Let us analyze this from a traffic flow perspective. As a proxy, and in this configuration, the BIG-IP is going to both NAT and SNAT the traffic to the pool member. So let's use some comcrete examples:
- BIG-IP external self-IP: 188.188.1.1
- VIP address: 188.188.1.100
- BIG-IP internal self-IP: 192.168.1.1
- Pool member: 192.168.1.100
Traffic arriving at the BIG-IP VIP has the true client IP and a destination IP of 188.188.1.100 (the VIP). The VIP takes the traffic, decrypts, selects a pool member, NATs (changes the destination address to 192.168.1.100), and then SNATs (changes the source address to 192.168.1.1). So at the pool member, it sees a destination IP of itself, coming from the internal self-IP of the BIG-IP. If you tcpdump at that internal VLAN between the BIG-IP and the pool member, you should see exactly this:
tcpdump -lnni <internal vlan>
It would be useful to do this tcpdump to observe what's actually happening. You might see the client requests coming in, but maybe not going out? Or you might only see health monitor traffic? Either of these will increment the inbound traffic counters.
If you see client traffic coming in, but nothing coming back:
- Is it because the pool member is expecting TLS but you're not re-encrypting? In this case you might see a completed TCP 3-way handshake but then a RST directly after.
- Is it because the pool member is not correctly configured to respond? You could do a curl request from the BIG-IP shell to the server to see if it can respond.
Altostratus
