Cloned traffic incomplete when forwarding to another virtual?

Question

Hi 
I am trying to copy traffic to packet capture device using a clone pool. The setup is as follows:
I have an external VIP that terminates SSL traffic on the client side, forwards the traffic to an internal VIP that re-encrypts traffic to the backend server. Forwarding of traffic is done via an irule:
when CLIENT_ACCEPTED {
    virtual internal-vip
}

When I configure server side cloning on the external VIP I get incomplete traffic on the capture device. When I check a packet capture with wireshark it complains for every request: 'TCP Previous segment not captured'.

Note that cloning works fine if I a replace the trafic forwarding to another virtual by a normal pool.
Any thoughts on what may cause this behavior?
Winston

sirwinston · Answer

Thanks for the effort you put into this!! I really appreciate it.&nbsp;
I cannot work on this today but will compare this with my setup tomorrow. &nbsp;

sirwinston · Answer

@nitass&nbsp;
Your config was not significantly different from mine. Even making it identical did not produce different results, initially .....&nbsp;
However, when we made a tcpdump on the big-ip instead of on the clone pool member things looked very different (better). Originally, I was running the tcpdump within a Docker container on a linux host. It seems that this was causing the issue. Running the tcpdump on a plain linux clone pool member also give good result (but no extensive testing yet).&nbsp;
I am still confused about the reason behind these different results but it seems that my initial question was caused by wrong measurement and not by a non-working setup. I'll do some additional testing in the coming weeks an will update this thread with the results.&nbsp;
Thanks again for your effort.&nbsp;

sirwinston · Answer

After testing with tcpdump on a brand new VM and not using Docker it seems that things are working fine. Marking this issue as answered. &nbsp;

Forum Discussion

Cloned traffic incomplete when forwarding to another virtual?

3 Replies

Recent Discussions

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

Related Content

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire

Quick Optimizations for F5 BIG-IP Virtual Edition

SMTP Traffic Forward to M365 on Port 587

Check a Virtual Server's SSL Status