Re: [load balancing] F5 Big-Ip Load Balancer

From: <Vince.Power [izzat]>
Date: Mon May 14 2007 - 12:28:11 EDT

We use lots of "one-arm configurations" around here, which have our
BIG-IPs and Radware devices just hanging off of a switch like any other
We have learned that we need to enable SNAT on the virtual server to ensure
that all traffic is routed back out through the VIP. SNAT is an advanced
config option on the virtual server edit screen in the Web Interface.

Here is a basic configuration that you can use as a base for your set-up;
it should work (the IPs will need to be updated):

node {
   screen server1
}
node {
   screen server2
}
node {
   screen server3
}
pool web-app {
   monitor all http
}
virtual web-app {
   snat automap
   ip protocol tcp
   profile http
   pool web-app
}


From: "Wesley North"
Sent by: "Load Balancing Mailing List"
Date: 05/14/2007 12:52 PM
Subject: Re: [load balancing] F5 Big-Ip Load Balancer
Please respond to: Load Balancing Mailing List

So the SNAT would be set on the servers in the pool; it would be another IP
address on the same VLAN so that when the servers initiate a request
(egress) they are sourced as a different IP address. Now in this scenario,
I am not 100% sure the SNAT will solve anything, and come to think of it,
you aren't dealing with VIP bounce back, because the clients are not on the
same VLAN correct?

I know this is somewhat silly to ask, but do you have any health checks
hitting the pool? If so, are the nodes up or down? The VIP will stop
responding to network traffic if the default pool, or whatever pool is
referenced, say in an iRule, are no longer available, whether they are
disabled or the health checks (ECV) have stopped working. Check that
setting. Given that the VIP and servers are on the same VLAN, the last hop
pool and/or SNAT may not solve anything, and probably won't since you
don't have a routing issue. What's going on, it appears, is that your VIP
is disabled because the members in the pool are not active.

Let me know what you find.


On 5/14/07, Andrew Espinosa wrote:
  Thank you for your reply. You are correct in that I do have the VIP and
  the servers to be load balanced on the same subnet. Could you give me
  some direction on creating the SNAT or last hop pool? I'm very new to
  configuring load balancers or at least the F5 one. I do see the option
  for last hop pool on the virtual server and the option it gives me is
  the name of my pool. On the SNAT I wasn't sure what IP information I
  should enter as well.

  We have only a single F5.

  I can't telnet to the virtual IP but I'm able to reach the self-ip. When
  I run ARP from the console window the only entries I show are for my
  servers. I'll dig a little deeper on the switch to see if I can find
  anything there. I was able to ping the virtual server IP at one time but
  I deleted it and recreated it with a new name and ever since I've been
  unable to ping it.

  Thanks again for your reply.

  Andrew Espinosa, MCSE / MCSA
  Systems Engineer

  From: [] On Behalf Of
  Wesley North
  Sent: May 11, 2007 7:17 PM
  To: Load Balancing Mailing List
  Subject: Re: [load balancing] F5 Big-Ip Load Balancer

  First off it sounds like you are dealing with a VIP bounce back scenario,
  where both the servers and VIP reside on the same network. You should
  look at putting a SNAT on the servers, or possibly setting up a last hop
  pool on the VIP. This way the traffic flow will be correct and you won't
  have any routing loops. Can you access the port of the VIP ( e.g. telnet
  to the socket)?

  What is odd is that you can't ping the VIP but can ping the self-ip, do
  you have 2 bigip's in a primary standby configuration? Or just a single

  If you can't ping the VIP, I would verify what the arp tables look like
  on the F5 and your network gear, perhaps there is some MAC address


  On 5/11/07, Andrew Espinosa wrote:

  Hi all,

  I found this list via a Google search and I'm hoping someone can help
  me. I recently inherited an F5 Big-IP LTM v9.1.2 load balancer and am
  attempting to do a simple configuration, or so I think.

  I have 3 servers on a DMZ attached to a switch and I also have the F5
  attached to the same switch. All devices are on the same subnet,
  192.168.199.x / 24.

  I created a VLAN and gave it a self-ip address in the subnet range listed
  above; created a virtual server with a different IP but on the same
  subnet; created a pool and added the nodes to be load balanced. The
  router handles the NAT'ing of the public IP which maps to the IP
  address I assigned the virtual server.

  I can ping the Self-IP I gave the VLAN as well as all the nodes but
  cannot ping the virtual server IP.

  Additionally I set the default gateway on the DMZ servers to the self-Ip
  assigned to the VLAN.

  I may have it all screwed up as I am very new to hardware load balancing.
  Can anyone give me some pointers as to what I should look at or maybe
  configure differently?


  Andrew Espinosa, MCSE / MCSA
  Systems Engineer

  lb-l mailing list
  Searchable Archive: Load Balancing Digest

Received on Mon May 14 12:28:39 2007
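
Added example (not part of the original thread and not F5 code): a small Python model of the one-arm return path discussed above, showing when a pool member's reply goes back through the BIG-IP and when it bypasses it. The subnet is the one given in the thread; every host address, the `OneArm` class and `return_path` are constructed for illustration, and the model assumes a client only accepts a reply whose source is the VIP.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class OneArm:
    subnet: str     # VLAN shared by the BIG-IP and the servers
    vip: str        # virtual server address
    self_ip: str    # BIG-IP self-IP on that VLAN (source used by SNAT automap)
    server: str     # pool member that received the connection
    server_gw: str  # default gateway configured on that server

def return_path(net: OneArm, client: str, snat_automap: bool) -> dict:
    """Trace one request/reply and report whether the client accepts the reply."""
    lan = ipaddress.ip_network(net.subnet)
    # Inbound: the BIG-IP rewrites destination VIP -> server. With SNAT it
    # also rewrites the source client -> self-IP.
    src_seen = net.self_ip if snat_automap else client
    # Outbound: the server answers the source it saw, directly if that
    # address is on-link, otherwise through its default gateway.
    on_link = ipaddress.ip_address(src_seen) in lan
    next_hop = src_seen if on_link else net.server_gw
    via_bigip = next_hop == net.self_ip
    # Only the BIG-IP holds the connection state needed to translate the
    # reply source from the server address back to the VIP.
    reply_src = net.vip if via_bigip else net.server
    return {"next_hop": next_hop, "via_bigip": via_bigip,
            "reply_src": reply_src, "client_accepts": reply_src == net.vip}

# Constructed sample addresses inside the thread's 192.168.199.x/24 subnet.
NET = OneArm(subnet="192.168.199.0/24", vip="192.168.199.100",
             self_ip="192.168.199.5", server="192.168.199.11",
             server_gw="192.168.199.1")       # gateway is the router
NET_GW_SELF = replace(NET, server_gw=NET.self_ip)  # gateway is the BIG-IP

if __name__ == "__main__":
    cases = [("routed client, no SNAT", NET, "203.0.113.20", False),
             ("routed client, SNAT automap", NET, "203.0.113.20", True),
             ("same-VLAN client, no SNAT", NET, "192.168.199.50", False),
             ("same-VLAN client, SNAT automap", NET, "192.168.199.50", True),
             ("routed client, gateway = self-IP", NET_GW_SELF, "203.0.113.20", False)]
    for label, net, client, snat in cases:
        print(f"{label:34} {return_path(net, client, snat)}")
```

The same-VLAN case without SNAT is the "VIP bounce back" situation: the server answers the client directly, so the reply arrives from the server's own address instead of the VIP.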

This archive was generated by hypermail 2.1.8 : Mon May 14 2007 - 12:28:39 EDT