Forum Discussion

sandiksk_35282
May 11, 2017

F5 not routing traffic through floating IP

The server's DFG is pointed to the floating IP and was not able to access outside the subnet; within the same subnet it was reachable. Configured a virtual forwarding IP VIP, and also enabled FastL4 with loose initiation and loose close enabled. For this VIP we don't have SNAT enabled as the source needs to be passed to the backend server.

(192.168.x.x) user ---- FW ------- F5 (VIP) ---- Server
F5 <---- DFG (route on F5 for 192.168.x.x: DFG = FW)

When the user is accessing the server directly, the request comes into the firewall and the firewall passes it to the server; when the server responds, the traffic goes through the F5. From the captures on the F5 I am able to see only a SYN, ACK from the server to the user, followed by a RST from the source to the server.

Let me know if I need to add any routes on the F5. I don't see the complete handshake.


6 Replies

  • Anesh

    Use SNAT in combination with an HTTP profile and select the Insert X-Forwarded-For option; it will insert the client IP address into the header and hence your server can identify the client IP.


  • Hi,

    I am not sure if I understand your traffic flow:

    "When the user is accessing the server directly, the request comes into the firewall and the firewall passes it to the server; when the server responds, the traffic goes through the F5."

    Do you mean that the SYN packet from the user goes directly to the server and then the SYN, ACK from the server goes not directly to the user but via the F5?

    So it would be a bit different from the flow you provided; from the description it looks to me like this:

    ACK packet: (192.168.x.x) user -> FW -> Server

    SYN, ACK packet: Server -> F5(VIP) -> FW -> (192.168.x.x) user

    What is the reason for asymmetric routing here? Why not send all traffic via the F5?

    If this is the case, then tcpdump on the F5 is showing correct results.

    For such a flow SNAT would not change the client IP because the F5 is processing only traffic returning from the server, not traffic coming from the client to the server.

    If you say "followed by a RST from src to the server", what do you mean by src - the IP of the client that originally sent the ACK packet?

    If so, then for some reason the client is not accepting the SYN, ACK from the server - the best way is to capture traffic on the client to see why. That will as well prove who is sending the RST - client, F5 or maybe FW? For a flow like that there is a change in MAC address that could cause the FW to drop the packet:

    ACK packet will have src MAC: FW NIC, dst MAC: server NIC

    SYN, ACK packet (when received by FW) will have src MAC: F5 interface (instead of server NIC), dst MAC: FW NIC

    Could be that your VS config is wrong; as already mentioned, could you post the VS config:

    tmsh list ltm virtual

    Could you post your fastL4 profile listing:

    tmsh list ltm profile fastl4

    Piotr
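The capture the poster describes (only a SYN, ACK from the server followed by a RST, no SYN) is the signature of the asymmetric path Piotr sketches above. The following is an added example, not code from the thread or from F5: a small Python checker over constructed tcpdump-style lines that groups packets into flows and flags any flow where the capture point saw a SYN, ACK without the preceding SYN, and records who sent the RST. The IPs, ports and lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the thread). Flow 1 reproduces the
# reported symptom: server SYN/ACK seen on the F5 with no prior SYN, then a RST
# from the client. Flow 2 is a healthy handshake via the VIP for comparison.
SAMPLE_CAPTURE = [
    "IP 192.10.1.25.25 > 192.168.10.5.40001: Flags [S.], seq 100, ack 1, win 29200, length 0",
    "IP 192.168.10.5.40001 > 192.10.1.25.25: Flags [R], seq 1, win 0, length 0",
    "IP 192.168.10.5.40002 > 192.10.1.20.25: Flags [S], seq 0, win 64240, length 0",
    "IP 192.10.1.20.25 > 192.168.10.5.40002: Flags [S.], seq 200, ack 1, win 29200, length 0",
    "IP 192.168.10.5.40002 > 192.10.1.20.25: Flags [.], ack 1, win 502, length 0",
]

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def flow_key(src, sport, dst, dport):
    # Order the two endpoints so both directions of a connection share one key.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def summarize(lines):
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "rst_from": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        f = flows[flow_key(src, sport, dst, dport)]
        if flags == "S":
            f["syn"] = True
        elif flags == "S.":
            f["synack"] = True
        elif flags == "." and f["synack"]:   # third step of the handshake
            f["ack"] = True
        if "R" in flags and f["rst_from"] is None:
            f["rst_from"] = src              # who tore the connection down
    return flows

def verdict(f):
    if f["syn"] and f["synack"] and f["ack"]:
        return "complete handshake"
    if f["synack"] and not f["syn"]:
        return "asymmetric: SYN/ACK without SYN (forward path bypasses this capture point)"
    if f["syn"] and not f["synack"]:
        return "no SYN/ACK: server not answering or return path missing"
    return "incomplete"

def report(lines):
    """Map each flow key to (verdict, address that sent the first RST or None)."""
    return {key: (verdict(f), f["rst_from"]) for key, f in summarize(lines).items()}
```

Run the same function over a real `tcpdump -nn` capture taken on the F5 and on the client, as Piotr suggests, and compare which side sees the SYN.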

  • The SYN packet from the user is going directly to the server and then the SYN, ACK from the server is going not directly to the user but via the F5. This is what we are observing in the captures from the F5.

    If I need to fix this issue, how can I do this?

  • "For such a flow SNAT would not change the client IP because the F5 is processing only traffic returning from the server, not traffic coming from the client to the server."

    The above flow applies when the user tried to access the server directly. But when they access the VIP, the request comes into the F5 and from the pool we never see any response back to the client. For request processing on the F5, if I use SNAT, the client IP will not be passed to the server.


  • Hard to say, depending on what your target solution is.

    If you would like to have the client ACK and server SYN, ACK passed via the F5 then you need to modify the configuration of your FW.

    As far as I understand it's the FW that is sending the client ACK directly to the server. Instead of this it should send it to the external Self IP of your F5 (the one via which the F5 can reach the FW - if your VS is ForwardingIP type) or to the VS IP (if your VS is PerformanceL4 type - in this case you will have to change the Destination IP of the VS to be in the same subnet as the FW). Then all traffic between client and server will be processed by the F5.

    So the flow should be like this:

    ACK: client -> FW -> F5 192.168.x.x Self IP -> server

    SYN, ACK: server -> F5 self IP in subnet used by server -> FW -> client - this one is already working

    Of course for that to work your VS has to be configured to be enabled on the F5 VLAN via which the F5 is accessing the FW.

    For such a configuration you don't need Loose Initiation/Close and you can as well use a Standard type VS with a Pool containing your SMTP server.

    Or you can keep using the current fastL4 VS (don't know if it's PerformanceL4 or Forwarding type).

    Piotr


  • This is my VS config. I have the servers and the F5 in the same subnet and have a static route on the F5 for the whole 192.x.x.x network with the DFG being the firewall.

    ltm virtual /Common/smtp_vip {
        description smtp
        destination /Common/192.10.1.20:25
        ip-protocol tcp
        mask 255.255.255.255
        pool /Common/smtp_pool
        profiles {
            /Common/tcp { }
        }
        rules {
            /Common/smtp_irule
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port disabled
    }

    ltm profile fastl4 /Common/forwading_fastl4 {
        app-service none
        defaults-from /Common/fastL4
        hardware-syn-cookie enabled
        idle-timeout 300
        ip-tos-to-client pass-through
        ip-tos-to-server pass-through
        keep-alive-interval disabled
        late-binding disabled
        link-qos-to-client pass-through
        link-qos-to-server pass-through
        loose-close enabled
        loose-initialization enabled
        mss-override 0
        pva-dynamic-client-packets 1
        pva-dynamic-server-packets 0
        pva-offload-dynamic enabled
        reassemble-fragments disabled
        reset-on-timeout enabled
        rtt-from-client disabled
        rtt-from-server disabled
        server-sack disabled
        server-timestamp disabled
        software-syn-cookie disabled
        syn-cookie-whitelist disabled
        tcp-close-timeout 5
        tcp-generate-isn disabled
        tcp-handshake-timeout 5
        tcp-strip-sack disabled
        tcp-timestamp-mode preserve
        tcp-wscale-mode preserve
    }

    ltm rule /Common/smtp_irule {
        when LB_SELECTED {
            if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {
                snat automap
            }
        }
    }

    ltm pool /Common/smtp_pool {
        description p1
        members {
            /Common/p1:0 {
                address 192.10.1.25
            }
            /Common/p2:0 {
                address 192.10.1.25
                session user-disabled
            }
        }
        monitor /Common/SMTP-DLP
    }