snat automap
10 Topics

tcp_tw_recycle with SNAT
We have a very high volume of TIME_WAIT and we are planning to use the tcp_tw_recycle TCP setting on the Apache web server so we trash connections faster, but many folks are saying it will create issues with NAT, so before enabling it I need expert advice: is it safe to use with LTM (SNAT)?
296 Views, 0 likes, 1 Comment

X-Forwarded-For header
Hi All, My application team's requirement is to be able to see the actual client IP address of whoever is accessing the application instead of the BIG-IP address, as SNAT (Auto map) is enabled. I have read some SOLs on it and understand that we can achieve this by iRule & HTTP profile. However, my requirement is to have an iRule so we can take the decision whether to add the X-Forwarded-For header to client requests. Can anyone please share the iRule script pertaining to this requirement? Thanks in advance, MSK
384 Views, 0 likes, 11 Comments

clients and servers are on the same network
Hi folks, We have a load balancing scenario where the client (10.10.10.10) and nodes (10.10.10.20 and 10.10.10.30) are in the same network, 10.10.10.0/24, and the VIP is 20.20.20.20. I am using snat automap with the self IP as 10.10.10.5. When the client initiates the connection to the VIP I am seeing the traffic hitting the F5 in the tcpdump. I am also seeing the backend connection from the F5 self IP (10.10.10.5) to one of the nodes (say 10.10.10.20) and finally from the node (10.10.10.20) to the F5 self IP (10.10.10.5), which is perfectly fine. Then I am also seeing something strange in the capture, where the self IP (10.10.10.5) is directly talking to the client (10.10.10.10). This makes the connection from the client unsuccessful all the time. Why is the self IP trying to talk to the client directly? The client should get the response back from the VIP instead of the self IP. Any suggestions for this asymmetric packet flow? I have tried with a snat pool with the IP in the same subnet and still the issue remains the same. Am I missing anything? Thanks
313 Views, 0 likes, 2 Comments

Unable to access virtual server over port 53
I currently have a virtual server set up to load balance across three DNS servers. If I issue the command "nslookup www.google.com [IP of VS]" from a client machine I'm getting a DNS request timed out error. I've verified that the vIP is reachable from the client and it's operational on the BIG-IP. The DNS servers are reachable on the BIG-IP as well and are passing the monitor associated with the pool.
482 Views, 0 likes, 5 Comments

Route domain is not compatible with snat list global
We have a problem: route domain is not compatible with snat list global. The F5 solution is one-arm. The existing configuration is that we have a snat list global for the virtual server. Now I have created a new VLAN and route domain; when we create a snat list global with the new route domain it does not work. Please let me know about this problem.
219 Views, 0 likes, 0 Comments

SNAT Issue with two virtual servers
I’m having an issue wrapping my head around setting up SNAT. I think SNAT is what I need. Here is my setup:

192.168.103.125 – IP of server hosting IIS site www.siteA.com
192.168.103.1 – Default Gateway on server A, which is the F5
192.168.100.141 – IP of Virtual server in F5 for site A
192.168.103.211 – IP of server hosting IIS site www.siteB.com
192.168.103.1 – Default Gateway on server B, which is the F5
192.168.100.140 – IP of Virtual server in F5 for site B

If I try to browse to www.siteB.com from site A server, it won’t work. If I try to browse to www.siteA.com from site B server, it won’t work. The only way I can get it to work is to create a static route like this to force the destination server to route any traffic back to the source to use the VIP. On server B, I make a route – (route add 192.168.103.125 mask 255.255.255.255 192.168.100.141). If I add the above on server B, I can then browse to www.siteB.com from server A.

I read through https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html1199363 but I’m unsure exactly what to set up. One other thing to add: for some reason, when our F5’s were set up years ago, all of the webservers use route domain 1. I don’t know if that is part of the problem or not. Appreciate any help.
419 Views, 0 likes, 9 Comments

BIG-IP : virtual-server configuration for snat
BIG-IP 11.4.0 Build 2384.0 Final

vip-external-01 is enabled for vlan-external-01 and routes to pool-01, whose members live on vlan-internal-01. vip-external-01 has snat auto-map enabled. vip-internal-01 is enabled for vlan-internal-01 and should be chosen as the self-ip for traffic routed by vip-external-01 to pool-01.

On vip-external-01, is it also necessary to enable vlan-internal-01? And on vip-internal-01, is it also necessary to enable vlan-external-01? More generally speaking, how do I configure a simple network to support a browser-client request sent to the vip and routed to the destination web-server, with the response traveling the reverse path?
337 Views, 0 likes, 4 Comments

BIG-IP : how to determine Self-IP used by SNAT ?
BIG-IP 11.4.0 Build 2384.0 Final

On my Virtual Server, I have Source Address Translation = Auto-Map (I believe this is the same as SNAT, correct?). How do I determine the Self IP that BIG-IP will substitute in as the origin IP when routing a request to a pool?
232 Views, 0 likes, 2 Comments

SNAT POOL AUTOMAP ISSUE
Hi: Here is the topology:

Client-192.168.81.61--------F5-130.97.120.19---------------Server-130.97.121.131

The client (192.168.81.61) wants to connect to the server (130.97.121.131) with a virtual IP 192.168.120.131:9000. For this purpose, I configured a standard VS at the LTM using a virtual IP 192.168.120.131:9000. If I choose AUTOMAP as my SNAT POOL, the connection is fine, but the source IP will translate to 130.97.120.19, and I really don't want this to happen. If I set SNAT POOL to NONE, then the source IP remains 192.168.81.61, but the TCP connection will fail... In order to find out what's going on, I did some captures on both the client and the server.

For the client, I can see these packets:
192.168.81.61----SYN---->192.168.120.131
192.168.120.131---SYN ACK---->192.168.81.61
192.168.81.61---ACK--->192.168.120.131

For the server, I can only see these packets:
192.168.81.61---SYN--->130.97.121.131
130.97.121.131---SYN ACK--->192.168.81.61

Apparently, the ACK from the F5 to the server is missing; I don't know why the F5 wouldn't send the ACK. But when I used AUTO MAP at SNAT POOL, the F5 would send the ACK, and that's why the connection can succeed. Has anybody met this issue before? I appreciate your help.
612 Views, 0 likes, 8 Comments

APM with multiple routedomains and SNAT automap
Hello! I have this policy:

1. Auth user in localDB
2. According to the user, assign IP lease pool, routedomain and SNAT auto map.

So this is not working. When the user connects he gets a valid IP lease pool but SNAT is not in effect. I tried to make a SNAT pool but it won't work either. In my policy I first have an advanced resource assign with webtop and network resources, then a Route domain selection box where I chose the routedomain and SNAT automap. Where is my mistake? How can I force it to use SNAT?
290 Views, 0 likes, 2 Comments