Forum Discussion

1qaz
Jun 05, 2020

A problem about getting the source address through X-Forwarded-For

I have a question. My VS is using SNAT, with X-Forwarded-For enabled in the HTTP profile, but I see that some source addresses are not obtained. I also noticed that all the lost source addresses are okhttp. Why?

Thanks for any help!


11 Replies

  • OkHttp is an HTTP client that's efficient by default: ... If your service has multiple IP addresses OkHttp will attempt alternate addresses if the first connect fails.

    Could you please share what kind of VS config is there?

    Please run this command:

    list ltm virtual <name-of-VS> details

    • 1qaz

      Thanks, Sachin-Garg.

      list ltm virtual VS_CRM_NLFK_9080
      ltm virtual VS_CRM_NLFK_9080 {
          destination 134.175.22.206:glrpc
          ip-protocol tcp
          mask 255.255.255.255
          pool Pool_CRM_NLFK_9080
          profiles {
              http_yuanIP { }
              tcp { }
          }
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          vs-index 131
      }

    1. You said you are using SNAT, but I can see it is Automap (which will use the self IP of your internal interface to source NAT the source IP address). You can also use any static IP instead of Automap in case you want that IP to be used for SNAT purposes. Just in case, but this one is also OK if it is not causing any issue.
    2. Can you please share the details of your HTTP profile by running the following command in tmsh mode:

       list ltm profile http http_yuanIP details

    3. For checking the connection details on your VIP:

       show sys connection | grep 134.175.22.206

    Best Regards

    Sachin Garg

    • 1qaz

      Thanks. I noticed that only okhttp has no source address, but okhttp does not always appear.

      list ltm profile http http_yuanIP
      ltm profile http http_yuanIP {
          app-service none
          defaults-from http
          insert-xforwarded-for enabled

      show sys connection | grep 134.175.22.206
      106.19.5.121:50700   134.175.22.206:9091  106.19.5.121:50700   134.176.1.228:9091  tcp  63  (tmm: 3) none
      106.16.132.94:41796  134.175.22.206:9091  106.16.132.94:41796  134.176.1.228:9091  tcp  38  (tmm: 3) none
      106.18.147.4:12642   134.175.22.206:9080  134.176.1.196:16260  134.176.1.225:9090  tcp  58  (tmm: 2) none
      106.17.200.187:30317  134.175.22.206:9080  134.176.1.196:49075  134.176.1.226:9090   tcp  64  (tmm: 1) none
      223.150.23.248:15461  134.175.22.206:9080  134.176.1.196:58407  134.176.1.226:9090   tcp  92  (tmm: 1) none
      106.19.3.31:15369   134.175.22.206:9080  134.176.1.196:35483  134.176.1.226:9090   tcp  137  (tmm: 1) none
      220.202.118.3:21709  134.175.22.206:9080  134.176.1.196:60991  134.176.1.225:9090   tcp  250  (tmm: 1) none
      106.16.162.55:51031  134.175.22.206:9091  106.16.162.55:51031  134.176.1.227:9091   tcp 31  (tmm: 0) none
      106.16.156.197:62938  134.175.22.206:9080  134.176.1.196:54220  134.176.1.225:9090  tcp  35  (tmm: 2) none
      58.45.29.238:26466   134.175.22.206:9080  134.176.1.196:24216  134.176.1.226:9090  tcp  284  (tmm: 2) none
      106.16.150.173:43584  134.175.22.206:9091  106.16.150.173:43584  134.176.1.227:9091   tcp  11  (tmm: 3) none
      106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091   tcp  48  (tmm: 3) none
      223.152.95.189:37259  134.175.22.206:9080  134.176.1.196:29241  134.176.1.225:9090   tcp  67  (tmm: 3) none
      118.251.19.94:49046  134.175.22.206:9091  118.251.19.94:49046  134.176.1.227:9091  tcp  55  (tmm: 1) none

  • As you can see:

    1st column = real source IP:port
    2nd column = VIP:port
    3rd column = SNAT source IP:port, using the self IP of the internal interface
    4th column = pool member:port

    Here I can see that for your other VIP, 134.175.22.206:9091, the client's original address is visible to the backend pool member; the 1st column is the same as the 3rd column:

    106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091   tcp  48  (tmm: 3) none

    But for the other VIP, 134.175.22.206:9080, the 1st-column IP is replaced in the 3rd column with your F5 self IP of the internal interface (the SNAT IP), 134.176.1.196:

    223.152.95.189:37259  134.175.22.206:9080  134.176.1.196:29241  134.176.1.225:9090   tcp  67  (tmm: 3) none

    Can you please compare the two VIPs' configs and share them?

    VIP 134.175.22.206:9091 - client IP address is visible to the pool member
    VIP 134.175.22.206:9080 - client IP address is NOT visible to the pool member
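The column-1-versus-column-3 comparison the reply walks through by hand can be automated over the full `show sys connection` output. The following is an added example, not code from the thread or from F5: it groups the sample rows posted above by VIP and reports, per VIP, how many connections the pool member sees with the real client address and how many arrive from a SNAT address (in which case the member can only learn the client from what the HTTP profile inserts). The parser is hypothetical and assumes the IPv4 `ip:port` column layout shown in the thread.

```python
"""Classify BIG-IP `show sys connection` rows by whether SNAT hides the client.

Added example; not from the thread or from F5. Columns follow the reply above:
client -> virtual server -> source seen by the member -> pool member.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: a subset of the rows posted in the thread.
SAMPLE = """\
106.19.5.121:50700   134.175.22.206:9091  106.19.5.121:50700   134.176.1.228:9091  tcp  63  (tmm: 3) none
106.18.147.4:12642   134.175.22.206:9080  134.176.1.196:16260  134.176.1.225:9090  tcp  58  (tmm: 2) none
223.150.23.248:15461  134.175.22.206:9080  134.176.1.196:58407  134.176.1.226:9090   tcp  92  (tmm: 1) none
106.16.162.55:51031  134.175.22.206:9091  106.16.162.55:51031  134.176.1.227:9091   tcp 31  (tmm: 0) none
106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091   tcp  48  (tmm: 3) none
"""


@dataclass(frozen=True)
class Conn:
    client: str    # column 1: real client source ip:port
    vip: str       # column 2: virtual server ip:port
    snat_src: str  # column 3: source address the pool member actually sees
    member: str    # column 4: pool member ip:port
    proto: str     # column 5: protocol

    @property
    def snat_ip(self) -> str:
        # Hypothetical helper: IPv4 "ip:port" only, as in the posted output.
        return self.snat_src.rsplit(":", 1)[0]

    @property
    def client_visible_to_member(self) -> bool:
        # Same address in columns 1 and 3 means no SNAT was applied, so the
        # member can log the peer directly. Otherwise the member only sees
        # the SNAT address and must rely on X-Forwarded-For.
        return self.client == self.snat_src


def parse_connections(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or truncated line
        conns.append(Conn(*parts[:5]))
    return conns


def snat_by_vip(conns: List[Conn]) -> Dict[str, dict]:
    """Per VIP: count SNAT'd vs direct connections and collect SNAT IPs used."""
    report = defaultdict(lambda: {"snat": 0, "direct": 0, "snat_ips": set()})
    for c in conns:
        entry = report[c.vip]
        if c.client_visible_to_member:
            entry["direct"] += 1
        else:
            entry["snat"] += 1
            entry["snat_ips"].add(c.snat_ip)
    return dict(report)


if __name__ == "__main__":
    for vip, entry in sorted(snat_by_vip(parse_connections(SAMPLE)).items()):
        print(vip, entry)
```

Run against the rows above, the 9091 VIP shows only direct connections and the 9080 VIP only SNAT'd ones from 134.176.1.196, which is the split the reply identifies.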

  • Here I can see that for your other VIP, 134.175.22.206:9091, the client's original address is visible to the backend pool member; the 1st column is the same as the 3rd column:

    106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091   tcp  48  (tmm: 3) none

    In that case your pool member 134.176.1.227:9091 will respond directly to the client IP 106.19.21.235:56092, bypassing the F5 load balancer. Are you seeing any asymmetric routing issue on this VIP?

    • 1qaz

      Thanks,

      VIP 134.175.22.206:9091 doesn't use SNAT, no automap.

  • So, do you feel your issue is resolved/explained, or would you like me to look into anything further? Kindly let me know.

    • 1qaz

      Thank you very much for your help. My colleague suggested that I cancel the SNAT on VS 134.175.22.206:9080 to solve this problem, and I am considering accepting his suggestion.

    • 1qaz

      Thanks, Sachin-Garg. I decided to cancel SNAT to get the source address, because SNAT is not necessary. Thank you for your help, thanks again!
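The thread ends with SNAT removed, so the pool member now sees the client address as its TCP peer. Had SNAT been kept on the 9080 VS instead, the member would have to recover the client from X-Forwarded-For, and that header is writable by the client, so only the hop appended by a known proxy may be believed. The following is an added example of that backend logic, not code from the thread, from F5 or from OkHttp. It assumes the BIG-IP self IP 134.176.1.196 seen in column 3 of the connection table is the only trusted proxy, and that the web framework hands over any repeated X-Forwarded-For headers joined with commas in arrival order. It also covers the no-SNAT case the poster chose, where the peer is the client and the header must be ignored.

```python
"""Derive the client address at a pool member behind a SNAT'ing BIG-IP.

Added example; not from the thread, F5 or OkHttp. Assumed: the BIG-IP SNATs
to 134.176.1.196 and has `insert-xforwarded-for enabled`. X-Forwarded-For is
client-controlled, so only the hop appended by a trusted proxy is believed.
"""
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption (from column 3 of the posted connection table): the only proxy
# whose X-Forwarded-For entries we trust is the BIG-IP's SNAT/self IP.
TRUSTED_PROXIES = {ipaddress.ip_address("134.176.1.196")}


def _parse_ip(text: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Return the address to log, rate-limit or authorise as 'the client'.

    peer_addr: the TCP peer the member actually accepted (tmsh column 3).
    xff:       raw X-Forwarded-For value, or None if the header is absent.

    Walks the chain right to left, skipping trusted proxies; the first
    untrusted address is the client. Anything further left was written by
    an untrusted party and is never used.
    """
    peer = _parse_ip(peer_addr)
    if peer is None:
        raise ValueError(f"bad peer address {peer_addr!r}")
    if peer not in TRUSTED_PROXIES:
        # No-SNAT case: the peer is the client. Whatever X-Forwarded-For the
        # client sent is attacker-controlled, so ignore it entirely.
        return str(peer)
    hops = [h for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: stop trusting anything to its left
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    # SNAT'd connection with no usable header: the HTTP profile did not
    # insert one, so the client is genuinely unknown. Report the proxy
    # rather than guessing, so the gap shows up in logs.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: SNAT'd with a clean header, SNAT'd with a
    # client-forged prefix, direct (no SNAT), and SNAT'd with no header.
    print(client_ip("134.176.1.196", "223.152.95.189"))
    print(client_ip("134.176.1.196", "1.2.3.4, 223.152.95.189"))
    print(client_ip("106.19.21.235", "1.2.3.4"))
    print(client_ip("134.176.1.196", None))
```

The forged-prefix case is the one that matters: a client that sends its own `X-Forwarded-For: 1.2.3.4` still ends up attributed to the address the BIG-IP appended, because the walk stops at the first untrusted hop from the right instead of taking the leftmost entry.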