GTM hands out private IP addresses, need it to hand out public/translated IPs
I want the GTM to balance on a pool of servers that are behind a firewall at a remote data center:
Server A has private IP 192.168.1.1, translated IP 198.19.1.1
Server B has private IP 192.168.1.2, translated IP 192.19.1.2
Server C has private IP 192.168.1.3, translated IP 192.19.1.3
The GTM needs to monitor the servers using private IP, as there are two healthchecks. The first is to do a basic check of port 443. The second is to check Tomcat in port 8080, which is not reachable via the public IP.
I've added the servers (being sure to fill out the translated IP address), created the pool, then created the WideIP. However, I always get back the private IP of the server.
It seems like in the server, pool, or wideIP configuration, there should be a checkbox to hand out the public IP addresses. What am I missing?
9 Replies
- gsharri
Altostratus
If I understand your description, then the addresses are backwards. The address field in GTM is the public IP and the translation field is the private IP. GTM resolves using the address field, and the monitors also test the IP in the address field, so in your case GTM would not be able to check port 8080 on the pub IP.
- Hamish
Cirrocumulus
The translation in GTM is for GTM communications only. Not for affecting the addresses that GTM hands out. It's a small distinction, but important... You only use them if there's a NAT between the GTM and the LTM (Or other device) that's serving the VS's.
If you want to translate the addresses that GTM gives you, you need to do that externally, OR with an iRule (There's an LTM iRule that translates GTM addresses in the DNS response on codeshare... Which I'd provide a link to, but some kind soul has re-organised it, and I can't seem to find my way around any more...).
H
- Hamish
Cirrocumulus
Ahh... Here's the iRule... GTM Translate...
And a discussion about it (Extra info on where I managed to confuse others -> https://devcentral.f5.com/questions/gtm-irule-split-dns )
H
- John_Heyer_1508
Cirrostratus
You're right; I had it backwards. Translation is the internal/private/real IP, whereas address is the external/public/mapped IP.
So the good news is the GTM now hands out the public IPs.
The bad news is I need the Tomcat healthcheck to use the internal IP, since Tomcat is not exposed to the public. I can't find any way to force this. Going to ask F5 support.
- gsharri
Altostratus
To test the private IP:tomcat you can create a virtual server for the private IP and apply the monitor there. This VS would not be in a wip pool; it is only for monitoring. Then in the public VS properties add the private VS to the dependency list. Now if the private IP:tomcat VS is down, the public VS will also be down. Another method would be to create a monitor and configure the alias address and alias service port to test the private IP and Tomcat port. Then assign that to the public VS. With this second method you won't need to create the second private VS.
- John_Heyer_1508
Cirrostratus
Thanks for the response. It sounds like using Dependencies for the server is what I want.
For the second method, I would have to create a separate monitor for each server, correct? Monitor_1: Alias address 192.168.1.1, Monitor_2: Alias address 192.168.1.2, etc.
- gsharri
Altostratus
Correct, one for each pri IP:port you need to check.
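The per-server alias monitor described above (gsharri's second method, and the one-monitor-per-private-IP pattern confirmed in the last two replies), written out as a bigip_gtm.conf-style fragment. This is an added example, not configuration posted in the thread: the object names, the datacenter name, the `generic-host` product type and the exact tmsh keys (`destination` for the GUI's Alias Address / Alias Service Port, `translation` under the server address, `translation-address` / `translation-port` on the virtual server) are my assumptions about the syntax and should be checked against the BIG-IP version in use. Only Server A from the original post is shown; B and C get their own monitor and virtual-server stanzas with their private IPs.

```tmsh
# Added example (not from the thread). Comment lines are for the reader only and
# must be removed before loading; bigip_gtm.conf does not accept them.
# Server A: public (address) 198.19.1.1, private (translation) 192.168.1.1.

# One monitor per private IP:port. "destination" is the Alias Address:Alias Service
# Port pair; the default of *:* would probe the public address field instead, which
# is why the Tomcat check never reached 8080 before.
gtm monitor tcp /Common/mon_tomcat_srv_a {
    defaults-from /Common/tcp
    destination 192.168.1.1:8080
    interval 30
    timeout 91
}

# The server object carries the public IP in the address field and the private IP
# as its translation, so DNS answers hand out 198.19.1.1.
gtm server /Common/srv_a {
    datacenter /Common/remote_dc
    product generic-host
    addresses {
        198.19.1.1 {
            device-name srv_a
            translation 192.168.1.1
        }
    }
    virtual-servers {
        vs_srv_a_443 {
            destination 198.19.1.1:443
            translation-address 192.168.1.1
            translation-port 443
            monitor /Common/tcp and /Common/mon_tomcat_srv_a
        }
    }
}
```

The stock `tcp` monitor keeps checking port 443 on the public address, and the aliased monitor checks Tomcat on the private address; the virtual server is only marked up when both succeed, which is the behaviour the original poster wanted without a second monitoring-only virtual server and dependency entry. The GTM still needs a route to the 192.168.1.0/24 addresses (the VPN mentioned later in the thread) for the aliased probe to work.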
- IbbyVK_337407
Nimbostratus
If you have https on the front end and 8080 on the back end servers, that implies that you are load balancing with what? F5 LTM? If so then the LTM is the one who is doing the health checks against the back end servers on 8080, and via iQuery will communicate to the GTM if any of them are down. Unless I am missing something. If you wanted the GTM to directly query the back end servers, does it have a route to their private IPs?
- John_Heyer_1508
Cirrostratus
In this case the servers were in a remote data center managed through a partner, and there was no LTM. The servers ran Apache Proxy on port 443 and were being accessed via NAT translations on a Cisco ASA firewall. 8080 was the app port, and was not exposed to the internet. The GTM had access to the server private IPs via VPN.
But all moot now since the data center got an LTM in 2016 and then was retired in 2017.