapped to the VIP is not working.
I know we can make this work with snat on the VIP forcing reply pkt from pool members. But using snat hides source IP but we want to see the actual source IP.
how can this be done?
thanks - genseek
3 Replies
- Kevin_Stewart
Employee
For this reason, url mapped to the VIP is not working.
Is it that requests aren't going to the VIP, or that you're not seeing the reply? I'm assuming the latter. Do you have a specific need for asymmetric routing? Otherwise, you could simply make the BIG-IP's internal self-IP address the default gateway for the back end servers, or depending on protocol, inject the client's true source into the ingress packets or headers.
robert_merkel_7You could enable SNAT, and then use an HTTP profile with "Insert X-Forwarded-For" enabled. This will send the client side IP address info in the HTTP header, but would require an XFF aware application.- Kevin_Stewart
We are not doing asymmetric routing using snat. What i meant was asymmetric routing is causing reply pkt to bypass f5.
Ah, I see. So if understand correctly, asymmetric routing is not your intention, but because the server can route directly back to the client, the replies are bypassing the F5. You have a few options:
-
Make the servers use the F5 as their default gateway.
-
Apply SNAT and inject the client's source into the payload or header.
If this is HTTPS traffic, you'll need to offload the SSL at the F5 to be able to insert an HTTP header. You can optionally re-encrypt but it isn't expressly required. You can apply an HTTP profile with the XFF option enabled, or you can do the same in an iRule.
-
