It's bugged me ever since I looked at the ADF exam blueprint that there still wasn't a definitive document or diagram available that described or showed the TCP Traffic Path and Order of Operations of a packet passing through an F5. I'm aware of the BigIP Path Graph v1.7 from Red Education but that's five years old and hasn't been subject to any review. To that end I've recently started my own as you can see below.
Comments and more importantly corrections or queries are encouraged. Note as it stands I've not added many iRule events as I'd like to get the flow and order sorted first. I'm pretty sure what I've done is mostly correct but I'd love some review before I continue and finish off the server side operations. Many thanks in advance. You may need to right-click, open image/in new tab to see it full size.
New version - December 2015:
It´s greate! Well done.
thanks for the diagram. this is exactly what I was looking for.
I have a question specifically regarding after a decision has been made to send a packet to be snatted or routed. If I leave the SNAT setting on my VIP as auto-map I know that the routing and forwarding from there on uses the self-IP of the vlan that is used in the static route. If I have a SNAT Pool implemented is there a decision that is made before the traffic is sent to the routing table? I am new to SNAT Pools. any help you can provide is greatly appreciated.
I don't think there is any difference where routing is concerned. Routing is concerned with the destination, not the source so any changes in the source have no affect. Hope that helps, if not, please do post back.
Nice diagram, would it be possible to add the tcp profile client-side and server-side to the diagram please.
You are more than welcome and thanks for the flow diagrams, the main driver behind the question is that F5 exposed some tcp profile parameters via iRule in v11.6.
Hi, This is a great and very complete diagram. But I have a doubt: When a packet is processed it is first checked if an existing connection in Connection table exists, isn´t it?
And it would be great if you could add the Self IPs also to you diagram and the end of it that would be the DROP.
The standard and larger versions of the newest diagram can be found here:
Awesome, thank you for putting in the time on this!
Excellent Diagram!! Just an extra kicker here, Jason Rahm(F5 solution architect) has a video on their Whiteboard Wednesday show. Heres the link. He covers this in "Life of a Packet"
Wow great. Two remarks though:
Actually, I think in order to be 100% precise at the point where the matching VS is selected, you ought to move the "source permitted" question into the blue box that depicts the selection of the VS, right?
Receiving non-SYN packets for a connection which is not included in the connection table does not necessarily lead to the packet being dropped. There might be a fastL4 or TCP profile with loose initiation in place. But I also understand that reflecting all such possibilities in one diagram might be impossible...
First of all many thanks for this diagram which helps me a lot.
I just want to unsure that I got it right, in the new version diagram :
After the CLIENT_ACCEPTED Irule event and if there's no virtual server matching, we should also have the "Most specific match enabled on ingress" vertical box between the SNAT box and the NAT box, right?
I mean if we only have two object configured on the bigip :
One SNAT that listents for traffics comming from 10.0.0.0/8
One NAT that listents for traffics comming from 10.0.0.1/32
if the client 10.0.0.1 comes, then the NAT will precede the SNAT, right ?
Diagram is great , but can someone tell me when traffic is going to vip 443 with SSL offload and irule ...
1 it will hit vip than
2 cert will go first or irule ?
you mean if it will hit the irule before or after the SSL offloading? it doesn't work like that, there will be EVENTs within the irule hit before the SSL offloading, i.e. TCP events and ones after, like HTTP events.
yes i mean that .
i wanted to know for example like traffic will come to vip it will process all things and what is first what is second will it go for cert first and irule later or ...
like i said: it doesn't work like that, there will be iRule EVENTs within the iRule hit before the SSL offloading, i.e. TCP events and ones after, like HTTP events.
the image at the start of this question does exaxtly details which iRule EVENTs happen when.
Has anyone seen this Diagram for 13 code yet?
do you have a reason to assume it isn't valid for version 13.x? in principle not much changes, if you have some specific point please mention it.
Engineers looking at our issue have been leaning towards new security features in the 13 code that may be triggered along the path across the path. e.g. you have the ddos notes along this flow. I 'assume' there are newer things in the flow that the F5 Engineers were referring to.
I just wanted to say that the FLOW_INIT is triggered after packet filter. It was well represented in version 0.1 however in version 0.5 the "Packet filter on VLAN" was moved down below "AFM/TMM Processing begins" .
Could you please explain why you made such a modification ?
are you really sure Karim? logically i would say that FLOW_INIT doesnt trigger if a packet filter already has blocked the connection to start with.
this is where What Lies Beneath determined the situation i believe:
if i test this and block traffic with a packet filter i don't get a FLOW_INIT event, if i remove the packet filter i get it, tells me the diagram is ok.
We are saying the same thing: If the packet filter blocks the packet we'll not get the flow init event.
However, the diagram v0.5, the flow_init box is represented before the packet filter box. Which seems to say that whether we're blocked or not by packet filter we always get the flow init event (which I think is incorrect)
You can see that in v0.1 of the diagram, the flow_init box was set after the packet filter box, which make more sens for me.
ah now i see it, i didn't notice the two pictures. well we touched the question a few times, perhaps Steven will pop up and explain :)
anyone has a comment when it comes to NFVS vs VS? what is the precedence order for VS, NAT, SNAT, NFVS please?
also, somewhere in the documentations it is said that SNAT is preferred over NAT and somewhere else it mentions reversely that NAT is preferred over SNAT... like in this article: https://support.f5.com/csp/article/K9038
Please help clarifying the correct statement for these 2 points.