Forum Discussion
frank_thyes_309
Nimbostratus
NimbostratusIP forwarding
Hi Group,
we are migrating from PA address space to our own PI address space. Cooperation partners using domains like this: my.company.partner.com which point to our main IP address i.e 1.1.1.1, because I do not own the domain I can't change the IP by my own. Now we are migrating from 1.1.1.1 to lets assume 2.2.2.2 located on another HA pair of BigIPs.
The URL have to be the same because our application use it to decide which content have to be delivered.
How can I redirect / forward traffic for domain my.company.partner.com which points to 1.1.1.1 on bigip pair 1 to 2.2.2.2 on bigip pair 2 without changing the URL?
Any help is appreciated.
Best
Frank
22 Replies
frank_thyes_309Here we go...
curl -v -I http://2.2.2.2 -H "Host: test.abc.com"
* About to connect() to 2.2.2.2 port 80
* Trying 2.2.2.2... connected
* Connected to 2.2.2.2 (2.2.2.2) port 80
> HEAD / HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Accept: */*
> Host: test.abc.com
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sat, 13 Oct 2012 13:18:37 GMT
Date: Sat, 13 Oct 2012 13:18:37 GMT
< Server: Apache/2.2.16 (Debian)
Server: Apache/2.2.16 (Debian)
< Last-Modified: Sat, 13 Oct 2012 07:36:35 GMT
Last-Modified: Sat, 13 Oct 2012 07:36:35 GMT
< ETag: "501f1-b1-4cbebdd2846c0"
ETag: "501f1-b1-4cbebdd2846c0"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 177
Content-Length: 177
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html
< X-Pad: avoid browser bug
X-Pad: avoid browser bug
* Connection 0 to host 2.2.2.2 left intact
* Closing connection 0- nitass
Employee
have you configured tmm route for 2.2.2.2 (e.g. default route) on the old bigip (i am not sure when you ping 2.2.2.2, did it use mgmt route or tmm route)?
can you try tcpdump on the old bigip while accessing http://1.1.1.1?
to screen
tcpdump -nni 0.0:nnn -s0 host 1.1.1.1 or host 2.2.2.2 and port 80
to file
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 1.1.1.1 or host 2.2.2.2 and port 80 - frank_thyes_309The old bigip device is using a default route, reachable through the self ip 123.123.123.123
[root@lb2:Active] config tcpdump -nni 0.0:nnn -s0 host 1.1.1.1 or host 2.2.2.2 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
17:51:22.351698 IP 123.123.123.123.55841 > 2.2.2.2.80: S 3039961864:3039961864(0) win 5840 out slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=0 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.364182 IP 2.2.2.2.80 > 123.123.123.123.55841: S 1491322061:1491322061(0) ack 3039961865 win 5792 in slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=512 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.364714 IP 123.123.123.123.55841 > 2.2.2.2.80: . ack 1 win 46 out slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=0 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.369011 IP 123.123.123.123.55841 > 2.2.2.2.80: P 1:156(155) ack 1 win 46 out slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=0 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.381035 IP 2.2.2.2.80 > 123.123.123.123.55841: . ack 156 win 429 in slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=512 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.381317 IP 2.2.2.2.80 > 123.123.123.123.55841: P 1:284(283) ack 156 win 429 in slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=512 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.381771 IP 123.123.123.123.55841 > 2.2.2.2.80: . ack 284 win 54 out slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=0 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.385329 IP 123.123.123.123.55841 > 2.2.2.2.80: F 156:156(0) ack 284 win 54 out slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=0 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.397684 IP 2.2.2.2.80 > 123.123.123.123.55841: F 284:284(0) ack 157 win 429 in slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=512 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094
17:51:22.397817 IP 123.123.123.123.55841 > 2.2.2.2.80: . ack 285 win 54 out slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=0 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094 - nitass17:51:22.381317 IP 2.2.2.2.80 > 123.123.123.123.55841: P 1:284(283) ack 156 win 429 in slot1/tmm1 lis= flowtype=130 flowid=D10F1C0 peerid=1A3A6E40 conflags=E26 inslot=0 inport=512 haunit=0 peerremote=00000000:00000000:0000FFFF:D4121204 peerlocal=00000000:00000000:0000FFFF:BCAEB90A remoteport=55841 localport=80 proto=0 vlan=4094 is this not http response?
