Forum Discussion
Network_69318
Nimbostratus
Jul 13, 2011
BIG-IP LTM 6400: Direct access on real servers
Hi,
We have two BIG-IP LTM 6400s in active/standby configuration mode.
We've configured many Virtual Servers, but we can't connect directly to the real servers.
The virtual network is on the 1.6 interface and the real server network is on the 1.8 interface.
Below is tcpdump's output on the master BIG-IP:
14:48:17.676949 802.1Q vlan240 P0 CLIENT.51704 > SERVER.http: S 2466261397:2466261397(0) win 65535 (DF) [tos 0x10]
14:48:18.581313 802.1Q vlan240 P0 CLIENT.51704 > SERVER.http: S 2466261397:2466261397(0) win 65535 (DF) [tos 0x10]
I only see "SYN" packets, and the real servers receive nothing.
I enabled "net.ipv4.ip_forward", but I still can't go directly to the nodes.
Thank you,
Regards
Daniele
4 Replies
- hoolio
Cirrostratus
Hi Daniele,
See this solution for options for allowing admin access to pool members or other hosts behind LTM:
sol7229: Methods of gaining administrative access to nodes through the BIG-IP system
http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7229.html
A virtual server is generally the preferred method as it gives the most visibility and control over the connections.
Aaron
- The_Bhattman
Nimbostratus
Hi Daniele,
Keep in mind that the traffic is matched by the most specific IP forwarding virtual server. For example, if you have IP forwarding virtual servers of 0.0.0.0:22 and 0.0.0.0:0, then the SSH traffic will match the most specific one defined.
Bhattman
- Hamish
Cirrocumulus
For all my internal load-balancing VLANs where the LTM is the default gateway, I ALWAYS configure a wildcard (port 0) network virtual server of type forwarding for INBOUND admin traffic. That's usually enabled on all VLANs... (There are exceptions, but they're not important here.)
I tend to do the same for DMZ LTMs. But the VSs are usually configured so that ALL traffic BETWEEN, TO or FROM VLANs/DMZs is passed via the firewalls...
Then only the firewall needs to be concerned with whether traffic is allowed to pass from one network to another. The F5 is a load balancer (OK, Application Delivery Controller :), not a firewall.
Oh... 'More Specific' is a tricky subject with LTM... The definition changed from v4 to v9... In v9 the priority is on matching the MASK, not the port... See https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6459.html (although I'm guessing not many people would be coming from v4 nowadays :)
H
- Network_69318
Nimbostratus
Thanks to all.
Daniele
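Putting Bhattman's and Hamish's replies together, here is an added illustration that is not F5 code and was not part of the thread: a small Python model of the v9+ virtual-server order of precedence (host:port, host:*, network:port, network:*, *:port, *:*), in which the destination mask is compared first and the port only breaks ties between equal masks, with VLAN enablement layered on top. The addresses, VLAN names and virtual-server names are constructed for the example. The "before" configuration has only the HTTP virtual, so an SSH SYN toward a pool member matches no listener and TMM drops it, which is what the SYN-only tcpdump above shows; the Linux host's net.ipv4.ip_forward sysctl has no effect on that decision.

```python
# Added illustration for this thread: a simplified model of BIG-IP LTM (v9+)
# virtual-server selection. It is NOT F5 code; it re-implements the documented
# order of precedence (host:port, host:*, network:port, network:*, *:port, *:*)
# and VLAN enablement so the replies above can be worked through on sample traffic.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Iterable, Optional

ANY_PORT = 0  # port 0 is the wildcard ("*" / "any") in an LTM virtual server


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: IPv4Network   # /32 host, a network, or 0.0.0.0/0 (network wildcard)
    port: int                  # 0 = any
    kind: str                  # "standard" (load balanced) or "forwarding" (routed as-is)
    vlans: frozenset = frozenset()  # empty = enabled on all VLANs

    def listens_for(self, dst_ip: str, dst_port: int, vlan: str) -> bool:
        if self.vlans and vlan not in self.vlans:
            return False
        if self.port not in (ANY_PORT, dst_port):
            return False
        return ip_address(dst_ip) in self.destination

    def specificity(self) -> tuple:
        # Longest destination mask wins first (Hamish: mask, not port);
        # only between equal masks does a specific port beat "any" (Bhattman's case).
        return (self.destination.prefixlen, 0 if self.port == ANY_PORT else 1)


def select_virtual(virtuals: Iterable[VirtualServer], dst_ip: str,
                   dst_port: int, vlan: str) -> Optional[VirtualServer]:
    """Return the most specific virtual server that would accept this SYN,
    or None when no listener matches (TMM then drops the packet; the host
    kernel's net.ipv4.ip_forward plays no part in that decision)."""
    candidates = [v for v in virtuals if v.listens_for(dst_ip, dst_port, vlan)]
    if not candidates:
        return None
    return max(candidates, key=VirtualServer.specificity)


# Constructed sample topology (hypothetical addresses and names):
#   vlan240 on interface 1.6 -> client/VIP network 10.1.6.0/24
#   vlan248 on interface 1.8 -> pool-member network 10.1.8.0/24
CLIENT_VLAN = "vlan240"
SERVER_VLAN = "vlan248"

VS_WEB = VirtualServer("vs_web_http", IPv4Network("10.1.6.10/32"), 80,
                       "standard", frozenset({CLIENT_VLAN}))

# "Before": only the load-balancing virtual exists, as in the original question.
CONFIG_BEFORE = (VS_WEB,)

# "After": add forwarding virtuals so inbound admin traffic from the client
# side can reach the pool members directly. Enabling them only on the
# client VLAN keeps the server VLAN from using them in the other direction.
CONFIG_AFTER = (
    VS_WEB,
    VirtualServer("vs_fwd_servers_any", IPv4Network("10.1.8.0/24"), ANY_PORT,
                  "forwarding", frozenset({CLIENT_VLAN})),
    VirtualServer("vs_fwd_ssh_any_host", IPv4Network("0.0.0.0/0"), 22,
                  "forwarding", frozenset({CLIENT_VLAN})),
    VirtualServer("vs_fwd_wildcard", IPv4Network("0.0.0.0/0"), ANY_PORT,
                  "forwarding", frozenset({CLIENT_VLAN})),
)


def chosen_name(config, dst_ip, dst_port, vlan=CLIENT_VLAN):
    vs = select_virtual(config, dst_ip, dst_port, vlan)
    return vs.name if vs else None


if __name__ == "__main__":
    # SSH to a pool member with the original config: nothing listens -> dropped.
    print(chosen_name(CONFIG_BEFORE, "10.1.8.20", 22))        # None
    # Same SYN after adding forwarding virtuals: the /24 beats 0.0.0.0/0:22.
    print(chosen_name(CONFIG_AFTER, "10.1.8.20", 22))         # vs_fwd_servers_any
    # Equal masks (both 0.0.0.0/0): specific port 22 beats port any.
    print(chosen_name(CONFIG_AFTER, "192.0.2.7", 22))         # vs_fwd_ssh_any_host
    print(chosen_name(CONFIG_AFTER, "192.0.2.7", 443))        # vs_fwd_wildcard
    # The VIP itself still lands on the standard virtual (host mask is longest).
    print(chosen_name(CONFIG_AFTER, "10.1.6.10", 80))         # vs_web_http
    # Forwarding virtuals are not enabled on the server VLAN, so a SYN arriving
    # there toward another network has no listener.
    print(chosen_name(CONFIG_AFTER, "192.0.2.7", 22, SERVER_VLAN))  # None
```

Two practical notes follow from the model. A forwarding virtual passes packets to the destination without address translation, so the pool members' return path must still run through the BIG-IP, or the reply will bypass it. And, as Hamish says, the wildcard forwarding virtual is a route, not a filter: once it exists, anything that arrives on an enabled VLAN and matches no more specific virtual is forwarded, so limiting the VLANs it is enabled on and relying on a firewall for the allow/deny decision is the sane division of labour.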