Re: [load balancing] F5 configuration help is needed

From: Chris Miller <CMiller [izzat] directs.com>
Date: Mon Sep 21 2009 - 12:45:14 EDT

Eric,

That's a typical situation with Load Balancing. Radware calls it ClientNAT and F5 uses SNAT. The issue occurs if you have a VS with IP like 10.10.20.1 load balancing servers at 10.10.10.1 and 10.10.10.2 and server 10.10.10.3 wants to access it. 10.10.10.3 will send a SYN Packet to 10.10.20.1. The LTM will send that to server 10.10.10.1. Now, because 10.10.10.1 sees 10.10.10.3 as the source IP and knows it's in the same subnet, it responds without going through the LTM. 10.10.10.3 now sees a Syn, Ack come from 10.10.10.1 instead of 10.10.20.1 as it expects.

As far as the catch-all, a typical outbound wildcard VS would be needed. Then, just creating forwarding VSes for everything else.

For the SSH issue you describe, assuming neither end is sending keep-alive packets, you could just create an iRule for traffic destined for port 22 to have a longer timeout. Or, just create a new tcp profile for it.

Chris Miller

-----Original Message-----
From: lb-l-bounces@vegan.net [mailto:lb-l-bounces@vegan.net] On Behalf Of Rosenberry, Eric
Sent: Monday, September 21, 2009 11:29 AM
To: Load Balancing Mailing List
Subject: Re: [load balancing] F5 configuration help is needed

We actually have our F5 deployed in this manner, but one major issue for us is that without SNAT turned on, if you have one server on the subnet that needs to access another service through the F5 (that gets directed to other servers on the same subnet) then the packets end up flowing in a triangle and it does not work.

That being said, it can be a good solution for the right environment!

Also, I have not tested this myself, but when you set the F5 to be the default gateway I believe you have to create a catch-all virtual server (I forget the right terminology) to "route" packets that are not part of an established connection through the load balancer. I have heard complaints from my co-workers that even when they had done this in the past, they had issues with idle SSH sessions timing out due to the way the F5 handled things.

-Eric

-----Original Message-----
From: lb-l-bounces@vegan.net [mailto:lb-l-bounces@vegan.net] On Behalf Of Kenneth Salchow
Sent: Monday, September 21, 2009 9:12 AM
To: Load Balancing Mailing List
Subject: Re: [load balancing] F5 configuration help is needed

Tony--

Thanks for pointing out the default route option--it's one many people forget about--just because the BIG-IP is not *really* the outbound router doesn't mean it can't forward packets. Even if the servers in question may handle other services that don't go through the BIG-IP on the inbound, if you add a wildcard VS on the BIG-IP, it will still allow those services to work on the outbound--you just get an extra hop.

Anyway--good call Tony! :-)

KJ (Ken) Salchow, Jr. | Manager, Technical Marketing D 651.423.1133 M 612.868.1258 P 206.272.5555 F 206.272.5555 www.f5.com

-----Original Message-----
From: lb-l-bounces@vegan.net [mailto:lb-l-bounces@vegan.net] On Behalf Of Tony Bourke
Sent: Friday, September 18, 2009 6:20 PM
To: Load Balancing Mailing List
Subject: Re: [load balancing] F5 configuration help is needed

Hello Sezen,

Basically, we need to accomplish two things with this. We need to ensure traffic hits the F5 on the way in, and traffic hits the F5 on the way out.

As mentioned, there's the option of doing a SNAT, basically making all inbound web requests appear to the web servers to be coming from the F5 itself. Since the servers respond to the F5 directly, we ensure traffic hits the F5 on the way in and on the way out.

Also, you can make the F5 the default gateway for your servers. That way, traffic hits the F5's VIP, gets forwarded to the server, the servers respond to the client, but use the F5 as the default gateway. This ensures traffic goes through the F5 on the way out. The F5 uses its default gateway (your upstream router or firewall) and forwards the traffic onto the client. The true source IP address of the client is preserved in this scenario (it is not in the SNAT scenario).

Tony

sezen eren wrote:
> Hi all,
>
> I have an F5 installed in our system and I need to configure it.
>
> the servers behind F5 will be in the same address range as all the
> servers in the network, there will be no private VLAN behind F5,
> therefore I cannot implement NAT for the pool members, so I cannot
> forward traffic to these hosts?
>
> Since there will be no private internal vlan, I guess I need to use
> only external vlan and all traffic from outworld to F5 and from pool
> members to F5 shall go to external vlan.
>
> one more thing F5 doesn't let me set a management IP in the range of
> self IPs? I need to configure the management IP in the same range because I
> have been given a /25 IP range to use for everything: traffic, management
> bla bla :), how could I set this management IP within the self IPs range?
>
> I would appreciate it if any of you can share configuration files of such
> a structure?
>
> br
> //sezen
>
> _______________________________________________
> lb-l mailing list
> lb-l@vegan.net
> http://vegan.net/mailman/listinfo/lb-l
> Searchable Archive: http://vegan.net/lb/archive http://lbdigest.com
> Load Balancing Digest http://lbwiki.com Load Balancing Wiki
>
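The triangular-routing failure Chris and Eric describe above (a server on the pool members' own subnet talks to the VS, and the SYN/ACK comes straight back from the member instead of from the VS), together with the two fixes Tony lists (SNAT, or making the F5 the servers' default gateway), as an added Python model that is not part of the thread and not F5 code. It uses Chris's example addresses (pool on 10.10.10.0/24, VS 10.10.20.1); the LTM self IP, the upstream router address and the off-subnet client are assumed values chosen for the model.

```python
"""Trace where a pool member's SYN/ACK goes under the designs discussed in the thread."""
import ipaddress

# Constructed addresses. Pool members and the VS follow Chris Miller's example;
# the LTM self IP and the upstream router are assumptions for this model.
SERVER_SUBNET = ipaddress.ip_network("10.10.10.0/24")
LTM_SELF_IP = ipaddress.ip_address("10.10.10.254")
UPSTREAM_ROUTER = ipaddress.ip_address("10.10.10.253")
VS_IP = ipaddress.ip_address("10.10.20.1")
POOL = [ipaddress.ip_address("10.10.10.1"), ipaddress.ip_address("10.10.10.2")]


def server_next_hop(dst, default_gw):
    """A pool member delivers on-subnet destinations directly; everything else goes via its default gateway."""
    return "direct" if dst in SERVER_SUBNET else default_gw


def trace(client, snat=False, server_default_gw=UPSTREAM_ROUTER):
    """Describe the return path of the SYN/ACK and whether the handshake completes.

    Inbound: the client sends a SYN to VS_IP and the LTM forwards it to a pool member.
    Return:  the member answers whatever source address it saw in the SYN.
    """
    client = ipaddress.ip_address(client)
    member = POOL[0]  # the LTM picks a pool member
    # With SNAT the member sees the LTM's self IP as the source of the SYN.
    src_seen_by_member = LTM_SELF_IP if snat else client
    hop = server_next_hop(src_seen_by_member, server_default_gw)

    if snat:
        # Reply is addressed to the LTM itself; the LTM undoes both translations,
        # so the client gets a SYN/ACK from VS_IP. The server never sees the client IP.
        via_ltm, reply_src = True, VS_IP
    elif hop == LTM_SELF_IP:
        # No SNAT, but the member's default gateway is the LTM: the reply transits
        # the LTM, which rewrites the source back to VS_IP. Client IP is preserved.
        via_ltm, reply_src = True, VS_IP
    else:
        # Reply goes direct (client on the same subnet) or through another router:
        # the LTM never sees it and the client gets a SYN/ACK from the member's IP.
        via_ltm, reply_src = False, member

    return {
        "reply_via_ltm": via_ltm,
        "reply_src_seen_by_client": str(reply_src),
        # The client expects the SYN/ACK from the address it sent the SYN to.
        "handshake_completes": reply_src == VS_IP,
        "client_ip_visible_to_server": src_seen_by_member == client,
    }


if __name__ == "__main__":
    cases = [
        ("same-subnet client, no SNAT, gw=router", "10.10.10.3", False, UPSTREAM_ROUTER),
        ("same-subnet client, no SNAT, gw=LTM", "10.10.10.3", False, LTM_SELF_IP),
        ("same-subnet client, SNAT", "10.10.10.3", True, UPSTREAM_ROUTER),
        ("remote client, no SNAT, gw=router", "192.0.2.10", False, UPSTREAM_ROUTER),
        ("remote client, no SNAT, gw=LTM", "192.0.2.10", False, LTM_SELF_IP),
    ]
    for label, client, snat, gw in cases:
        print(f"{label:42s} {trace(client, snat, gw)}")
```

The second case is Eric's point: making the F5 the default gateway fixes the outbound path for remote clients, but a client on the pool members' own subnet still gets the SYN/ACK directly from the member, because the member's connected route wins over its default gateway. Only SNAT (or moving that client off the subnet) closes the triangle, at the cost of the server no longer seeing the client's real address.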


Received on Mon Sep 21 12:45:24 2009

This archive was generated by hypermail 2.1.8 : Mon Sep 21 2009 - 12:45:24 EDT