Forum Discussion

JamesCrk's avatar
JamesCrk
Icon for Cirrus rankCirrus
Nov 25, 2022

Does Big-IP forward layer 4 to pool servers?

In the scenario a 3rd party device is health checking an F5 virtual server (tcp port check) would that be forwarded to the backend server or would the F5 terminate that itself? if the pool members were all down would a tcp handshake still succeed to the vip?

  • Hi JamesCrk , 
    How are you , 
    I have tested your scenarios on my lab and found 2 different results. 
    ( My implementation) 
    > 2 F5 VEs , one for monitoring whereas the other for publishing virtual servers and serve user data. 

    I did my test in two differnet scenarios , I used ( Layer 4 TCP monitor " your demand" and http layer 7 monitor ) 

    FOR (Layer 4 TCP monitor ) : 
    > I found as long as the virtual server is up on F5 , external monitor is able to open 3 way-handshake with second F5 , but this 3 way handshake connection stopped outside and F5 doesn’t Forward it to backend server. 
    > which means that if this virtual server become down for any reason , external monitor will not be able to open a 3 way-handshake with your F5 and it will mark this virtual server as down. 

    According that , no TCP traffic related to external monitor forwarded to the backend , it is only between External monitor and F5 from outside. 

    FOR ( Layer 7 http monitor ) 
    > I have configured a custom http monitor to check periodically for a specific resource on web server. 
    > I found Extenal monitor opens ( TCP 3 way handshake first with F5 and send a piece of http traffic " GET /custom_Path " ) to F5 and F5 by its role recieves this traffic and opened a ( TCP 3 way handshake first with F5 and send a piece of http traffic " GET /custom_Path " ) and send it to servers. 
    > when server replied by ( 200 OK ) to F5 , F5 sent this responce back to External monitor , and here external monitor marked it as UP/available after getting the specified resource exactly. 

    I want to say now , 
    Application Layer 7 health monitors from external monitors , F5 deals with these monitors as a users data traffic , take request and give them replay. 
    but with Layer 4 health monitors {TCP} , external monitor and F5 opens only ( a tcp 3 way handshake ) with each other if the virtual server is UP on F5 , and no traffic forwarded to web servers  again related to (tcp 3 way handshake ) 

    That was my analysis for your case After labing it and do all above test scenarios. 


    Regards 


  • Hi JamesCrk , 
    How are you , 
    I have tested your scenarios on my lab and found 2 different results. 
    ( My implementation) 
    > 2 F5 VEs , one for monitoring whereas the other for publishing virtual servers and serve user data. 

    I did my test in two differnet scenarios , I used ( Layer 4 TCP monitor " your demand" and http layer 7 monitor ) 

    FOR (Layer 4 TCP monitor ) : 
    > I found as long as the virtual server is up on F5 , external monitor is able to open 3 way-handshake with second F5 , but this 3 way handshake connection stopped outside and F5 doesn’t Forward it to backend server. 
    > which means that if this virtual server become down for any reason , external monitor will not be able to open a 3 way-handshake with your F5 and it will mark this virtual server as down. 

    According that , no TCP traffic related to external monitor forwarded to the backend , it is only between External monitor and F5 from outside. 

    FOR ( Layer 7 http monitor ) 
    > I have configured a custom http monitor to check periodically for a specific resource on web server. 
    > I found Extenal monitor opens ( TCP 3 way handshake first with F5 and send a piece of http traffic " GET /custom_Path " ) to F5 and F5 by its role recieves this traffic and opened a ( TCP 3 way handshake first with F5 and send a piece of http traffic " GET /custom_Path " ) and send it to servers. 
    > when server replied by ( 200 OK ) to F5 , F5 sent this responce back to External monitor , and here external monitor marked it as UP/available after getting the specified resource exactly. 

    I want to say now , 
    Application Layer 7 health monitors from external monitors , F5 deals with these monitors as a users data traffic , take request and give them replay. 
    but with Layer 4 health monitors {TCP} , external monitor and F5 opens only ( a tcp 3 way handshake ) with each other if the virtual server is UP on F5 , and no traffic forwarded to web servers  again related to (tcp 3 way handshake ) 

    That was my analysis for your case After labing it and do all above test scenarios. 


    Regards 


  • Hi JamesCrk , 
    I think but bot sure , F5 virtual server will forward this monitoring traffic to its backend servers and gets server responce back to your external monitor. 
    To make sure for this behavior take an end-to-end Packet capture and use the external monitor source ip which use it during sending the periodic health check. 
    use this command : 

    tcpdump -nnnveti 0.0:nnnp host "External_monitor_source_ip" -s0 -S -w /var/tmp/name_of_the_file.pcap

    using ":P" modifier in this command should show both of client and server side streams of packets. 
    so that you can see the health check traffic from your external monitor to F5 virtual server , and from F5 to backend server if f5 really  forward health check traffic to backend servers. 

    - Select some of these packets and follow its end-to-end conversation , you can do that by wireshark : 
    { Right Click on packet >> choose conversation filter >>> Choose F5 IP } 


    you can also issue this command to see active sessions : 

    tmsh show sys connection cs-client-addr " External_monitor_Source_ip"  

    If you find two sessions opened via F5 virtual server by external monitor ip , this will ne an evidence that F5 forwards external monitor traffic to backend servers. 

    But I strongly to take a packet capture and expose all streams of this external monitors. 

     try this and tell me. 
    Regards

    • JamesCrk's avatar
      JamesCrk
      Icon for Cirrus rankCirrus

      thanks for the reply, as we are also doing snat its a bit difficult to see using those methods, but it apepars to go all the way through to pool member

      • RajaShajeelAhmed 

        No , even if you use SNAT you are able to see all tcp conversation between external monitor and f5 and from f5 to servers. 

        Do this task I'm sure you will see these sessions. 

        > you can take this packet capture and send it to me , and give me these ips ( external monitor , f5 virtual server , snat ips "auto mapped or SNAT pool range" and ips of backend servers )  if this available with you.

        I will expose you these streams exactly. 

        Regards 

  • If Pool memebers are down and using health monitor then VIP will be down on F5 and it will not respond to any TCP connection.