101 · Question #609
10:20:37.00749: IP 199.16.255.254.36664>10.0.1.10 http : flags (s) seq 700424862, Win 29200 A website is fronted by a toad balancer that implements a full proxy architecture with SNAT enabled Behind t
The correct answer is C. load balancer. With SNAT enabled on a full-proxy BIG-IP, backend nodes see the load balancer's SNAT address as the source IP, not the original client IP.
Question
10:20:37.00749: IP 199.16.255.254.36664>10.0.1.10 http : flags (s) seq 700424862, Win 29200 A website is fronted by a toad balancer that implements a full proxy architecture with SNAT enabled Behind the load balancer there are bro nodes. Node1 and Node2 She administrator is debugging an issue on node1 using icpdump and records the above out about a received packet of watch device does the IP address 192.168.265.254 belong?
Options
- Anode2
- Bnode1
- Cload balancer
- Dweb Client
How the community answered
(37 responses)- A24% (9)
- B5% (2)
- C59% (22)
- D11% (4)
Why each option
With SNAT enabled on a full-proxy BIG-IP, backend nodes see the load balancer's SNAT address as the source IP, not the original client IP.
Node2 is a sibling backend pool member and would not be the source of a new inbound HTTP SYN packet arriving at Node1 under normal load balancing operation.
Node1 is the device where tcpdump is running - it cannot be the source of a packet it is receiving from the network.
When SNAT is enabled on a BIG-IP full proxy, the device replaces the original client's source IP address with its own SNAT IP before forwarding the connection to the selected backend node. This means that the source IP observed in the tcpdump on Node1 (199.16.255.254 in the capture) belongs to the load balancer, not the web client. This is a defining behavior of SNAT - backend servers never see the real client IP unless an X-Forwarded-For header or iRule is used to preserve it.
The web client's original source IP is hidden from Node1 because SNAT replaces it with the load balancer's address before the packet is forwarded to the backend.
Concept tested: BIG-IP SNAT source IP substitution in full proxy mode
Source: https://support.f5.com/csp/article/K7336
Topics
Community Discussion
No community discussion yet for this question.