romolo82
Mar 13, 2024

Latency between F5 and WAF

Hi,

A FortiGate WAF was inserted into our network infrastructure before the F5 balancer.

Now, the problem is this: we have two F5s in active/standby. When load balancer 1 is the active one, calls via the WAF have excessive latency; when load balancer 2 is active, however, communication is normal.

The two balancers are perfectly equal.

Does anyone have any suggestions on what to investigate to resolve the issue?

Thanks, regards

3 Replies

  • Hi Romolo82,

    Please compare the self IPs of both LTMs, look at the default port lockdown settings, and see which port settings are allowed on each of those self IPs.

    Check and compare all the self IP allow-service details on both the working and non-working F5.

    Network-section settings, including self IP settings, do not copy/sync from one box to another in an HA setup; only the LTM section or other config gets replicated, so check whether there is any config mismatch in the self IP settings. These details are not visible from the GUI; you can only get these settings from the CLI to compare further:

    list /net self

    This will result in an output that looks like the following:


    net self internal {
        address 10.10.10.1/24
        allow-service all
        traffic-group traffic-group-local-only
        vlan internal_vlan
    }

    https://my.f5.com/manage/s/article/K17333

    K17333: Overview of port lockdown behavior (12.x - 17.x)

    🙏

  • Packet captures at different places in the path. Try to find where the latency is caused. If it is the F5 itself, you can certainly contact support to look into that further.

    Does all traffic go through the FortiGate WAF? If not, it is interesting to see if there is a difference there.

  • Probably there is an L1-L2 problem between the WAF and f5lb1.

    Have you checked the ping from the WAF to the client-side self IPs?
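
The self IP comparison suggested in the first reply, as an added example that is not part of the thread: a Python script that parses `list /net self` output saved from each unit and reports per-self-IP differences such as a port lockdown (`allow-service`) mismatch. The two sample outputs are constructed, and `address` is ignored by default on the assumption that non-floating self IP addresses legitimately differ between units.

```python
import re

# Constructed `list /net self` output from each unit (sample data, not from the thread).
UNIT1 = """net self internal {
    address 10.10.10.1/24
    allow-service all
    vlan internal_vlan
}"""
UNIT2 = """net self internal {
    address 10.10.10.2/24
    allow-service {
        default
    }
    vlan internal_vlan
}"""

def parse_self_ips(text):
    """Return {self_ip_name: {property: value}} from `list /net self` output."""
    result, current, block = {}, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = re.match(r"net self (\S+) \{$", line)
        if m:
            current = result.setdefault(m.group(1), {})
        elif current is None:
            continue                          # text outside any self IP stanza
        elif block is not None and line != "}":
            current[block] = (current[block] + " " + line).strip()
        elif block is not None:
            block = None                      # end of nested block, e.g. allow-service { ... }
        elif line == "}":
            current = None                    # end of the self IP stanza
        elif line.endswith("{"):
            block = line[:-1].strip()
            current[block] = ""
        else:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return result

def diff_units(a, b, ignore=("address",)):
    """Return (name, property, value_a, value_b) for each mismatch between two units."""
    out = []
    for name in sorted(set(a) | set(b)):
        pa, pb = a.get(name, {}), b.get(name, {})
        for key in sorted(set(pa) | set(pb)):
            if key not in ignore and pa.get(key) != pb.get(key):
                out.append((name, key, pa.get(key), pb.get(key)))
    return out

if __name__ == "__main__":
    print(diff_units(parse_self_ips(UNIT1), parse_self_ips(UNIT2)))
```

A self IP that exists on only one unit shows up with `None` on the other side for every property.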