Scenario: Two real servers behind the F5. Real server have the F5 private interface as their DG. VIP is setup for the pool with the two real servers. Forwarding VIP is setup for inbound and outbound traffic to the real server ip address. Issue: Client can reach the server pointing to the real server ip address, but not the virtual ip address. If SNAT is turned on, the VIP will work. Any and all ideas are welcome. This is a test environment so changes can be made.

Configuring forwarding virtual servers on the public and private side of the BIG-IP will essentially turn it into a router. The first question would be what are you trying to accomplish? Generally, forwarding virtual servers aren't used to load balance across pool members. The community can help get you setup properly if we know what you're trying to do.

The forwarding VIP is to allow access to the real IP address for system admins and to allow the servers to get updates from the internet or other servers in the network. There is a single 0/0 forwarding VIP. This is just a basic setup to test load balancing. This is for a customer of mine and they were testing some things b/c they were having issues with the forwarding VIP behaving correctly. Setting up the test bed and this issue popped up. I have the same setup in my lab with the VE edition without the HA piece and it all works as expected. Talking to a fellow engineer, he was leaning towards a possible bug. Code is 11.2.1 HF7 I think.

I agree that a forwarding virtual server is a good fit for allowing your backend servers access out to Internet resources for updates, browsing, etc. I assume this access is working as intended? If you intend to use load balancing, a different type of virtual server might suit you best. In the absence of any special requirements, a standard type should suffice. Ensure you are allow port and address translation on your virtual server. For administrator access to servers, I'm unsure why you'd be using load balancing in this case. Or why you'd put F5 in that path to begin with.

No, that isn't what the load balancing is for. The servers are actually being load balanced for a purpose. The forwarding VIP was just added so the server admin could reach their server to perform administrative functions. There is a normal a VIP for access to the pool to test load balancing HTTP. This is the part that is not working. The client can reach HTTP to a real server IP but not through the VIP. There were some issues with the forwarding VIP b/c a server behind the F5 couldn't access resources without having SNAT turned on. This breaks the application such as Cisco ISE since the server logs the client source IP. The F5 engineer stated there was asymmetric routing somewhere but we couldn't find it.

Can you post your normal virtual server and pool configuration? Sanitized of course.

Inline F5 not working

16 Replies

jrmorris_151361
Nimbostratus
Apr 24, 2014
What appears to be happening is that the VIP is being advertised by the standby box. I have confirmed this by looking at the tables. The route to the real server, however, goes through the primary f5. That must be why turning SNAT on fixes the issue. How do I get the VIP to advertise out of the primary box and not the standby>

nitass

Employee

Apr 24, 2014

How do I get the VIP to advertise out of the primary box and not the standby

can you check if virtual address is associated to correct traffic group?

e.g.

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual-address 172.28.24.10
ltm virtual-address 172.28.24.10 {
    address 172.28.24.10
    mask 255.255.255.255
    traffic-group traffic-group-1
}

jrmorris_151361
Nimbostratus
Apr 24, 2014
admin@(SJ505DCF51)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual-address 10.200.40.100 ltm virtual-address 10.200.40.100 { address 10.200.40.100 floating disabled mask 255.255.255.255 traffic-group none unit 0 }

I show none, how do I assign the VIP to the default traffic class? Specifically in the GUI?

EDIT: I just found it. Is this something I will need to do for each VIP, or can I make each VIP I create default with this?

nitass

Employee

Apr 24, 2014

I show none, how do I assign the VIP to the default traffic class? Specifically in the GUI?

this is for tmsh.

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm virtual-address 172.28.24.10 traffic-group ?
Specifies the traffic group for the virtual address. The default traffic group is inherited from the containing folder.

for gui, it is at local traffic > virtual servers > virtual address list.

nitass
Employee
Apr 24, 2014
Is this something I will need to do for each VIP, or can I make each VIP I create default with this?

i understand it is a bug. if parent folder's traffic group is correct, it would not be an issue.

sol14104: The traffic group definition may be missing from the '/ ' and '/Common' partitions

http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14104.html
jrmorris_151361
Nimbostratus
Apr 24, 2014
This appears to have resolved my issue. I will be upgraded to 11.4.1 HF3 next week to address this bug. Thanks for your help.

Forum Discussion

Inline F5 not working

16 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

UCS Encryption Question

Unblock Request WAF

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

Related Content

Working with MasterKeys

How OneConnect Profile works with Cookie Persistence

How Proxy SSL works on BIG-IP

Lightboard Lessons: SSL Visibility - The Ultimate Inline Inspection Architecture

F5 iRUule not working

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS