fxt_31120
May 06, 2013

Get the source_addr ip with vs type in layer 4

Hello,

I have a virtual server in a performance layer 4 with a persistence profile in source_addr.

My goal is to send the client IP address to the member but I don't know how I can do that with a performance layer 4.

I just want to know if it is possible to get this source_addr with an iRule?

Or any idea about it?

If you want further information:

The member is a Citrix Access Gateway and it only works with layer 4 (don't know why); we have access to the web interface but are unable to launch Citrix apps if I use a standard VS.

Thank you for your help.

Best regards,

FX

8 Replies

  • Sorry but it's not clear to me, you want to pass the source IP address to the CAG somehow? In what form? Is this because you are SNATting?
  • Hello,

    Yes, I do a SNAT. Do you want the VS config?

    It might be easier?
  • It's OK. Whilst it's possible to pass the original source IP address in the TCP headers I doubt you'll be able to configure the CAG to read the data. I don't see how this is possible at L4 I'm afraid.

    Is the SNAT absolutely necessary?
  • I don't think the SNAT is absolutely necessary. The architecture is a VS with a public IP address and a member with a private IP address.

    If there is another solution I can test it.
  • As long as you are sure the CAG (and any intervening routers etc.) will route back to the client IP addresses via the F5 then I'd suggest you set up a test VS without the SNAT using another IP (or port if addresses are short) and if that works, plan the same change on the live VS.

    A traceroute from the CAG to any likely client IP address may help you determine the return routing path.
  • Hello,

    I am not sure I can do that.

    But good news! The virtual server is working on a Standard type. I just put the HTTP profile to "none".

    It might be easier right now to help me.

    VS config :

    type Standard

    Member listen on 443

    virtual test-accessgateway {
       snatpool snat-DMZ_private
       pool pool-test-accessgateway
       destination 1.1.1.1:https
       ip protocol tcp
       persist source_addr
       profiles {
          profile_wildcard.toto.com {
             clientside
          }
          serverssl {
             serverside
          }
          tcp {}
       }
       vlans DMZ_public enable
    }
  • That doesn't really help I'm afraid unless you can apply the HTTP profile which will then allow you to add an XFF header via the profile or an iRule.