Forum Discussion

Larry_Dalton_53
Aug 15, 2007

BigIP and IronPort

When you SNAT IronPort from BigIP it can't read the return IP. If you don't SNAT, IronPort returns to the sender's IP. Any solutions to load balancing IronPort with BigIP?

Larry

4 Replies

  • Deb_Allen_18
    Historic F5 Account
    When you say "It can't read the return IP", do you mean the client IP is replaced with the SNAT address?

    The best way around that would be to disable SNAT and change the default gateway on the IronPort boxes to the LTM floating selfIP address on the same vlan.

    If that wasn't what you were after, post again.

    /deb
  • Posted By deb on 08/14/2007 6:03 PM

    When you say "It can't read the return IP", do you mean the client IP is replaced with the SNAT address?

    The best way around that would be to disable SNAT and change the default gateway on the IronPort boxes to the LTM floating selfIP address on the same vlan.

    If that wasn't what you were after, post again.

    /deb

    Hi,

    Sorry to revive an old thread, but I'm having the exact same issue. My setup is the following:

    A Virtual Server that balances to two IronPorts (just one enabled for testing). The clients, LTM, IronPort and firewall (the gateway) are all connected to the same switch, so the IronPort will try to answer directly to the clients. Using SNAT works, but we can't use it, as we wouldn't be able to get statistics, use restrictions, etc. on the IronPort if all traffic comes from the same IP address of the LTM. So I changed the default gateway of the IronPort (instead of the firewall) to the self IP of one of the LTMs (we are still in the lab, so we haven't enabled HA yet), but it doesn't work either. Doing a capture on the LTM on both vlans, I only see return packets from the IronPort to the clients on the vlan where the IronPort is connected, but none on the other vlan where the clients are connected. The LTM has a default gateway set to the firewall IP, and the LTM has no restrictions to connect to the Internet.

    Do I need to configure something special on the LTM to enable it to work as a gateway? Setting up a forwarding VS with no port didn't work either.
  • Additional info: the firewall, IronPort and clients are all on the same vlan of the LTM; forget the part about not seeing packets on the other vlan, as that one is used for something else.
  • If the client and pool member are on the same subnet you have to either use SNAT to ensure the server doesn't respond directly back to the client or configure the server to respond back directly to the client using the VIP address (the one the client made the request to). This second option is referred to as nPath in the F5 world. Here is a link to the Solution Guide for 9.4.3+:

    Configuring nPath Routing
    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_sol_guide_943/sol_npath.html

    Aaron
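Aaron's two options written out side by side, as an added example that is not from the thread or from F5's guide: the SNAT virtual server that hides the client IP and the nPath virtual server that preserves it. It assumes a current tmsh-based BIG-IP rather than the 9.4.3 bigpipe syntax of the linked guide, and constructed addresses (VIP 10.0.0.100, IronPorts 10.0.0.11 and 10.0.0.12, all on the same subnet as the clients, as in the poster's lab).

```tmsh
# Constructed lab: clients, LTM, IronPorts and firewall share 10.0.0.0/24.
# Pool members are the IronPort SMTP listeners.
ltm pool ironport_smtp_pool {
    members {
        10.0.0.11:25 { address 10.0.0.11 }
        10.0.0.12:25 { address 10.0.0.12 }
    }
    monitor tcp
}

# Option 1: SNAT automap. Works on a flat subnet because the IronPort replies
# to the LTM self IP, but every connection then arrives from that self IP, so
# the IronPort loses the real sender address and with it per-sender
# reputation, rate limits and statistics (the objection raised in the thread).
ltm virtual vs_smtp_snat {
    destination 10.0.0.100:25
    ip-protocol tcp
    mask 255.255.255.255
    pool ironport_smtp_pool
    profiles { tcp { } }
    source-address-translation { type automap }
}

# Option 2: nPath (direct server return). The LTM forwards the client's packet
# with destination address and port untouched; the IronPort answers the client
# directly, sourcing from the VIP. The fastL4 profile needs loose init/close
# because the LTM only ever sees the client-to-server half of each connection
# and must not reset a flow it cannot fully track.
ltm profile fastl4 fastL4_npath {
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}
ltm virtual vs_smtp_npath {
    destination 10.0.0.100:25
    ip-protocol tcp
    mask 255.255.255.255
    pool ironport_smtp_pool
    profiles { fastL4_npath { } }
    translate-address disabled
    translate-port disabled
    source-address-translation { type none }
}
# Server side (covered by the linked guide; appliance syntax not shown): each
# IronPort must own 10.0.0.100 on a loopback or otherwise non-ARPing
# interface, so it accepts packets for the VIP without answering ARP for it.
# A server that does ARP for the VIP takes it over and traffic bypasses the LTM.
```

Because the LTM never sees the server-to-client half of the stream, nPath rules out any profile or inspection that needs the full connection (TCP proxy, L7 profiles, ASM); that loss of visibility is the trade-off for keeping the client IP intact on the IronPort.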