Forum Discussion
Routed VS SNAT Deployment
Typically, we always use SNAT in our environment. I have a scenario now where I need to retain source IPs from clients thus disabling SNAT.
Here is what I have configured thus far:
1) Created a new VS with a type of "Forwarding IP," a destination network of 0.0.0.0, and a mask of 0.0.0.0. The VS is bound to all ports. It also has a fastL4 profile assigned to it, and is bound to all VLANs and all protocols.
2) Defined a default route on the BIG-IP to a gateway that can reach all of our internal applicable networks.
3) Configured the server's default gateway as the floating self-IP on the corresponding VLAN.
From the server, I can reach all external networks. However, I cannot access the server FROM a remote network. I can, however, ping it, but all TCP connections fail (SSH, etc.).
What configuration am I missing here? My goal is to be able to access the server (which has the LTM defined as its gateway) from any network via its assigned IP address and not a VS.
Is this possible?
Thanks for any help!
18 Replies
- What_Lies_Bene1
Cirrostratus
Does a traceroute suggest it passes through the F5? Also, have you disabled port and address translation on the VS?
- JRahm
Admin
do the upstream routers know that traffic for the servers needs to be sent to the BIG-IP?
- Josh_41258
Nimbostratus
Jason,
I'm assuming so since I can ping the host. I verified the ping is actually making it to the host by running tcpdump on it.
Josh
- JRahm
Admin
icmp can be relayed by other gateways. Do you see the tcp request in a tcpdump on the BIG-IP or just the return traffic?
- Josh_41258
Nimbostratus
When I try to SSH from an "off-net" host, from the BIG-IP:
tcpdump -i 0.0 -s0 host 172.21.101.71 (this is the IP of the off-net client/host = FC-RODNS01)
15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0
15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0
...
So, the BIG-IP is seeing the request.
At the same time, I have a tcpdump running on the client (172.21.101.71/fc-rodns01):
$ tcpdump host 172.26.100.223 (the IP of the server behind the BIG-IP = buildel564):
15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0
15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0
...
So, the off-net client seems to be ACKing requests from the server behind the F5. But, I'm not seeing anything else.
Thanks,
Josh
- JRahm
Admin
So two SYN packets to the front side, but we don't see any SYN packets leaving the BIG-IP for the server (should see them with -i 0.0), so either there is not a route to the server, the VLAN the traffic is arriving on is not enabled on the virtual server, or the traffic is still being SNATed somehow (more specific match maybe) and evaded capture here.
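The check Jason describes above (SYNs arrive on the front side, nothing answers) can be done mechanically over a capture. This is an added example, not code from any poster in this thread: it parses tcpdump lines in the format shown above and lists flows whose SYNs never got a SYN-ACK back. The sample capture is constructed; the two SSH lines mirror the thread's output and the HTTP flow is a healthy control.

```python
import re
from collections import defaultdict

# Constructed sample in the `tcpdump -i 0.0 -s0` format used in the thread
# (resolved hostnames as in the post; numeric -nn output parses the same way).
SAMPLE_CAPTURE = """\
15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0
15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0
15:59:53.001000 IP 172.21.101.71.57420 > 172.26.100.223.80: Flags [S], seq 1, win 14600, length 0
15:59:53.001400 IP 172.26.100.223.80 > 172.21.101.71.57420: Flags [S.], seq 2, ack 2, win 14480, length 0
"""

# Greedy host match backtracks to the last dot, so "host.port" splits correctly
# for both resolved names and dotted-quad addresses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\S+) > "
    r"(?P<dst>\S+)\.(?P<dport>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m.group("src"), m.group("sport"),
                   m.group("dst"), m.group("dport"), m.group("flags"))


def find_unanswered_syns(text):
    """Return {(client, cport, server, sport): syn_count} for flows that sent
    SYNs but never saw a SYN-ACK ([S.]) in the reverse direction."""
    syns = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_tcpdump(text):
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # Key the SYN-ACK by the client side so it lines up with the SYN entry.
            answered.add((dst, dport, src, sport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


if __name__ == "__main__":
    for (c, cp, s, sp), n in find_unanswered_syns(SAMPLE_CAPTURE).items():
        print(f"{c}:{cp} -> {s}:{sp}: {n} SYN(s), no SYN-ACK seen")
```

Run it against `tcpdump -i 0.0 -nn` output from the BIG-IP: a flow listed here with no matching SYN toward the server side is the routing or VLAN problem Jason describes; one with a server-side SYN but no return is the server's missing route back.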
- Josh_41258
Nimbostratus
Are you saying that the VLAN is not enabled on the FORWARDING VS? All VLANs are currently enabled on that VS. No SNAT is enabled, either. Guess I need to take a second look at routing. Although, I'm not really sure how to fix that.
Why the second capture on the client? The first already shows the BIG-IP receives the SYN. A capture on the server would be more interesting. But as Jason says, seeing how nothing leaves the BIG-IP, probably something fails there.
Also, tcpdump with -nn stops resolving hostnames and ports, which is usually easier on the eyes.
As for the possible routing issue, how is the network behind the BIG-IP (where the server is located) set up? Is it directly connected or behind a router?
- What_Lies_Bene1
Cirrostratus
Have you checked the server has a route back to the network you are coming from that goes via the F5? Is the server on a VLAN hosted on the F5? If not, does the F5 have a route to the server network? Is auto last hop enabled?
Oh, and use the Basic/Advanced dropdown to see all your settings.
- Josh_41258
Nimbostratus
@boneyard - You are correct. I should have captured from the server, not the client.
The network that the server resides on is not directly connected to the BIG-IP. It is behind a router. This network is trunked to the BIG-IP via a VLAN. Auto Last Hop was set to "Default," but I have since set it to "Enabled." Even with advanced settings view, the options for translation do not appear on the Forwarding VS.
Since the network where the server resides is not directly connected to the BIG-IP, it sounds like I may need a static route for the server on the upstream router to point to the floating self-IP of the VLAN? Does this sound correct?
Josh