Forum Discussion

Hannu_Mallat_36
Sep 20, 2005

Handling inbound and outbound connections through the same LB node?

Hi,

I haven't been able to find an answer yet for the following problem in the documentation so I'm bothering the forum with it.

I'm sandwiching a bunch of traffic inspection devices between BigIPs. The devices are transparent at the IP level, so I'm using wildcard virtual servers. The traffic flows (TCP sessions, UDP flows) can be initiated from either the internal (client) or the external (server) side, though usually the first flow originates from the internal side. Take as an example "old style" (non-passive) FTP: the client initialises the control connection, but the server initialises the data connection.

How do I make sure that the same load balancing decision is made on both sides of the sandwich? I.e., if the internal BigIP has decided to route the FTP control connection through node N1, how do I ensure that the external one also routes the server-initiated FTP data TCP session through N1 and no other node?

Note that the problem is not specific to FTP; I'm merely using it as an example.

TIA,

Hannu

2 Replies

  • In the case of FTP, F5 has written a protocol-specific "profile" to handle this.

    As for other protocols, I defer to the developers, as this is beyond my experience. (I have a few ideas, but I'm not sure what the best approach is.)

    -Brian

  • drteeth_127330
    Historic F5 Account
    First, let me say that this is tricky business. That being said, you have a couple of options. Since your device is transparent at L3, you can try hash-mode persistence or use the session table. On the client side, you would hash on the source address, and on the server side you would hash on the destination address.

    The other option is to use related connections rather than a wildcard network virtual sandwich. For FTP and similar protocols, the control channel describes the related connections even if they are initiated by the server. The idea is to parse the control protocol and then create one or more related connections. Follow the links below for some info on related connections.

    Click here

    Click here

    Good luck!
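A worked illustration of the two approaches in the reply above (hash-mode persistence on source/destination address, and a shared session table), added here as an example; it is not part of the original thread and not F5 code. The node names, the addresses, the SHA-256 hash and the round-robin assignment in the session-table variant are constructed placeholders, and it assumes both BigIPs are configured with the same node pool in the same order and the same hash function. The key point it demonstrates is that the internal client is the source address when a flow enters from the client side and the destination address when a flow enters from the server side, so hashing on src on one side and dst on the other yields the same key for every flow of the session, including a server-initiated active-FTP data connection.

```python
"""Symmetric node selection for an L3-transparent inspection sandwich.
Constructed example: node names, addresses and hash choice are placeholders."""
import hashlib
from ipaddress import ip_address

NODES = ["N1", "N2", "N3"]  # constructed pool of inspection devices (assumption: same order on both LBs)


def flow_key(side: str, src_ip: str, dst_ip: str) -> str:
    """Return the address both load balancers must agree on.

    The internal client is the source when a flow enters from the client side
    and the destination when a flow enters from the server side, so hashing on
    src (client side) / dst (server side) yields the same key in both cases.
    """
    if side == "client":
        key = src_ip
    elif side == "server":
        key = dst_ip
    else:
        raise ValueError(f"unknown side {side!r}")
    # Normalise the textual form so both sides hash byte-identical input.
    return str(ip_address(key))


def hash_node(side: str, src_ip: str, dst_ip: str, nodes=NODES) -> str:
    """Hash-mode persistence: stateless, so both BigIPs pick the same node as
    long as they share the pool order and the hash function (assumptions)."""
    digest = hashlib.sha256(flow_key(side, src_ip, dst_ip).encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


class SessionTable:
    """Session-table variant: the first flow seen for a client is assigned a
    node (round-robin here, a constructed choice) and every later flow from
    either side reuses that entry via the same key derivation."""

    def __init__(self, nodes=NODES):
        self.nodes = list(nodes)
        self.table = {}
        self._next = 0

    def node_for(self, side: str, src_ip: str, dst_ip: str) -> str:
        key = flow_key(side, src_ip, dst_ip)
        if key not in self.table:
            self.table[key] = self.nodes[self._next % len(self.nodes)]
            self._next += 1
        return self.table[key]


def ftp_session_nodes(client_ip: str, server_ip: str, chooser) -> list:
    """Walk the flows of an active-mode FTP session through the sandwich and
    return the node chosen for each: the client-initiated control connection
    (enters from the client side), its replies (enter from the server side),
    and the server-initiated data connection (enters from the server side)."""
    return [
        chooser("client", client_ip, server_ip),  # control: client -> server:21
        chooser("server", server_ip, client_ip),  # control replies: server:21 -> client
        chooser("server", server_ip, client_ip),  # data: server:20 -> client (active FTP)
    ]


def pinned(nodes: list) -> bool:
    """True when every flow of the session went through one and the same node."""
    return len(set(nodes)) == 1


if __name__ == "__main__":
    c, s = "10.0.0.5", "203.0.113.10"  # constructed client / server addresses
    print("hash mode    :", ftp_session_nodes(c, s, hash_node))
    print("session table:", ftp_session_nodes(c, s, SessionTable().node_for))
    # Hashing on the *source* address on both sides would key the server-initiated
    # flows on the server address rather than the client, so pinning is not guaranteed:
    print("naive keys   :", [flow_key("client", c, s), flow_key("client", s, c)])
```

Both choosers are interchangeable in `ftp_session_nodes`, which is the property the reply relies on: the load-balancing decision is a pure function of the client address regardless of which side a given flow enters from. The session-table variant additionally needs the table to be shared or mirrored between the two BigIPs, which the hash-mode variant avoids.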