Forum Discussion
hc_andy_35682
Nimbostratus
Jan 28, 2010
Connectivity Issue Between Hosts & Real Servers in the same VLAN
Hi All,
As a test, I've set up a Virtual Server on the F5 to load balance HTTP traffic to two real servers in Vlan 502.
F5 (Active) --> core1
F5 (Standby) --> core2
There is a crossover from core1 to core2. And imagine a cloud to the right of the cores which represents the Vlans.
My issue is that hosts in the same Vlan cannot access services/applications of real servers (which are also in the same Vlan) when access is made via the Virtual Server IP. Access to the Virtual Server IP from other Vlans works a treat. Is there an issue with my forwarding VIP?
When a host from the same Vlan502 (e.g. 10.15.210.200/24) makes a connection to the Virtual Server IP 10.15.254.222/32, the connection just drops.
> telnet 10.15.254.222 80
Trying 10.15.254.222...
Connected to 10.15.254.2221.
Escape character is '^]'.
Connection closed by foreign host.
- Snippet of config shown below
- BIG-IP LTM, version 10.1.0
- Outside Vlan80
- Inside Vlan502
pool VMTEST_HTTP_POOL {
    monitor all gateway_icmp and http
    members {
        10.15.210.84:http {}
        10.15.210.85:http {}
    }
}
virtual address 10.15.210.0 {
    mask 255.255.255.0
}
virtual INSIDE_VLAN502 {
    ip forward
    destination 10.15.210.0:any
    mask 255.255.255.0
    vlans Vlan_80 enable
}
virtual VMTEST_HTTP {
    pool VMTEST_HTTP_POOL
    destination 10.15.254.222:http
    ip protocol tcp
    vlans Vlan_80 enable
}
virtual INSIDE_VLAN_TO_ANY_TCP {
    pool VLAN80_HSRP_IP_POOL
    destination any:any
    mask 0.0.0.0
    ip protocol tcp
    vlans {
        Vlan_502
    } enable
}
virtual INSIDE_VLAN_TO_ANY_UDP {
    pool VLAN80_HSRP_IP_POOL
    destination any:any
    mask 0.0.0.0
    ip protocol udp
    vlans {
        Vlan_502
    } enable
}
virtual INSIDE_VLAN_TO_ANY_ICMP {
    ip forward
    destination any:any
    mask 0.0.0.0
    ip protocol icmp
    vlans {
        Vlan_502
    } enable
}
Thanks.
Andy
1 Reply
- hc_andy_35682
Nimbostratus
Argh worked it out...sort of...
This is because return traffic from the real servers does not go back to the F5 because the host making the connection and real servers are on the same subnet - so it doesn't forward the request back to the floating ip on the F5 which is its default gateway.
Will probably need an iRule to SNAT traffic from hosts within the same Vlan/subnet so return traffic comes back to the F5.
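
Added example, not part of the original thread: a small Python model of the return-path problem described in the reply above, using the VIP, pool member and client addresses from the post. The F5 floating self IP (10.15.210.1) and the other-VLAN client (10.15.80.50) are assumed values that do not appear on the page.

```python
import ipaddress

VIP = ipaddress.ip_address("10.15.254.222")         # virtual server, from the post
SERVER = ipaddress.ip_interface("10.15.210.84/24")  # pool member, from the post
F5_FLOAT = ipaddress.ip_address("10.15.210.1")      # ASSUMED floating self IP / server gateway


def reply_path(client_ip, snat=False):
    """Trace one connection to the VIP and report how the reply reaches the client."""
    client = ipaddress.ip_address(client_ip)

    # Inbound: the F5 rewrites the destination VIP -> pool member.
    # With SNAT it also rewrites the source to its own address on the server VLAN.
    src_seen_by_server = F5_FLOAT if snat else client

    # Server routing decision for the reply: an on-link destination is answered
    # directly at layer 2; anything else is sent to the default gateway (the F5).
    on_link = src_seen_by_server in SERVER.network
    via_f5 = (not on_link) or src_seen_by_server == F5_FLOAT

    # Only the F5 holds the connection entry that restores the VIP as the
    # reply's source address. A direct reply keeps the server's own address.
    reply_src = VIP if via_f5 else SERVER.ip

    # The client opened a socket to the VIP, so its TCP stack only accepts
    # segments whose source is the VIP.
    return {
        "via_f5": via_f5,
        "reply_src": str(reply_src),
        "client_accepts": reply_src == VIP,
    }


if __name__ == "__main__":
    cases = [
        ("same-VLAN client, no SNAT", "10.15.210.200", False),
        ("other-VLAN client, no SNAT (assumed address)", "10.15.80.50", False),
        ("same-VLAN client, SNAT", "10.15.210.200", True),
    ]
    for label, ip, snat in cases:
        print(f"{label}: {reply_path(ip, snat)}")
```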
