Forum Discussion

Network_69318's avatar
Icon for Nimbostratus rankNimbostratus
Jul 13, 2011

BIG-IP LTM 6400: Direct access on real servers




We've two BIG-IP LTM 6400 in active/standby configuration mode.


We've configured many Virtual Server but we can't directly connect to the real server.


The virtual network is on 1.6 interface and real server network is on 1.8 interface.


Below tcpdump's output on master BIG-IP:



14:48:17.676949 802.1Q vlan240 P0 CLIENT.51704 > SERVER.http: S 2466261397:2466261397(0) win 65535 (DF) [tos 0x10]


14:48:18.581313 802.1Q vlan240 P0 CLIENT.51704 > SERVER.http: S 2466261397:2466261397(0) win 65535 (DF) [tos 0x10]



I only see "SYN" packets and real servers receive nothing.


I enabled "net.ipv4.ip_forward" but I can't go directly to the nodes.




Thank you,








4 Replies

  • Hi Daniele,



    See this solution for options for allowing admin access to pool members or other hosts behind LTM:



    sol7229: Methods of gaining administrative access to nodes through the BIG-IP system




    A virtual server is generally the preferred method as it gives the most visibility and control over the connections.



  • Hi Daniele,


    Keep in mind that the traffic is matched by the most specific IP forwarding virtual server. For example if you have virtual ip forwarding of and then the traffic for SSH will match the most specific defined.







  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    For all my internal load-balancing VLAN's where the LTM is the default gateway, I ALWAYS configure a wildcard (Port 0) network virtual server of type forwarding for INBOUND admin traffic. That's usually enabled on all VLAN's... (There are exceptions, but they're not important here).



    I tend to do the same for DMZ LTM's. But the VS's are usually configured so that ALL traffic BETWEEN, TO or FROM VLAN's/DMZ's is passed via the firewalls...



    Then only the firewall needs to be concerned with whether traffic is allowed to pass from one network to another. The F5 is a Load Balancer (OK, Application Delivery Controller :), not a firewall.



    Oh... 'More Specific' is a tricky subject with LTM... The definition changed from v4 to v9.... In v9 the priority is on matching the MASK, not the port... See (Although I'm guessing not many people would be coming from v4 nowadays :)