TCP-proxy Client-IP

In a common setup:

slb server PROXY1 <some_private_ip>
   stuff
slb server PROXY2 <other_private_ip>
   stuff
slb service-group MY_PROXY
   member PROXY1 <port/s>
   member PROXY2 <port/s>
slb virtual-server MYVIP <some_public_ip>
   port <port/s> TCP
      service-group MY_PROXY

Client connects to <some_public_ip>, and the ADC does the NAT (Destination NAT, rather than SourceNAT) to the private IPs inside/behind the ACOS device. So on the outside, you route to the public_IP, and on the inside, you set the ADC as the default gateway of the inside hosts. For most topologies in use today (L3 Routed w/o SNAT, L3 Routed w/ SNAT, and L2 One Arm Mode), ACOS is doing DNAT.

Yes, I have totally the same configuration as you described. But traffic didn’t route from <some_public_ip> to some_private_network until I enabled the Source-NAT configuration. That’s my problem now. I also have two interfaces in my ADC, one with a public IP and another one with a private IP. Can you suggest some ideas?

To understand what is going on, we need to have the interface configuration information from both the proxy and the A10 and the routing table on both.

Configuration on the server where Envoy proxy is installed:
2 interfaces - public - ip network 212.32.x.x and private - ip network 10.201.0.x.
routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface

0.0.0.0         212.32.x.x  0.0.0.0         UG    0      0        0 eth4
10.0.0.0        0.0.0.0         255.128.0.0     U     0      0        0 br-bdfaffd0acf2
10.201.0.0      0.0.0.0         255.255.252.0   U     0      0        0 eth5
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
212.32.252.64   0.0.0.0         255.255.255.192 U     0      0        0 eth4

Configuration on the ADC side:
2 interfaces - ethernet1 and ethernet2

ethernet1 - 212.32.x.x/27 - public interface with static ip which I use to access ADC web ui
ethernet2 - 10.201.0.250/22 private interface to communicate with private network.

Routing map on ADC:

0.0.0.0	0.0.0.0	212.32.252.158	ethernet 1 Static
212.32.252.128	255.255.255.224	0.0.0.0	ethernet 1 Connected

ADC was set up in gateway mode.
VRRP-A isn’t used.
What other information do you need?

If this route on the Envoy: 0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4 points towards the IP address of the A10 ADC, then it should work, unless something on your network is doing Proxy-ARP. As the A10 does not have interfaces in the private IP range, you need to point the:

slb server PROXY1 <some_private_ip>
  stuff
slb server PROXY2 <other_private_ip>
   stuff

towards the public IP of the Envoy servers. Best is to do a packet trace on both the Envoy and the A10 so you can follow exactly what is happening.
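
An added example, not part of the original thread: a longest-prefix-match check of which next hop the Envoy host picks for its reply to a client, run over the routing table posted above. With Destination NAT and no Source NAT the reply has to go back through the ADC; `203.0.113.1` is a placeholder for the elided hoster gateway, `198.51.100.7` is a constructed client address, and the function names are hypothetical.

```python
import ipaddress

# Envoy host routes as posted in the thread: (dest, genmask, gateway, iface).
# 203.0.113.1 is a placeholder for the elided hoster gateway 212.32.x.x.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1", "eth4"),
    ("10.0.0.0", "255.128.0.0", "0.0.0.0", "br-bdfaffd0acf2"),
    ("10.201.0.0", "255.255.252.0", "0.0.0.0", "eth5"),
    ("172.17.0.0", "255.255.0.0", "0.0.0.0", "docker0"),
    ("212.32.252.64", "255.255.255.192", "0.0.0.0", "eth4"),
]
ADC_INSIDE_IP = "10.201.0.250"  # ethernet2 on the ADC, from the thread


def lookup(routes, dst):
    """Longest-prefix match: (gateway, iface) the host would use for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_returns_via_adc(routes, client_ip, adc_ip=ADC_INSIDE_IP):
    """True if the reply to client_ip is handed to the ADC as next hop."""
    gw, _ = lookup(routes, client_ip)
    next_hop = client_ip if gw == "0.0.0.0" else gw  # 0.0.0.0 means on-link
    return next_hop == adc_ip


def with_default_gateway(routes, gateway, iface):
    """Copy of routes with the default route pointed at gateway/iface."""
    return [(d, m, gateway, iface) if (d, m) == ("0.0.0.0", "0.0.0.0")
            else (d, m, g, i) for d, m, g, i in routes]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed client address
    fixed = with_default_gateway(ROUTES, ADC_INSIDE_IP, "eth5")
    for name, table in (("as posted", ROUTES), ("default via ADC", fixed)):
        print(name, lookup(table, client), reply_returns_via_adc(table, client))
```
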

0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4

No, this route isn't to the ADC; it is to some device from our hoster. I'm now trying to get information from our hoster about what it is. So I assume this is our global issue.

Change the default gateway on the server with Envoy to A10 IP. Now I don’t know how to set up A10 in transparent mode, can you help?

You do not need to set the A10 into transparent mode.
I’m afraid this is not something that can easily be fixed using the forum.

Somebody needs to have a look at the total setup and suggest how all devices should be configured.

I strongly suggest you contact an A10 account team in your region so they can discuss the options to solve this.

You can find local contact details here: https://www.a10networks.com/company/contact-us

Do you know if the AX1030 ADC uses the HA Proxy PROXY protocol to send the client IP through TCP?
I mean option Insert Client IP in Config Mode > SLB > Template > TCP Proxy.

Unfortunately, no, the A10 does not support the HA Proxy PROXY Protocol.

It could possibly be built in aFlex, but that then requires the port type HTTP.

The option Client IP in the template TCP Proxy uses the TCP Options. https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml