I ran a capture for a customer who has a server farm sitting behind an F5 load balancer. Based on my position in the network, I captured all traffic to/from the VIP but am unable to find a way to see the actual IP of the server in the farm that sent any particular packet. I'm not sure it's possible from a capture, but we did see a lot of TCP window full messages from the VIP, so I'm trying to see if it is the F5 sending the window full message, or if there's a way to see which server is sending it.

asked 18 Nov '15, 14:27 fnngswk
One Answer:
It depends :-)

In general it is hard to identify a node behind a loadbalancer, especially if the loadbalancer terminates the connection, meaning it is using a TCP proxy and/or any other proxy (HTTP, SMTP, etc.). But sometimes even then the real servers reveal themselves by using their name in HTTP headers or individual timestamps in the protocols (combined with a time glitch on the real servers) etc.

In your case, it depends on the F5 configuration. If it's 'pure' TCP balancing, without any advanced TCP features enabled on the loadbalancer, it's going to be hard to tell which node it is. The best you can do is to capture on the F5 itself on the external and internal interface in parallel. By comparing the two capture files, you should be able to match an external connection to an internal one.

Regards

answered 19 Nov '15, 03:55 Kurt Knochner ♦ edited 19 Nov '15, 03:57
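One way to do the comparison of the two capture files described in the answer, as an added example that is not part of the original post: pair each client-side flow with the server-side flow that carries the same first request shortly afterwards. It assumes the F5 forwards the payload unmodified, that both captures share the F5's clock, and that per-packet records have already been exported from the captures; the function names, addresses and sample records are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed per-packet records, as could be exported from each capture:
# (epoch_time, src_ip, src_port, dst_ip, dst_port, tcp_payload). Addresses are made up.
REQ_A, REQ_B = b"GET /a HTTP/1.1\r\n\r\n", b"GET /b HTTP/1.1\r\n\r\n"
VIP, POOL = "203.0.113.10", {"192.0.2.11", "192.0.2.12"}
EXTERNAL = [  # client <-> VIP
    (100.000, "198.51.100.7", 50001, VIP, 80, REQ_A),
    (100.050, VIP, 80, "198.51.100.7", 50001, b"HTTP/1.1 200 OK\r\n\r\n"),
    (100.200, "198.51.100.8", 50002, VIP, 80, REQ_A),
    (100.300, "198.51.100.9", 50003, VIP, 80, REQ_B),
]
INTERNAL = [  # F5 self IP <-> pool member
    (100.002, "192.0.2.1", 40001, "192.0.2.11", 80, REQ_A),
    (100.203, "192.0.2.1", 40002, "192.0.2.12", 80, REQ_A),
    (100.301, "192.0.2.1", 40003, "192.0.2.11", 80, REQ_B),
]

def first_requests(packets, server_ips):
    """Per flow towards server_ips: (time, digest) of the first payload-carrying packet."""
    flows = {}
    for ts, src, sport, dst, dport, payload in sorted(packets, key=lambda p: p[0]):
        if dst in server_ips and payload:
            flows.setdefault((src, sport, dst, dport),
                             (ts, hashlib.sha256(payload).hexdigest()))
    return flows

def match_flows(external, internal, vip, pool, max_delay=0.5):
    """Map each external flow to the pool member that received the same first
    request shortly afterwards. Identical requests are told apart by timing."""
    by_digest = defaultdict(list)
    for key, (ts, digest) in first_requests(internal, pool).items():
        by_digest[digest].append((ts, key))
    matched, used = {}, set()
    ext = sorted(first_requests(external, {vip}).items(), key=lambda kv: kv[1][0])
    for ext_key, (ext_ts, digest) in ext:
        candidates = [(int_ts - ext_ts, int_key)
                      for int_ts, int_key in by_digest[digest]
                      if int_key not in used and 0 <= int_ts - ext_ts <= max_delay]
        if candidates:
            delay, int_key = min(candidates)
            used.add(int_key)
            matched[ext_key] = int_key[2]  # destination IP = real server
    return matched

if __name__ == "__main__":
    for flow, server in match_flows(EXTERNAL, INTERNAL, VIP, POOL).items():
        print(flow, "->", server)
```

If the F5 rewrites or decrypts the payload, the digests will not line up and only the timing comparison remains usable.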