For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mdaghrir's avatar
mdaghrir
Icon for Nimbostratus rankNimbostratus
Mar 28, 2019

Issue with servers on the same subnet as pool of SMTP nodes

We built a load balanced virtual server with three SMTP nodes. All the nodes have a virtual server as their gateway in order to keep the original IP of the client.   Everything work perfectly exce...
BIG-IP
devops
LTM
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Mar 28, 2019

Yeah. Presumably the nodes on the same VLAN as the SMTP servers are using the VS to talk to SMTP. So the traffic from client to server goes via the BigIP. However because the SMTP servers are on the same VLAN as the client the return traffic goes direct to the clients instead of via the BigIP

 

That means the bigip only sees 1 path. And because bigip is a full proxy it wants to see the client to VS as 1 connection and bigip to SMTP as a second connection. Because it only sees half of both, the connections don't work.

 

You have a couple of choices

 

  1. Implement policy routing on the SMTP servers. Over-ride the return traffic so ALL SMTP traffic goes back via the BigIP and not direct even when the client is on the same subnet. (Presumably you actually mean the SMTP servers have a floating IP as their gateway, not a VS).

     

  2. You could implement the LB as n-path... But that would assume you don't want to do anything with the traffic other than LB'ing it.

     

  3. SNAT the traffic for clients on the same VLAN. That should have worked fine. I'd probably look at it again because intermittent problems sound like something else was broken. Or the SNAT wasn't quite right.