Forum Discussion
Jun 07, 2013
GTM private IP versus public IP in GTM DNS answers
Hello all,
I have a question regarding the behavior of the GTM in the following conditions:
GTM must reply to DNS queries coming only from the Internet, i.e. with a public IP address...
Jun 07, 2013
Hello Hamish,
OK, thanks for the clarification. I will then look at writing an iRule that is as global as possible, trying to avoid creating one per VS (I have around 100 VS configured).
The fact is that per WIP, I have 4 pools configured in Global Availability with manual resume, thus I must make sure to return the 'up to date' value and not something static.
But I'm not sure I will be able to make it a global rule.
And at the same time, discuss with the management to explain that probing the local VIP requires using the external IP (the FW is the GW, it is only one hop more, we do not really go out on the Internet), if we do not want to use an iRule.
I see two ways:
- DNS request level: check if pool A is up; if yes, provide an IP, else check if pool B is up, and so on down to pool D

    when DNS_REQUEST {
        if { [DNS::rrname] eq "secure.a.com" } {
            # pseudo code: return the public IP of the first pool that is up,
            # checking the pools in the Global Availability order A, B, C, D
            if { GTM::poolA is up } {
                host a.a.a.a
            } elseif { GTM::poolB is up } {
                host b.b.b.b
            } elseif { GTM::poolC is up } {
                host c.c.c.c
            } elseif { GTM::poolD is up } {
                host d.d.d.d
            }
        }
    }
- DNS answer level: based on the private IP contained in the answer (pseudo code again)

    when DNS_RESPONSE {
        # pseudo code: replace the private VIP in the answer with its public counterpart
        set new_host [host]
        switch -glob $new_host {
            "10.0.0.a" { host "a.a.a.a" }
            "10.0.0.b" { host "b.b.b.b" }
            "10.0.0.c" { host "c.c.c.c" }
            "10.0.0.d" { host "d.d.d.d" }
        }
        DNS::return
    }

Do you think it could work?
To answer your question about iQuery: this is a wish of the management not to rely on a proprietary protocol for the GTM to get the status of the VS. That's why I use HTTPS.
Meaning that we could replace the GTM with any other DNS/GSLB server, and the LTM with any other LB.
If I declare the LTM as 'BigIP' instead of 'Generic', even if I remove bigip from the list of monitors, the GTM will try to probe port 4353. As a result, all VS go down. I have a case open with F5 for this, because I'm also hitting SOL13865 (and the upgrade to 11.2.1 HFA6 did not solve it).
Thanks and have a nice weekend
--
Benoit
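The two sketches in the post, modelled as an added example that is not part of the thread and not an F5 iRule: plain Python with constructed pool names, private VIPs and public NAT addresses (the "GTM::poolX is up" checks become a status dictionary as an HTTPS monitor would fill it). It goes one step beyond the sketches with a fail-closed check, so that a 10.x address with no public mapping is never returned to an Internet client.

```python
"""Model of the request-level and answer-level strategies (added example, not F5 code).

Assumptions, all constructed for this example: four pools A-D in Global
Availability order, each backed by one private VIP that is NATed 1:1 to a
public IP, and every DNS query arriving from the Internet.
"""
import ipaddress

# Constructed mapping: (pool name, private VIP, public NAT address), in Global Availability order.
POOLS = [
    ("poolA", "10.0.0.11", "198.51.100.11"),
    ("poolB", "10.0.0.12", "198.51.100.12"),
    ("poolC", "10.0.0.13", "198.51.100.13"),
    ("poolD", "10.0.0.14", "198.51.100.14"),
]
NAT_MAP = {priv: pub for _, priv, pub in POOLS}

# RFC1918 ranges are checked explicitly rather than via ip_address().is_private,
# because the latter also flags documentation ranges such as 198.51.100.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the RFC1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def select_public_ip(pool_status):
    """Request-level strategy: public IP of the first pool reported up, in order.

    pool_status maps pool name -> bool (as the HTTPS monitor results would);
    returns None when no pool is up, so the caller can answer with no record.
    """
    for name, _priv, pub in POOLS:
        if pool_status.get(name, False):
            return pub
    return None


def rewrite_answers(answers):
    """Answer-level strategy: rewrite private A records before they leave the GTM.

    answers: list of IPv4 strings from the DNS answer section.
    Returns the rewritten list, or None if a private address has no mapping,
    so an unmapped RFC1918 address is dropped instead of leaked to the Internet.
    """
    rewritten = []
    for rdata in answers:
        if is_rfc1918(rdata):
            if rdata not in NAT_MAP:
                return None  # fail closed: never expose an unmapped private VIP
            rewritten.append(NAT_MAP[rdata])
        else:
            rewritten.append(rdata)  # already a public address, pass through
    return rewritten


if __name__ == "__main__":
    print(select_public_ip({"poolA": False, "poolB": True}))   # 198.51.100.12
    print(rewrite_answers(["10.0.0.13"]))                        # ['198.51.100.13']
    print(rewrite_answers(["10.0.0.99"]))                        # None (no mapping)
```

The request-level function reproduces the manual-resume ordering (pool A wins as long as it is up, regardless of which pools came back); the answer-level function is the switch from the post with a default branch, which is the part the original sketch lacks and the part that matters for not leaking internal addressing.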