auto map
5 Topics

Asymmetric traffic because of closing SAT on VIP
Hi all, I closed SAT (from Automap to None) on the DNS VIP, because of passing through the source IP addresses which make DNS queries to make the QRadar logs meaningful. I also set the DGW of the DNS nodes behind the VIP as F5 self IP. We started to take the DNS logs to QRadar with the source of the queries, but I realized that the DNS doesn't work for the clients/servers which are at the same subnet with the DNS servers behind the VIP any longer. Because, the DNS servers are returning directly to the client/servers which are at the same subnet, not returning to F5. I have a workaround solution for that case (creating another DNS VIP with the same nodes and setting the SAT as Automap) but with this solution we cannot get the logs for the relative subnet. Any solution to prevent this asymmetric traffic without opening the SAT? (BIG IP LTM 12.1.0) Thanks

221 Views | 0 likes | 0 Comments

Asymmetric traffic because of closing SAT on VIP
Hi all, I closed SAT (from Automap to None) on the DNS VIP, because of passing through the source IP addresses which make DNS queries to make the QRadar logs meaningful. I also set the DGW of the DNS nodes behind the VIP as F5 self IP. We started to take the DNS logs to QRadar with the source of the queries, but I realized that the DNS doesn't work for the clients/servers which are at the same subnet with the DNS servers behind the VIP any longer. Because, the DNS servers are returning directly to the client/servers which are at the same subnet, not returning to F5. I have a workaround solution for that case (creating another DNS VIP with the same nodes and setting the SAT as Automap) but with this solution we cannot get the logs for the relative subnet. Any solution to prevent this asymmetric traffic without opening the SAT? Thanks

287 Views | 0 likes | 0 Comments

How to Determine Public IP when using an AutoMap SNAT with TCPDUMP?
All, I have a situation where I am trying to determine the Client IP when using AutoMap on my VIP. I can find the packets I am interested in as they pass from the AutoMap IP to the Pool Members using TCPDUMP. Obviously the SRC IP in my captures always shows the F5 AutoMap IP. Is there any way to follow sequence numbers or something else that would reveal the packet as it came to the VIP, if I have packet info going to the Pool Members? What is odd is that I find the packets with Source of the AutoMap and Destination of pool members (not always the same member). In the packet details I find the info I am looking for, in this case an FTP login attempt that fails. But if I filter my TCPDUMP using the VIP I never find any of the same kind of payload I see when I filter on the bad login attempt that happens over and over. What could I be missing? At first I thought someone internal was going directly to the server, but if that were true I would expect to see that LAN client's IP instead of the AutoMap... hmmm, unless they are in a different subnet and still needing AutoMap. That of course takes me back to the original question... how the heck do I match up capture data coming to a pool member with data coming into the VIP? Hopefully this is not stupid. I figure there has to be a way. And no, we can't turn off AutoMap for use X-Forward etc. as this is FTP. I am happy to provide capture detail if needed.

Raymond

357 Views | 0 likes | 1 Comment