Forum Discussion
Does Big-IP forward layer 4 to pool servers?
- Nov 29, 2022
Hi JamesCrk,
How are you?
I have tested your scenarios in my lab and found 2 different results.
(My implementation)
> 2 F5 VEs, one for monitoring whereas the other is for publishing virtual servers and serving user data. I did my test in two different scenarios; I used (Layer 4 TCP monitor "your demand" and HTTP Layer 7 monitor).
FOR (Layer 4 TCP monitor):
> I found that as long as the virtual server is up on F5, the external monitor is able to open a 3-way handshake with the second F5, but this 3-way handshake connection stopped outside and F5 doesn’t forward it to the backend server.
> Which means that if this virtual server goes down for any reason, the external monitor will not be able to open a 3-way handshake with your F5 and it will mark this virtual server as down.
According to that, no TCP traffic related to the external monitor is forwarded to the backend; it is only between the external monitor and F5 from outside.
FOR (Layer 7 HTTP monitor):
> I have configured a custom HTTP monitor to check periodically for a specific resource on the web server.
> I found the external monitor opens (TCP 3-way handshake first with F5 and sends a piece of HTTP traffic "GET /custom_Path") to F5, and F5 by its role receives this traffic and opens a (TCP 3-way handshake first with F5 and sends a piece of HTTP traffic "GET /custom_Path") and sends it to the servers.
> When the server replied with (200 OK) to F5, F5 sent this response back to the external monitor, and here the external monitor marked it as UP/available after getting the specified resource exactly.
I want to say now,
Application Layer 7 health monitors from external monitors: F5 deals with these monitors as user data traffic, takes the requests and gives them replies.
But with Layer 4 health monitors {TCP}, the external monitor and F5 open only (a TCP 3-way handshake) with each other if the virtual server is UP on F5, and no traffic related to the (TCP 3-way handshake) is forwarded to the web servers.
That was my analysis for your case after labbing it and doing all the above test scenarios.
Regards
Thanks for the reply. As we are also doing SNAT it's a bit difficult to see using those methods, but it appears to go all the way through to the pool member.
No, even if you use SNAT you are able to see all TCP conversations between the external monitor and F5 and from F5 to the servers.
Do this task; I'm sure you will see these sessions.
> You can take this packet capture and send it to me, and give me these IPs (external monitor, F5 virtual server, SNAT IPs "auto mapped or SNAT pool range" and IPs of backend servers) if this is available with you.
I will expose these streams to you exactly.
Regards
- JamesCrk, Nov 27, 2022, Cirrus
Thanks have sent you cap file!