Forum Discussion

Coso_17543
Mar 14, 2011

BigIp source addresses

hi all,

I don't know if this is an easy question but it's a bit urgent for me.

We need to balance 2 servers under a VIP for some services, telnet and FTP included.

The pool was correctly created as standard (we manage a lot of pools) but the users have a problem. After just one user tried too many times to log in with a wrong user/pass, the nodes blocked the access from him. After that, nobody can log in, because the source address seen by those 2 servers is not the real users' address but the BIGIP's..

I remember something that this issue doesn't happen on some pools because, being HTTP, the user's IP address is encapsulated in the packet and by checking it, servers can know who is the real source. But how can we avoid this in a normal telnet or FTP session?

Is there a setting or an iRule to make a transparent balancing in BigIp so that servers can receive users as sources and not the BigIP NAT?

Thank you

12 Replies

  • If the destination (application servers / pool member servers) are configured on a subnet "owned" by the BigIP's then you can disable SNAT. Ownership can be defined as the F5 / BigIP being the default gateway for the Subnet (making it the default gateway for the server through subnet ownership).
    If SNAT Automap is disabled then the destination servers will receive the Client IP Address (client IP Address in this case being the source IP Address of whatever is accessing the Virtual Server on the F5 (making the Client IP Address a relative term)). The return traffic back to the client from the server will go through the BigIP back to the client because the BigIP is its default gateway (preventing a broken network route).

    If the servers are on a different subnet not owned by the BigIP, then you will have a communication failure due to a broken route.
    The BigIP will NOT auto detect and SNAT automatically without some type of logic in an iRule.
    Does this make more sense?
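The iRule below is an added example, not code posted in this thread or shipped by F5; it illustrates the logic the reply describes: preserve the client's source address only when the selected pool member sits on a subnet the BIG-IP owns (so the server's default gateway is the BIG-IP and return traffic comes back through it), and fall back to SNAT automap otherwise to avoid the asymmetric-route failure. The subnet 10.1.1.0/24 and the use of the `snat` command inside `LB_SELECTED` are assumptions for illustration; confirm the event/command combination against the iRules reference for your TMOS version before deploying.

```tcl
# Added example, not from the original thread.
# Assumption: pool members for the FTP/telnet virtual server live in
# 10.1.1.0/24 and the BIG-IP self IP is that subnet's default gateway.
# Replace the subnet with your own.

when LB_SELECTED {
    # LB::server addr is the pool member chosen for this connection.
    if { [IP::addr [LB::server addr] equals 10.1.1.0/24] } {
        # Member is on the BIG-IP-owned subnet: the server's reply routes
        # back through the BIG-IP, so it can safely see the real client IP.
        # A lockout triggered by repeated failed logins then affects only
        # the offending client address, not the BIG-IP's SNAT address.
        snat none
        log local0. "client [IP::client_addr] -> [LB::server addr]: SNAT disabled"
    } else {
        # Member on a subnet the BIG-IP does not own: without SNAT the
        # server would answer the client directly, bypassing the BIG-IP
        # (broken route), so translate the source to a self IP instead.
        snat automap
        log local0. "client [IP::client_addr] -> [LB::server addr]: SNAT automap"
    }
}
```

If every member of the pool is on a BIG-IP-owned subnet, no iRule is needed: set the virtual server's source address translation to None (in tmsh, `source-address-translation { type none }` on the `ltm virtual` object) and point the servers' default gateway at the BIG-IP self IP. The per-connection check above only matters when a pool mixes owned and foreign subnets; the log lines are there so you can verify from /var/log/ltm which path each connection took while testing.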