Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

cs-server-addr & ss-server-addr are same !

Hi everyone !

when I'm viewing the connections on my LTM it shows both cs-server-addr & ss-server-addr as same IP i.e VIP , we are using route domains and these connections are for VPN traffic i.e we are using F5 to loadbalance DMVPN HUB traffic.

please let me know how i can show which connections are going to backend pool members ? and why its showing like this?

sorry i have mask the IP's but it's showing the same IP's for me

211.x.x.x%7000:any 198.x.x.x%7000:any 211.x.x.x%7000:any 198.x.x.x%7000:any esp 1 (tmm: 0) none

211.x.x.x%7000:500 198.x.x.x%7000:500 211.x.x.x%7000:500 198.x.x.x%7000:500 udp 795 (tmm: 1) none

Thank You

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Find the below details, which will help to dril down the output.

  CS is Client Side (Client --> F5)
  SS is Server Side (F5 --> Server)

  cs-client-addr - Client IP
  cs-server-addr - VS IP (VIP)

  ss-client-addr - SNAT IP or Client IP i.e. cs-client-addr
  ss-server-addr - Server IP address
0
Comments on this Answer
Comment made 3 months ago by murali 255

ss-server-addr is showing the same IP i'e VIP in this case for me

0
Comment made 3 months ago by murali 255

something like this

211.x.x.x%7000:any 198.1.1.1%7000:any 211.x.x.x%7000:any 198.1.1.1%7000:any esp 1 (tmm: 0) none

0
Comment made 3 months ago by f5_rock 2639

Are you using any NAT on VIP.. ?

0
Comment made 3 months ago by murali 255

No we are not using any NAT so the client IP is same that i understood but why the server IP is showing same on both sides , we are using route domains.

0
Comment made 3 months ago by f5_rock 2639

Not sure in Routing domain.. Is it possible to capture packet?

0
Comment made 3 months ago by murali 255

this is working fine but it only displays like this , we are also using the fastl4 profile. not sure why it shows like this , if i'm doing a debug it is only showing esp traffic betweeen client IP and the VIP

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

if this connection matches a virtual server with parameter "Translate destination" unchecked, the BigIP route traffic to the destination with the same destination address as the client side destination.

this is the expected behavior for Forwarding IP virtual servers.

0
Comments on this Answer
Comment made 3 months ago by murali 255

This is not a forwarding virtual server , its standard VIP with fastl4 profile attached to it in the routed-domain.

I have seen this kind of output in other posts as well and also F5 articles so is this something related to the route domains ? or this is a bug ?

example post:

https://devcentral.f5.com/questions/show-sys-connection-in-ipv4-format

F5 KB article:

https://support.f5.com/csp/article/K16561

If you see in both cases the output of show sys conn is displaying the cs-client-addr & ss-server-addr as same

0
Comment made 3 months ago by Stanislas Piron 8594

Can you post here the virtual server configuration?

tmsh list ltm virtual *vsname*
0
Comment made 3 months ago by murali 255

ltm virtual vs_dmvpn_isakmp {

destination 198.x.x.x%3000:isakmp
ip-protocol udp
mask 255.255.255.255
mirror enabled
partition OUTSIDE_PROD
persist {
    profile_dmvpn_persist {
        default yes
    }
}
pool pool_dmvpn
profiles {
    profile_dmvpn_fL4 { }
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
    /Common/vl_307_outside
}
vlans-enabled
vs-index 6

}

0
Comment made 3 months ago by Stanislas Piron 8594

This is exactly what I explained (I said "Translate destination" instead of "Translate address" ;-) ):

translate-address disabled

with this configuration, the client side and server side destination is unchanged.

0
Comment made 3 months ago by Stanislas Piron 8594

And this is like a forwarding VS, but to enable gateway pool assignment, we need to create a performance L4 VS with translate-address disabled.

0
Comment made 3 months ago by murali 255

we have a pool attached to this VS and in the statistics its showing traffic is being load balanced between how this is a Forwarding VS if its of type standard VS? i'm confused

0
Comment made 3 months ago by Stanislas Piron 8594

virtual server type is only to display configuration options.

there is no parameter in virtual server to define Forwarding, Performance, Standard... types.

a forwarding VS is a virtual server with:

  • translate-address disabled
  • profile fastl4 (or child of fastl4)
  • no pool option available

you can convert a standard VS to Forwarding L7 (this type doesn't exists) by unchecking translate address option.

This is how we configure outgoing FTP VS in Link Controller.

0
Comment made 3 months ago by murali 255

Thank you for the comment ! i'm trying to understand why would a forwarding VS need pool?

0
Comment made 3 months ago by Stanislas Piron 8594

Thé pool in a forwarding vs is used as gateway pool!

It allow to manage policy based routing!

1
Comment made 3 months ago by murali 255

Got it !! Thanks a lot

0