Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Backend server IP not visible in TCP dump

Go to solution
F5_LB_Eng
Cirrostratus
Cirrostratus

‎01-Dec-2022 00:36

Hi ,

i am not able to see client IP in the TCP dump .. i see the client IP and LB - VIP only.

but i am able to reach the page , but its not showing server IP in the tcp dump.

below tcp dump co

tcpdump -s0 -nni 0.0:nnnp host 10.10.10.xx and port 443

 

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Kai_Wilke
MVP
MVP
In response to F5_LB_Eng

‎14-Dec-2022 09:57 - edited ‎14-Dec-2022 10:00

Hi F5_LB_ENG,

> Answer to:   tcpdump -p

Check the KB article Omar2 send you. The -p option does not work for HTTP2.

> Answer to 1.) 

No. I dont recommend to used the HTTP MRF Router in Gateway mode. Way too many trouble and limitations.

> Answer to 2.) 

I noticed the same. The functionality of the HTTP MRF Router in Gateway mode is somehow pure annoying and causes headaches. But miliage may vary... 

> Answer to 3.) 

Lots of fixes and also new issues. Some symtoms are only valid for if you use HTTP MRF Router and some are valid if you dont use HTTP MRF Router. I found the problems without using HTTP MRF Router more acceptable so far. Right now I dont have any known issues on my agenda using latest v16.

> Answer to 4.)

Plenty of them. Check the f5 support page and take some time for a reading. 

> Answer to 5.)

Use it only for HTTP/2 full-proxy mode (HTTP MRF Router must be enabled in this specific case). Try to avoid the use of iRules or Local Traffic Policies and unnecessary features. Try to run this setup in a clean 1:1 VS->Pool mapping by using VS settings only. Thats probably the best usecase for it right now.

Cheers, Kai 


iRule can do… 😉

View solution in original post

5 REPLIES 5

Go to solution
Kai_Wilke
MVP
MVP

‎01-Dec-2022 02:19

Hi F5_LB_Eng,

depending on your setup, the client side and server side connection may use different ingress/egress interfaces and/or src_ip and dst_ip combinations. In a typical SNAT enabled deployment you will see two connections...

CLIENT_IP -> VS_IP || SNAT_IP -> SERVER_IP  

You may try to capture the traffic with a more specific expression including the client-connection as well as server-connection...

~ # tcpdump -s0 -nni 0.0:nnnp '(host 1.1.1.1 and host 2.2.2.2 and port 443) or (host 3.3.3.3 and host 4.4.4.4 and port 443)'

 Cheers, Kai


iRule can do… 😉
0 Kudos

Go to solution
Omar2
Cirrus
Cirrus

‎12-Dec-2022 18:14

Hello,

This happened when for example you have an i-rule to select between different pools "different dest IP combination" and the solution is to set the host addresses or other details specific to the peers as the KB below:

https://support.f5.com/csp/article/K87524842

0 Kudos

Go to solution
F5_LB_Eng
Cirrostratus
Cirrostratus

‎14-Dec-2022 00:42

Hi ,

thanks for you reply..

the issue is  tcpdump -p does not catch server-side traffic in HTTP/2 Gateway-mode

i see the traffic from client to lb and it doest catch server side traffic

1. Can the profile "httprouter" safely used in HTTP/2 Gateway-mode in Rel. 16.1.x?
2. Because we observed a lot of bugs when profile "httprouter" was redundantly used in http/2 Gateway-Mode.
3. Were there any change in usage of profile "httprouter" in Rel. 16.1.x compared to Rel. 15.1.x?
4. Is this behavior a SW-bug?
5. On what condition we need to use httprouter in the profile ..

0 Kudos

Go to solution
F5_LB_Eng
Cirrostratus
Cirrostratus
In response to F5_LB_Eng

‎14-Dec-2022 00:43

if we add the httprouter in the profile i can see the server side IP in the tcp dump

0 Kudos

Go to solution
Kai_Wilke
MVP
MVP
In response to F5_LB_Eng

‎14-Dec-2022 09:57 - edited ‎14-Dec-2022 10:00

Hi F5_LB_ENG,

> Answer to:   tcpdump -p

Check the KB article Omar2 send you. The -p option does not work for HTTP2.

> Answer to 1.) 

No. I dont recommend to used the HTTP MRF Router in Gateway mode. Way too many trouble and limitations.

> Answer to 2.) 

I noticed the same. The functionality of the HTTP MRF Router in Gateway mode is somehow pure annoying and causes headaches. But miliage may vary... 

> Answer to 3.) 

Lots of fixes and also new issues. Some symtoms are only valid for if you use HTTP MRF Router and some are valid if you dont use HTTP MRF Router. I found the problems without using HTTP MRF Router more acceptable so far. Right now I dont have any known issues on my agenda using latest v16.

> Answer to 4.)

Plenty of them. Check the f5 support page and take some time for a reading. 

> Answer to 5.)

Use it only for HTTP/2 full-proxy mode (HTTP MRF Router must be enabled in this specific case). Try to avoid the use of iRules or Local Traffic Policies and unnecessary features. Try to run this setup in a clean 1:1 VS->Pool mapping by using VS settings only. Thats probably the best usecase for it right now.

Cheers, Kai 


iRule can do… 😉
Copyright © 2023 Khoros, LLC