Load balanced packets don't arrive at a server when source IP is global

R May 20 Reputation points
2023-09-26T09:53:41.48+00:00

Hi experts, I need to fix a network issue.

Simple diagram:

[http client] ------------------ [Load Balancer] ------------------ [http server]

The LB exposes global IP on internet side (external-subnet) and receives http requests from the client.

The LB establishes a different connection with the http server and requests http content on behalf of the client.

The LB has a NIC with private IP for communicating server-side connection.

The LB can be configured to use either the private IP or client IP for the source IP for the server-side connections.

When I use the private IP for source IP, TCP and HTTP packets successfully arrive at the http server and the client can get a response.

However, when I use the client IP (global IP) for the source IP at the server-side, packets don't arrive at the http server.

Packet capture on the server-side LB NIC shows that the first SYN packet from client global IP to the http server was sent but the packet didn't arrive at the http server (I took a capture on http server too).

First I thought the network security group for internal NICs was dropping the packet from global, but there is a rule that allows port 80 requests from ANY source IP.

An odd thing is that the packet emitted from the LB disappears between the LB and the http server.

Could components other than the NSG be the reason for this loss?

Azure Virtual Network

Accepted answer
  1. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2023-10-04T17:41:54.0133333+00:00

    Hello @R May,

    You were testing the F5 BIG-IP Load balancer on Azure and were facing some issues with packet drops. The load balancer has a NIC with private IP, but it can be configured to use either the private IP or client IP for the source IP for the server-side connections. When you were using the private IP for source IP, TCP and HTTP packets were successfully arriving at the server and the client was getting a response. However, when you tried using the client IP (global IP) for the source IP at the server-side, packets weren't arriving at the server.

    You found it to be an Azure configuration issue and were able to resolve it.

    You needed to enable the "IP forwarding" option for the internal NIC and set up a UDR directing the default route to the load balancer's internal IP.

    Thank you for sharing the resolution.

    Since the F5 BIG-IP Load balancer is deployed as a Virtual machine instance in Azure which has a NIC with private IP and is responsible for forwarding network traffic to an address other than its own, the IP forwarding option must be enabled.

    I checked the Multi-NIC F5 BIG-IP deployment in Azure Vnet document and it looks like it has IP forwarding mentioned but only in the Azure CLI commands. So, this setting may have been missed in your initial deployment.

    Refer: https://clouddocs.f5.com/cloud/public/v1/azure/Azure_multiNIC.html#create-additional-network-interfaces

    IP forwarding enables a NIC attached to a VM to:

    • Receive network traffic not destined for any of the IP addresses assigned in any of the NIC's IP configurations.
    • Send network traffic with a different source IP address than is assigned in any of the NIC's IP configurations.

    You must enable IP forwarding for every NIC attached to the VM that needs to forward traffic. A VM can forward traffic whether it has multiple NICs or a single NIC attached to it.

    IP forwarding is typically used with user-defined routes.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#enable-or-disable-ip-forwarding

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#user-defined

    Kindly let us know if you need further assistance on this issue.


    Please don’t forget to close the thread by clicking "Accept the answer", as this can be beneficial to other community members.

    1 person found this answer helpful.
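
The two settings named in the accepted answer can be checked offline from exported resource JSON. The following is an added example, not part of the original thread or of F5's or Microsoft's documentation: it audits a NIC for IP forwarding and uses longest-prefix matching over a subnet's user-defined routes to see where the server's replies to a client IP would go. The field names are assumed to match Azure CLI JSON output; the resource names and addresses are constructed.

```python
import ipaddress
import json

# Constructed sample data shaped like `az network nic show` and
# `az network route-table show` output; all names and addresses are made up.
LB_INTERNAL_NIC = json.loads("""{
  "name": "lb-internal-nic", "enableIPForwarding": false,
  "ipConfigurations": [{"privateIPAddress": "10.0.2.4"}]}""")
SERVER_SUBNET_ROUTES = json.loads("""{
  "name": "server-subnet-rt",
  "routes": [{"name": "to-onprem", "addressPrefix": "192.168.0.0/16",
              "nextHopType": "VirtualNetworkGateway"}]}""")

def reply_next_hop(route_table, client_ip):
    """Longest-prefix match of client_ip over the UDRs; None means no UDR
    matches and the subnet's system routes handle the reply."""
    dst = ipaddress.ip_address(client_ip)
    hits = [r for r in route_table.get("routes", [])
            if dst in ipaddress.ip_network(r["addressPrefix"])]
    if not hits:
        return None
    best = max(hits, key=lambda r: ipaddress.ip_network(r["addressPrefix"]).prefixlen)
    return best["nextHopType"], best.get("nextHopIpAddress")

def audit(nic, route_table, client_ip):
    """Return a list of findings; an empty list means both settings are in place."""
    findings = []
    lb_ips = {c["privateIPAddress"] for c in nic["ipConfigurations"]}
    if not nic.get("enableIPForwarding"):
        findings.append(f"{nic['name']}: IP forwarding is off, so packets sourced "
                        f"from {client_ip} cannot leave this NIC")
    hop = reply_next_hop(route_table, client_ip)
    if hop is None or hop[0] != "VirtualAppliance" or hop[1] not in lb_ips:
        findings.append(f"{route_table['name']}: replies to {client_ip} are not "
                        f"routed to the load balancer (next hop: {hop})")
    return findings

def fixed_config():
    """The same resources after applying the two changes from the answer."""
    nic = dict(LB_INTERNAL_NIC, enableIPForwarding=True)
    routes = SERVER_SUBNET_ROUTES["routes"] + [
        {"name": "default-via-lb", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.4"}]
    return nic, dict(SERVER_SUBNET_ROUTES, routes=routes)

if __name__ == "__main__":
    for line in audit(LB_INTERNAL_NIC, SERVER_SUBNET_ROUTES, "203.0.113.10"):
        print("FINDING:", line)
    print("after fix:", audit(*fixed_config(), "203.0.113.10"))
```

The first finding corresponds to the SYN that never reached the server; the second covers the return path, which must pass back through the load balancer so it can answer the client from its own address.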