
A problem about getting the source address through X-Forwarded-For

1qaz
Nimbostratus

I have a question: my VS is using SNAT, with X-Forwarded-For in http_profile, but I see some source addresses are not obtained. I also noticed that all the lost source addresses are okhttp. Why?

Thanks for any help!

 


Sachin-Garg
Altostratus

OkHttp is an HTTP client that's efficient by default: ... If your service has multiple IP addresses OkHttp will attempt alternate addresses if the first connect fails.

 

Could you please share what kind of VS config is there.

Please run this command

 

list ltm virtual <name-of-VS> details

Thanks to Sachin-Garg,

list ltm virtual VS_CRM_NLFK_9080 

ltm virtual VS_CRM_NLFK_9080 {
  destination 134.175.22.206:glrpc
  ip-protocol tcp
  mask 255.255.255.255
  pool Pool_CRM_NLFK_9080
  profiles {
    http_yuanIP { }
    tcp { }
  }
  source 0.0.0.0/0
  source-address-translation {
    type automap
  }
  vs-index 131
}

Sachin-Garg
Altostratus
You said you are using SNAT, but I can see it's Automap (which will use the self IP of your internal interface to source-NAT the source IP address). You can also use any static IP instead of Automap in case you want that IP to be used for SNAT purposes. Just in case, but this one is also OK if it is not causing any issue.

Can you please share the details of your http profile by running the following commands in tmsh mode:

list ltm profile http http_yuanIP details

For checking the connection details on your VIP:

show sys connection | grep 134.175.22.206

 

 

Best Regards

 

Sachin Garg

Thanks, I noticed that only okhttp has no source address, but okhttp does not always appear.

 

list ltm profile http http_yuanIP 

ltm profile http http_yuanIP {
  app-service none
  defaults-from http
  insert-xforwarded-for enabled

 

show sys connection | grep 134.175.22.206

106.19.5.121:50700  134.175.22.206:9091  106.19.5.121:50700  134.176.1.228:9091  tcp  63  (tmm: 3) none
106.16.132.94:41796  134.175.22.206:9091  106.16.132.94:41796  134.176.1.228:9091  tcp  38  (tmm: 3) none
106.18.147.4:12642  134.175.22.206:9080  134.176.1.196:16260  134.176.1.225:9090  tcp  58  (tmm: 2) none
106.17.200.187:30317  134.175.22.206:9080  134.176.1.196:49075  134.176.1.226:9090  tcp  64  (tmm: 1) none
223.150.23.248:15461  134.175.22.206:9080  134.176.1.196:58407  134.176.1.226:9090  tcp  92  (tmm: 1) none
106.19.3.31:15369  134.175.22.206:9080  134.176.1.196:35483  134.176.1.226:9090  tcp  137  (tmm: 1) none
220.202.118.3:21709  134.175.22.206:9080  134.176.1.196:60991  134.176.1.225:9090  tcp  250  (tmm: 1) none
106.16.162.55:51031  134.175.22.206:9091  106.16.162.55:51031  134.176.1.227:9091  tcp  31  (tmm: 0) none
106.16.156.197:62938  134.175.22.206:9080  134.176.1.196:54220  134.176.1.225:9090  tcp  35  (tmm: 2) none
58.45.29.238:26466  134.175.22.206:9080  134.176.1.196:24216  134.176.1.226:9090  tcp  284  (tmm: 2) none
106.16.150.173:43584  134.175.22.206:9091  106.16.150.173:43584  134.176.1.227:9091  tcp  11  (tmm: 3) none
106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091  tcp  48  (tmm: 3) none
223.152.95.189:37259  134.175.22.206:9080  134.176.1.196:29241  134.176.1.225:9090  tcp  67  (tmm: 3) none
118.251.19.94:49046  134.175.22.206:9091  118.251.19.94:49046  134.176.1.227:9091  tcp  55  (tmm: 1) none

Sachin-Garg
Altostratus

As you can see the

1st Column = Real Source IP:port
2nd Column = VIP:port
3rd Column = SNAT Source IP:port using Self IP of Internal Interface
4th Column = Pool Member:port

Here I could see that for your other VIP, 134.175.22.206:9091, the client's original address is visible to the backend pool member.

The 1st column is the same as the 3rd column:

106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091  tcp  48  (tmm: 3) none

But for the other VIP, 134.175.22.206:9080, the 1st column IP is being changed to your F5 Self IP of the Internal Interface, or SNAT IP 134.176.1.196, in the 3rd column:

223.152.95.189:37259  134.175.22.206:9080  134.176.1.196:29241  134.176.1.225:9090  tcp  67  (tmm: 3) none

Can you please compare the 2 VIPs' config and share:

VIP 134.175.22.206:9091 - Client IP address is visible to the pool member

VIP 134.175.22.206:9080 - Client IP address is NOT visible to the pool member
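
The column comparison described in the post above, as an added example that is not part of the original thread: this Python sketch groups rows of `show sys connection` output by VIP and reports whether the server-side source address differs from the client address. The sample rows are copied from the output posted earlier in the thread; the function names are illustrative.

```python
from collections import defaultdict

# Sample rows copied from the `show sys connection` output posted in this thread.
SAMPLE = """\
106.19.5.121:50700   134.175.22.206:9091  106.19.5.121:50700   134.176.1.228:9091  tcp  63  (tmm: 3) none
106.18.147.4:12642   134.175.22.206:9080  134.176.1.196:16260  134.176.1.225:9090  tcp  58  (tmm: 2) none
223.152.95.189:37259  134.175.22.206:9080  134.176.1.196:29241  134.176.1.225:9090   tcp  67  (tmm: 3) none
118.251.19.94:49046  134.175.22.206:9091  118.251.19.94:49046  134.176.1.227:9091  tcp  55  (tmm: 1) none
"""

def split_endpoint(ep):
    """Split 'addr:port' on the last colon (IPv4 form as printed in the thread)."""
    addr, _, port = ep.rpartition(":")
    return addr, port

def parse_row(line):
    """Return the four endpoints of one connection row, or None if it is not a row."""
    fields = line.split()
    if len(fields) < 5 or not all(":" in f for f in fields[:4]):
        return None
    client, vip, server_src, member = fields[:4]
    return {"client": client, "vip": vip, "server_src": server_src, "member": member}

def snat_summary(text):
    """Per VIP: connection count, how many were translated, and the SNAT addresses seen."""
    out = defaultdict(lambda: {"total": 0, "translated": 0, "snat_addrs": set()})
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        entry = out[row["vip"]]
        entry["total"] += 1
        # Compare addresses only: in the thread's output the source port changes as well.
        if split_endpoint(row["client"])[0] != split_endpoint(row["server_src"])[0]:
            entry["translated"] += 1
            entry["snat_addrs"].add(split_endpoint(row["server_src"])[0])
    return dict(out)

if __name__ == "__main__":
    for vip, s in sorted(snat_summary(SAMPLE).items()):
        if s["translated"]:
            state = "SNAT: pool member sees " + ", ".join(sorted(s["snat_addrs"]))
        else:
            state = "no SNAT: pool member sees the client address"
        print(f"{vip}  {s['translated']}/{s['total']} translated  {state}")
```

For a VIP reported as translated, the pool member's socket peer is the SNAT address, so the application has to read the client address from the X-Forwarded-For header that the http profile inserts.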

Sachin-Garg
Altostratus

Here I could see that for your other VIP, 134.175.22.206:9091, the client's original address is visible to the backend pool member.

The 1st column is the same as the 3rd column:

106.19.21.235:56092  134.175.22.206:9091  106.19.21.235:56092  134.176.1.227:9091  tcp  48  (tmm: 3) none

In that case your pool member 134.176.1.227:9091 will respond directly to the client IP 106.19.21.235:56092, bypassing the F5 load balancer. Are you seeing any asymmetric routing issue on this VIP?

Thanks,

VIP 134.175.22.206:9091 doesn't use SNAT, no automap.

Sachin-Garg
Altostratus

So do you feel your issue is resolved/explained, or would you like me to look into anything further? Kindly let me know.

Thank you very much for your help. My colleague suggested that I cancel the SNAT on VS 134.175.22.206:9080 to solve this problem, and I am considering accepting his suggestion.

Sachin-Garg
Altostratus

Can you please mark it as resolved if no further assistance is needed.

Thanks to Sachin-Garg, I decided to cancel SNAT to get the source address because SNAT is not necessary. Thank you for your help, thanks again!