For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

nishant_tor_183's avatar
nishant_tor_183
Icon for Nimbostratus rankNimbostratus
Jan 21, 2015

Hi Ed, I was reading through the email that PS tech sent to my architect and in that he made following statements why this will not work, maybe you can shed more light based on that -

 

In a one armed solution some type of SNATing is required for laod balancing to work - either explicit SNAT pools or through AutoMap. You are right that if we don't use any type of SNATing, then the source IP is going to be visible on the end server. But, again if we are using a one armed solution, SNATing is a pre-requisite.

 

If we are using load balancing even with no SNATing, the outside client will not see the IP address of the server, on the return path, the IP address is re-written to be that of the VIP.

 

If we don't SNAT, the IP address of the source is not lost to the server, however, the server address is re-written on the way back to the client.

 

Unless we have the networking architecture to support this scenario - 2 arm network with server's gateway address pointing to F5 floating address, this will not work and you will get TCP RSTs.