
Backend server IP not visible in TCP dump

F5_LB_Eng
Cirrostratus

Hi,

I am not able to see client IP in the TCP dump. I see the client IP and LB - VIP only.

But I am able to reach the page, but it's not showing server IP in the TCP dump.

below tcp dump co

tcpdump -s0 -nni 0.0:nnnp host 10.10.10.xx and port 443

 

 


Kai_Wilke
MVP

Hi F5_LB_Eng,

Depending on your setup, the client-side and server-side connections may use different ingress/egress interfaces and/or src_ip and dst_ip combinations. In a typical SNAT-enabled deployment you will see two connections...

CLIENT_IP -> VS_IP || SNAT_IP -> SERVER_IP  

You may try to capture the traffic with a more specific expression including the client-connection as well as server-connection...

~ # tcpdump -s0 -nni 0.0:nnnp '(host 1.1.1.1 and host 2.2.2.2 and port 443) or (host 3.3.3.3 and host 4.4.4.4 and port 443)'

 Cheers, Kai


iRule can do… 😉
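
Added example, not part of the thread: a small Python check that sorts `tcpdump -nn` text output into the client-side and server-side connections described in the reply above and reports which side is absent from a capture. It assumes standard tcpdump text lines and assumes the placeholder addresses map as 1.1.1.1 = client, 2.2.2.2 = VS, 3.3.3.3 = SNAT, 4.4.4.4 = server; the sample lines are constructed.

```python
import re
from collections import Counter

# Matches the address part of standard `tcpdump -nn` text output:
#   "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

def classify(line, client, vs, snat, server):
    """Return 'client-side', 'server-side', 'other', or None if not an IPv4 line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pair = {m.group(1), m.group(3)}
    if pair == {client, vs}:
        return "client-side"
    if pair == {snat, server}:
        return "server-side"
    return "other"

def summarize(lines, client, vs, snat, server):
    """Count packets per side and list the sides with no packets at all."""
    counts = Counter()
    for line in lines:
        side = classify(line, client, vs, snat, server)
        if side:
            counts[side] += 1
    missing = [s for s in ("client-side", "server-side") if counts[s] == 0]
    return dict(counts), missing

# Constructed sample output (not from the thread). Assumed mapping:
# 1.1.1.1=client, 2.2.2.2=VS, 3.3.3.3=SNAT, 4.4.4.4=server.
SAMPLE = """\
10:00:00.000001 IP 1.1.1.1.50000 > 2.2.2.2.443: Flags [S], seq 1, length 0
10:00:00.000090 IP 2.2.2.2.443 > 1.1.1.1.50000: Flags [S.], seq 9, ack 2, length 0
10:00:00.000300 IP 1.1.1.1.50000 > 2.2.2.2.443: Flags [.], ack 10, length 0
10:00:00.001200 IP 3.3.3.3.41000 > 4.4.4.4.443: Flags [S], seq 5, length 0
10:00:00.001900 IP 4.4.4.4.443 > 3.3.3.3.41000: Flags [S.], seq 7, ack 6, length 0
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, "1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"))
    # Same capture without its server-side packets: only one side is visible.
    print(summarize(SAMPLE[:3], "1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"))
```
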

Omar2
Cirrus

Hello,

This happens when, for example, you have an iRule to select between different pools ("different dest IP combination"), and the solution is to set the host addresses or other details specific to the peers, as in the KB below:

https://support.f5.com/csp/article/K87524842

F5_LB_Eng
Cirrostratus

Hi,

Thanks for your reply.

The issue is that tcpdump -p does not catch server-side traffic in HTTP/2 Gateway-mode.

I see the traffic from client to LB, and it doesn't catch server-side traffic.

1. Can the profile "httprouter" be safely used in HTTP/2 Gateway-mode in Rel. 16.1.x?
2. Because we observed a lot of bugs when profile "httprouter" was redundantly used in HTTP/2 Gateway-mode.
3. Was there any change in usage of profile "httprouter" in Rel. 16.1.x compared to Rel. 15.1.x?
4. Is this behavior a SW bug?
5. Under what conditions do we need to use httprouter in the profile?

If we add the httprouter in the profile, I can see the server-side IP in the TCP dump.

Hi F5_LB_ENG,

> Answer to: tcpdump -p

Check the KB article Omar2 sent you. The -p option does not work for HTTP2.

> Answer to 1.)

No. I don't recommend using the HTTP MRF Router in Gateway mode. Way too much trouble and too many limitations.

> Answer to 2.)

I noticed the same. The functionality of the HTTP MRF Router in Gateway mode is somehow purely annoying and causes headaches. But mileage may vary...

> Answer to 3.)

Lots of fixes and also new issues. Some symptoms are only valid if you use HTTP MRF Router and some are valid if you don't use HTTP MRF Router. I found the problems without using HTTP MRF Router more acceptable so far. Right now I don't have any known issues on my agenda using latest v16.

> Answer to 4.)

Plenty of them. Check the F5 support page and take some time for reading.

> Answer to 5.)

Use it only for HTTP/2 full-proxy mode (HTTP MRF Router must be enabled in this specific case). Try to avoid the use of iRules or Local Traffic Policies and unnecessary features. Try to run this setup in a clean 1:1 VS->Pool mapping by using VS settings only. That's probably the best use case for it right now.

Cheers, Kai

