a problem about get source address through X-forward-for

1qaz · ‎04-Jun-2020

I have a question, my VS is useing snat, with X-forward-for in http_profile, but I see some source addresses are not obtained? I also noticed that all the lost source addresses are okhttp,why?

Thanks for any help!

Sachin-Garg · ‎04-Jun-2020

OkHttp is an HTTP client that's efficient by default: ... If your service has multiple IP addresses OkHttp will attempt alternate addresses if the first connect fails.

Could you please share what kind of VS config is there.

Please run this command

list ltm virtual <name-of-VS> details

1qaz · ‎04-Jun-2020

thanks to Sachin-Garg,

list ltm virtual VS_CRM_NLFK_9080

ltm virtual VS_CRM_NLFK_9080 {

destination 134.175.22.206:glrpc

ip-protocol tcp

mask 255.255.255.255

pool Pool_CRM_NLFK_9080

profiles {

http_yuanIP { }

tcp { }

}

source 0.0.0.0/0

source-address-translation {

type automap

}

vs-index 131

}

Sachin-Garg · ‎04-Jun-2020

You said , you are suing SNAT but i can see its Automap(which will use the self ip of your internal interface to source nat the source IP address), you can also use any static IP instead of Automap in case you want to use that IP to be used for SNAT Purpose. Just in case but this one also ok if it is not causing any issue,
Can you please share the details of your http profile by running following commands in tmsh mode
list ltm profile http http_yuanIP details
for checking the connection details on your VIP
show sys connection | grep 134.175.22.206

Best Regards

Sachin Garg

1qaz · ‎04-Jun-2020

thanks,I noticed that only okhttp has no source address, but okhttp does not always appear

list ltm profile http http_yuanIP

ltm profile http http_yuanIP {

app-service none

defaults-from http

insert-xforwarded-for enabled

show sys connection | grep 134.175.22.206

106.19.5.121:50700 134.175.22.206:9091 106.19.5.121:50700 134.176.1.228:9091 tcp 63 (tmm: 3) none

106.16.132.94:41796 134.175.22.206:9091 106.16.132.94:41796 134.176.1.228:9091 tcp 38 (tmm: 3) none

106.18.147.4:12642 134.175.22.206:9080 134.176.1.196:16260 134.176.1.225:9090 tcp 58 (tmm: 2) none

106.17.200.187:30317 134.175.22.206:9080 134.176.1.196:49075 134.176.1.226:9090 tcp 64 (tmm: 1) none

223.150.23.248:15461 134.175.22.206:9080 134.176.1.196:58407 134.176.1.226:9090 tcp 92 (tmm: 1) none

106.19.3.31:15369 134.175.22.206:9080 134.176.1.196:35483 134.176.1.226:9090 tcp 137 (tmm: 1) none

220.202.118.3:21709 134.175.22.206:9080 134.176.1.196:60991 134.176.1.225:9090 tcp 250 (tmm: 1) none

106.16.162.55:51031 134.175.22.206:9091 106.16.162.55:51031 134.176.1.227:9091 tcp 31 (tmm: 0) none

106.16.156.197:62938 134.175.22.206:9080 134.176.1.196:54220 134.176.1.225:9090 tcp 35 (tmm: 2) none

58.45.29.238:26466 134.175.22.206:9080 134.176.1.196:24216 134.176.1.226:9090 tcp 284 (tmm: 2) none

106.16.150.173:43584 134.175.22.206:9091 106.16.150.173:43584 134.176.1.227:9091 tcp 11 (tmm: 3) none

106.19.21.235:56092 134.175.22.206:9091 106.19.21.235:56092 134.176.1.227:9091 tcp 48 (tmm: 3) none

223.152.95.189:37259 134.175.22.206:9080 134.176.1.196:29241 134.176.1.225:9090 tcp 67 (tmm: 3) none

118.251.19.94:49046 134.175.22.206:9091 118.251.19.94:49046 134.176.1.227:9091 tcp 55 (tmm: 1) none

Sachin-Garg · ‎04-Jun-2020

As you can see the

1st Column = Real Source IP:port

2nd Column = VIP:port

3rd Column = SNAT Source IP:port using Self IP of Internal Interface

4th Column = Pool Member:port

Here I could see that your another VIP 134.175.22.206:9091 The client original address is visible to the backend pool member

1st column is same to 3rd column

106.19.21.235:56092 134.175.22.206:9091 106.19.21.235:56092 134.176.1.227:9091 tcp 48 (tmm: 3) none

But for the another VIP 134.175.22.206:9080 the 1st column IP is changing with your F5 Self IP of Internal Interface or SNAT IP 134.176.1.196 in the 3rd Column:

223.152.95.189:37259 134.175.22.206:9080 134.176.1.196:29241 134.176.1.225:9090 tcp 67 (tmm: 3) none

Can you please compare the 2 VIPs config and share:

VIP 134.175.22.206:9091 - Client IP address is visible to the pool member

VIP 134.175.22.206:9080 - Client IP address is NOT visible to the pool member

Sachin-Garg · ‎04-Jun-2020

Here I could see that your another VIP 134.175.22.206:9091 The client original address is visible to the backend pool member

1st column is same to 3rd column

106.19.21.235:56092 134.175.22.206:9091 106.19.21.235:56092 134.176.1.227:9091 tcp 48 (tmm: 3) none

In that case your pool member 134.176.1.227:9091 will response directly to the Client IP 106.19.21.235:56092 bypassing F5 load balancer , are you seeing any asymmetric routing issue on this VIPs

1qaz · ‎05-Jun-2020

thanks,

VIP 134.175.22.206:9091 don't use SNAT，no automap

Sachin-Garg · ‎05-Jun-2020

So do you feel your issue resolved/explained or would you like me to look into anything further. Kindly let me know.

1qaz · ‎05-Jun-2020

Thank you very much for your help, my colleague suggested that I cancel the snat on VS 134.175.22.206:9080 to solve this problem, and I am considering accepting his suggestion

Sachin-Garg · ‎05-Jun-2020

Can you please mark it as resolved if no further assistance needed.

1qaz · ‎05-Jun-2020

thanks to Sachin-Garg,I decided to cancel SNAT to get the source address because SNAT is not necessary, thank you for your help, thanks again!

DevCentral

a problem about get source address through X-forward-for

MFA required on DevCentral