- frank_thyes_309Sure it is. I did what you asked me to.
From the old device "curl -v -I http://2.2.2. 2-H "Host: test.abc.com" while dumping. - nitassFrom the old device "curl -v -I http://2.2.2. 2-H "Host: test.abc.com" while dumping.sorry to confuse. actually, i mean "curl -v -I http://1.1.1.1 -H "Host: test.abc.com" while running "tcpdump -nni 0.0 host 1.1.1.1 or host 2.2.2.2 and port 80" (to screen) or "tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 1.1.1.1 or host 2.2.2.2 and port 80" (to file).
- frank_thyes_309[root@lb2:Active] config curl -v -I http://1.1.1.1 -H "Host: test.abc.com"
* About to connect() to 1.1.1.1 port 80
* Trying 1.1.1.1... connected
* Connected to 1.1.1.1 (1.1.1.1) port 80
> HEAD / HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Accept: */*
> Host: test.abc.com
>
* Empty reply from server
* Connection 0 to host 1.1.1.1 left intact
curl: (52) Empty reply from server
* Closing connection 0
[root@lb2:Active] config tcpdump -nni 0.0:nnn -s0 host 1.1.1.1 or host 2.2.2.2 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
20:59:12.019359 IP 10.0.35.2.41072 > 2.2.2.2.80: S 3247471255:3247471255(0) win 4380 out slot1/tmm0 lis=vs_1.1.1.1_8 flowtype=128 flowid=13B2F540 peerid=2E4AB5C0 conflags=924 inslot=0 inport=0 haunit=1 peerremote=00000000:00000000:0000FFFF:D4120404 peerlocal=00000000:00000000:0000FFFF:D4120412 remoteport=41072 localport=80 proto=0 vlan=4094
20:59:15.019116 IP 10.0.35.2.41072 > 2.2.2.2.80: S 3247471255:3247471255(0) win 4380 out slot1/tmm0 lis=vs_1.1.1.1_8 flowtype=128 flowid=13B2F540 peerid=2E4AB5C0 conflags=924 inslot=0 inport=0 haunit=1 peerremote=00000000:00000000:0000FFFF:D4120404 peerlocal=00000000:00000000:0000FFFF:D4120412 remoteport=41072 localport=80 proto=0 vlan=4094
20:59:18.218981 IP 10.0.35.2.41072 > 2.2.2.2.80: S 3247471255:3247471255(0) win 4380 out slot1/tmm0 lis=vs_1.1.1.1_8 flowtype=128 flowid=13B2F540 peerid=2E4AB5C0 conflags=924 inslot=0 inport=0 haunit=1 peerremote=00000000:00000000:0000FFFF:D4120404 peerlocal=00000000:00000000:0000FFFF:D4120412 remoteport=41072 localport=80 proto=0 vlan=4094
20:59:21.419283 IP 10.0.35.2.41072 > 2.2.2.2.80: S 3247471255:3247471255(0) win 4380 out slot1/tmm0 lis=vs_1.1.1.1_8 flowtype=128 flowid=13B2F540 peerid=2E4AB5C0 conflags=924 inslot=0 inport=0 haunit=1 peerremote=00000000:00000000:0000FFFF:D4120404 peerlocal=00000000:00000000:0000FFFF:D4120412 remoteport=41072 localport=80 proto=0 vlan=4094
Looks like the device send the request to the outside host using the wrong interface. I expected 123.123.123.123 instead of the internal address 10.0.35.2 - nitassLooks like the device send the request to the outside host using the wrong interface. I expected 123.123.123.123 instead of the internal address 10.0.35.2is route for 2.2.2.2 in same subnet as 123.123.123.123 interface? 123.123.123.123 is tmm interface (selfip), isn't it?
- nitassnot sure if it is relevant. anyway, just in case if you have not yet seen it.
sol7336: The SNAT Automap feature may use an unintended self IP address
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7336.html - frank_thyes_3092.2.2.2 is a public address and 123.123.123.123 is one of the external public addresses on the device. On this box we have a default gw configured. Unknown public IP address should be routed to the default gateway, don't they?
From sol7336: If the selected address resides on the ingress VLAN, the BIG-IP system will not SNAT the traffic.
Incoming interface and outgoing interface are the same, looks like that's the point. Do you have a idea how I can get it working nevertheless?
