Forum Discussion
ltp_55848
Jul 05, 2011, Nimbostratus
Hi Bhattman,
I see how this would work, but it is not going to work for my configuration, as I am not NATing/SNATing incoming client requests to the VIPs.
In my configuration, the client request will be passed through to the backend nodes with the real client IP address intact; PBR routes the response back via the F5s, which are then able to SNAT the response to the VIP address. Having an access list that excludes traffic originating from the backend nodes to the client network (ip access-list TEST_deny / 10 permit tcp 10.4.0.0/16 10.2.0.0/16) will have the effect of never forcing return traffic back via the F5s.
I should reiterate that I can see the reply traffic from a client request directly to a backend node hitting the F5s, and it appears to be matched by the wildcard virtual server. It appears that the F5s then attempt to route the response using the default gateway on that network, which matches the PBR rules and redirects it back to the F5s, resulting in a loop (I see the same sequence numbers in the packet dump) until the packets are eventually dropped.
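The loop described in this post shows up in a capture as the same TCP segment (same 5-tuple and sequence number) passing the F5 interface over and over, with a lower IP TTL on each pass because every L3 hop (the F5 forwarding virtual server and the PBR router) decrements it. A genuine TCP retransmission also repeats the sequence number, but it leaves the host with the host's initial TTL each time, so the TTL does not step down. The following script is an added example, not code from the original post or from F5; it runs over constructed trace lines (the addresses 10.4.1.10, 10.2.5.7 and the port/sequence values are made up for illustration, and the one-line-per-packet text format is an assumed simplification of tcpdump output, not tcpdump's real format) and separates a forwarding loop from ordinary retransmissions.

```python
"""Spot a PBR / forwarding-VS loop in a packet trace.

Added example (not from the forum post). A loop is reported when the same
segment (src, sport, dst, dport, seq) is seen repeatedly with a strictly
decreasing TTL; a plain TCP retransmission repeats the seq but restarts at
the host's initial TTL, so its TTLs are equal and it is not flagged.
"""
from collections import defaultdict
import re

# Assumed, simplified one-line-per-packet format (not real tcpdump syntax):
#   "<src>:<sport> > <dst>:<dport> seq <n> ttl <n>"
LINE_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" seq (?P<seq>\d+) ttl (?P<ttl>\d+)"
)

# Constructed sample trace, as if captured on the F5 backend-facing interface.
# Flow 1: a server reply looping F5 -> default gateway -> PBR -> F5 ...
#         (TTL drops by 2 per pass: one decrement at the F5, one at the router).
# Flow 2: a server reply retransmitted once (same seq, same TTL, no loop).
# Flow 3: a client request seen once.
SAMPLE_LINES = [
    "10.2.5.7:51234 > 10.4.1.10:80 seq 1 ttl 126",
    "10.4.1.10:80 > 10.2.5.7:51234 seq 1000 ttl 63",
    "10.4.1.11:80 > 10.2.5.8:40000 seq 500 ttl 63",
    "10.4.1.10:80 > 10.2.5.7:51234 seq 1000 ttl 61",
    "10.4.1.11:80 > 10.2.5.8:40000 seq 500 ttl 63",
    "10.4.1.10:80 > 10.2.5.7:51234 seq 1000 ttl 59",
    "10.4.1.10:80 > 10.2.5.7:51234 seq 1000 ttl 57",
    "this line is not a packet record and is skipped",
]


def parse_line(line):
    """Return a packet dict for a line in the assumed format, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "seq": int(d["seq"]), "ttl": int(d["ttl"]),
    }


def find_loops(lines, min_repeats=3):
    """Group packets by (5-tuple, seq) and report groups whose TTLs only fall.

    min_repeats guards against flagging a single duplicate that happened to be
    captured twice; three or more passes with a falling TTL is a loop.
    """
    seen = defaultdict(list)  # (src, sport, dst, dport, seq) -> TTLs in capture order
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])
        seen[key].append(pkt["ttl"])

    loops = []
    for key, ttls in seen.items():
        strictly_decreasing = all(b < a for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_repeats and strictly_decreasing:
            loops.append({"flow": key, "passes": len(ttls), "ttls": ttls})
    return loops


if __name__ == "__main__":
    for loop in find_loops(SAMPLE_LINES):
        src, sport, dst, dport, seq = loop["flow"]
        print(f"loop: {src}:{sport} -> {dst}:{dport} seq {seq} "
              f"seen {loop['passes']} times, ttl {loop['ttls']}")
```

The TTL test is what keeps this honest: without it, every retransmission would look like a loop. If a hop in the path does not decrement TTL (a bridged or transparent device, for instance), the TTLs stay equal and this check will miss the loop; in that case fall back to the inter-arrival time, since looped copies arrive microseconds apart while retransmissions are spaced by the RTO.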