Forum Discussion

farhad_plasma_3
Jan 29, 2019

Cannot disable snat in iApps

Hi,

I have recently been stuck with an issue on LTM which seems odd. When I set Source Address Translation to None in normal VIPs, client addresses get to the servers just fine, but when I do the same thing for VIPs which I have created using iApp templates with the same configuration, client addresses keep getting translated to the inside interface IP of the LTM. It seems really strange to me because the procedure I take to disable the SNAT for both of them is the same, but I get a different result. I will paste the configuration of both here, and I would appreciate it if someone could help me with this.

===Virtual Setup : without-iapp_vs===

ltm virtual without-iapp_vs {
    destination 192.168.10.60:http
    ip-protocol tcp
    mask 255.255.255.255
    pool without-iapp_pool
    profiles {
        tcp { }
    }
    security-log-profiles {
        "Log all requests"
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 17
}
===Pool Setup : without-iapp_pool===

ltm pool without-iapp_pool {
    members {
        172.16.187.2:http {
            address 172.16.187.2
            session monitor-enabled
            state up
        }
    }
    monitor http-80
}

===Virtual Setup : with-iapp.app/with-iapp_redir_vs===

ltm virtual with-iapp.app/with-iapp_redir_vs {
    app-service /Common/with-iapp.app/with-iapp
    destination 192.168.10.42:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        with-iapp.app/with-iapp_f5-tcp-lan {
            context serverside
        }
        with-iapp.app/with-iapp_f5-tcp-wan {
            context clientside
        }
        http { }
    }
    rules {
        _sys_https_redirect
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 92
}
===Pool Setup : none===

===Virtual Setup : with-iapp.app/with-iapp_vs===

ltm virtual with-iapp.app/with-iapp_vs {
    app-service /Common/with-iapp.app/with-iapp
    destination 192.168.10.42:https
    fallback-persistence with-iapp.app/with-iapp_source-addr-persistence
    fallback-persistence-type source-address
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        with-iapp.app/with-iapp_cookie-persistence {
            default yes
        }
    }
    policies {
        with-iapp.app/with-iapp_policy { }
    }
    pool with-iapp.app/with-iapp_pool
    profiles {
        with-iapp.app/ASM_with-iapp_policy { }
        with-iapp.app/with-iapp_client-ssl {
            context clientside
        }
        with-iapp.app/with-iapp_f5-tcp-lan {
            context serverside
        }
        with-iapp.app/with-iapp_f5-tcp-wan {
            context clientside
        }
        with-iapp.app/with-iapp_http { }
        with-iapp.app/with-iapp_oneconnect { }
        with-iapp.app/with-iapp_optimized-caching { }
        with-iapp.app/with-iapp_server-ssl {
            context serverside
        }
        with-iapp.app/with-iapp_wan-optimized-compression { }
        websecurity { }
    }
    security-log-profiles {
        "Log illegal requests"
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 93
}
===Pool Setup : with-iapp.app/with-iapp_pool===

ltm pool with-iapp.app/with-iapp_pool {
    allow-snat no
    app-service /Common/with-iapp.app/with-iapp
    load-balancing-mode least-connections-member
    members {
        172.16.37.27:https {
            address 172.16.37.27
            app-service /Common/with-iapp.app/with-iapp
            session monitor-enabled
            state up
        }
    }
    monitor https_443
    slow-ramp-time 300
}

2 Replies

  • Ensure that you have turned off strict updates so that this change is actually going through. More info on that here
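
An offline check for the situation in this thread, as an added example that is not part of the original posts or F5's own code: it parses saved `tmsh list` output and reports, per virtual server, the source address translation type, the pool's `allow-snat` value, and the owning app-service. The sample config and its object names are constructed, and the code assumes that an omitted `source-address-translation` stanza means type none and an omitted `allow-snat` means yes.

```python
import re
# Constructed sample in the style of `tmsh list ltm virtual` / `ltm pool` output.
SAMPLE = """\
ltm virtual plain_vs {
    pool plain_pool
    profiles {
        tcp { }
    }
}
ltm virtual demo.app/demo_vs {
    app-service /Common/demo.app/demo
    pool demo.app/demo_pool
    source-address-translation {
        type automap
    }
}
ltm pool demo.app/demo_pool {
    allow-snat no
}
"""

def parse(text):
    """Return {(kind, name): top-level props} for 'ltm virtual|pool' stanzas."""
    objs, cur, depth, section = {}, None, 0, None
    for s in map(str.strip, text.splitlines()):
        if depth == 0:  # only a stanza header is meaningful outside a block
            m = re.match(r"ltm (virtual|pool) (\S+) \{$", s)
            if m:
                cur, depth = objs.setdefault(m.groups(), {}), 1
            continue
        depth += s.count("{") - s.count("}")
        if s.endswith("{"):
            section = section or s[:-1].strip()  # remember outermost nested block
        elif s == "}" and depth <= 1:
            section = None
        elif section == "source-address-translation" and s.startswith("type "):
            cur["sat"] = s.split()[1]
        elif section is None and " " in s:
            cur.update([s.split(None, 1)])  # top-level "key value" property
    return objs

def snat_audit(text):
    """Per virtual: SNAT type, pool allow-snat, and owning app-service (if any)."""
    objs = parse(text)
    return {name: {
        "sat": v.get("sat", "none"),  # assumption: omitted stanza means type none
        "pool_allow_snat": objs.get(("pool", v.get("pool")), {}).get("allow-snat", "yes"),  # assumed default
        "iapp": v.get("app-service"),  # set when an application service owns the object
    } for (kind, name), v in objs.items() if kind == "virtual"}
```

Running `snat_audit` on saved output for both the iApp-built and the hand-built virtual server puts the three fields side by side, and a non-empty `iapp` value marks the objects that the strict updates setting applies to.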

     

  • I closed the case. Unfortunately, we were not able to continue with the analysis because, due to the incident, they deactivated the environment with APM. We're returning now and reconnects continue to occur less frequently.