We are configuring the GTM to work as a proxy. So, in case no Wide IP is matched by the DNS query, it should forward the DNS query to a local pool of DNS servers. I have configured the local pool of DNS servers and associated it under the listener as the default pool. However, the requests are coming to the listener but are maybe not forwarded to the DNS servers. I can see from the statistics on the GTM that there are IN packets coming to the listener and the pool, but there are no OUT packets.
Any idea why this is happening?!
I have verified the connectivity between the listener and the DNS servers, and they are on the same subnet.
I suppose that you set a DNS profile.
Can you validate that in this DNS profile you set the setting "Unhandled Query Actions" to "Allow":
Allow: The BIG-IP system forwards queries to a DNS server or pool member. If a pool is not associated with a listener and the Use BIND Server on BIG-IP setting is set to Enabled, requests are forwarded to the local BIND server.
It's already set on "Allow".
As you see here, requests are coming to the listener but apparently are not forwarded to the DNS servers, although they are in the same subnet as the listener.
If requests are not coming out, it means that the request was handled by another option; you can see the Overview of DNS query processing on BIG-IP systems:
Is it possible to send us your DNS profile configuration (screenshot)?
You don't use DNS BIND? If yes, can you disable "Use BIND Server on BIG-IP"?
Everything is disabled except for these 3 options: GSLB, Unhandled Query Actions, Process Recursion Desired.
Could it be an asymmetric routing issue?
Depending on your network configuration you may have to enable SNAT automap on the VS to allow the DNS server to route packets back to your F5.
If this does not work out, then make sure the DNS server is receiving the DNS request (e.g. a pcap on your DNS servers).
The listener and the DNS servers are in the same subnet. I don't have permission to do this packet capture on the DNS server, as it's in production and there is no Wireshark on this server.
SNAT automap is required to hide the original source address of the DNS client. If SNAT automap is disabled, the DNS server will see the original client IP address as the originator of the DNS request and will start to respond directly to it. This will only work if the default gateway of your DNS server is pointing to your F5 and if the DNS client is not on the same subnet as the DNS server. In any other case you have to enable SNAT automap...
As I already said, if this change does not work out you have to find a way to capture the traffic on your DNS server side (e.g. either a pcap on the host directly or a SPAN/mirror port on your switches). If neither solution is possible, you will be more or less at a dead end...
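The settings the thread converges on (a DNS profile with "Unhandled Query Actions" set to Allow and BIND disabled, a pool of DNS servers attached to the listener, and SNAT automap so replies return to the BIG-IP rather than to the client), written out as tmsh. This is an added example, not configuration posted by any participant: the object names, the 10.10.20.0/24 addresses and the listener address 10.10.20.53 are placeholders, and the monitor is only a reachability check.

```tmsh
# Added example (placeholders: dns_fwd_profile, dns_fwd_pool, dns_listener_udp,
# 10.10.20.11/12 as DNS servers, 10.10.20.53 as the listener address).

# 1. DNS profile: GSLB lookups on; a query that matches no Wide IP is forwarded
#    to the listener's pool (unhandled-query-action allow); local BIND is off,
#    so a miss is not answered on the box instead of being forwarded.
create ltm profile dns dns_fwd_profile {
    defaults-from dns
    enable-gtm yes
    unhandled-query-action allow
    use-local-bind no
    process-rd yes
}

# 2. The backend DNS servers. gateway_icmp only proves the hosts are reachable;
#    it does not prove they answer on 53.
create ltm pool dns_fwd_pool {
    members add { 10.10.20.11:53 10.10.20.12:53 }
    monitor gateway_icmp
}

# 3. UDP listener with the profile, the pool and SNAT automap. Without the SNAT
#    the server sees the real client address and answers it directly, which only
#    works when the server's default gateway is the BIG-IP and the client is not
#    on the server's subnet (the asymmetric path discussed above).
create gtm listener dns_listener_udp {
    address 10.10.20.53
    port 53
    ip-protocol udp
    profiles add { udp_gtm_dns dns_fwd_profile }
    pool dns_fwd_pool
    source-address-translation { type automap }
}

save sys config
```

A TCP listener on the same address needs the same profile, pool and SNAT setting with `ip-protocol tcp` and the `tcp` profile in place of `udp_gtm_dns`. When a capture on the DNS server itself is not possible, the BIG-IP can capture both sides of the flow: from its bash shell, `tcpdump -ni 0.0:nnn -s0 'port 53 and host 10.10.20.11'` shows whether the forwarded query leaves toward a pool member and whether the reply comes back on the same flow. With SNAT automap the outgoing query carries a self IP of the BIG-IP as its source; without it the original client address, which is exactly the case where the reply can bypass the BIG-IP.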