Forum Discussion
Doug_104173
Nimbostratus
NimbostratusLoad Balancing External Nodes
Hi, I'm trying to load balance some nodes that are on our EC2 share from the virtual LTM running 10.1 inside our network. I've got the virtual server setup and a pool that is populated with the external nodes out on EC2. The external nodes pass the health check and I can access each individual node from my browser and get a response. But when I try to hit the virtual IP from my browser I get connection reset by peer. I'm not seeing anything being denied on my firewall. Any ideas?
hoolioCirrostratus
Hi Doug,
Do you have SNAT enabled on the VS so that LTM will translate the serverside source IP to its floating self IP?
Aaron
Doug_104173Yes, I have the SNAT Pool set to auto map. I also have the VLAN and tunnel Traffic set to all VLANS and Tunnels, address Translation and port Translation are both enabled and Source Port is set to Preserve.- hoolioIf you run a tcpdump looking for the client or server IP's, do you see any packets going to the server? Do you see a response? You can use a tcpdump command like this to check:
tcpdump -ni 0.0 -s0 host CLIENT_IP or host SERVER_IP
Aaron - Doug_104173Ok, so one question, it looks like all the health checks, and traffic out to the EC2 nodes is using the MGMT interface on eth0, not the self Ip, is that correct, should it use the SelfIP instead? I ran the tcpdump on the eth0 interface and looking for one of my external node IPs, and here is what I got back. The 172.18.0.18 is my MGMT address on eth0 and the 184.73.230.13 is the external IP of my EC2 instance:
15:54:54.303532 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: S 1099469672:1099469672(0) win 5840 15:54:54.313691 IP 184.73.230.13.etlservicemgr > 172.18.0.18.40241: S 1751514931:1751514931(0) ack 1099469673 win 5792 15:54:54.313760 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: . ack 1 win 46 15:54:54.314159 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: P 1:10(9) ack 1 win 46 15:54:54.324281 IP 184.73.230.13.etlservicemgr > 172.18.0.18.40241: . ack 10 win 46 15:54:54.326633 IP 184.73.230.13.etlservicemgr > 172.18.0.18.40241: P 1:953(952) ack 10 win 46 15:54:54.326653 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: . ack 953 win 61 15:54:54.326762 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: F 10:10(0) ack 953 win 61 15:54:54.327099 IP 184.73.230.13.etlservicemgr > 172.18.0.18.40241: F 953:953(0) ack 10 win 46 15:54:54.327153 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: . ack 954 win 61 15:54:54.533685 IP 172.18.0.18.40241 > 184.73.230.13.etlservicemgr: F 10:10(0) ack 954 win 61 15:54:54.543304 IP 184.73.230.13.etlservicemgr > 172.18.0.18.40241: . ack 11 win 46 - hoolioMonitor and load balanced traffic should be routed out a switch port; not a management port:
SOL6163: Error Message: Health check would route via mgmt port
https://support.f5.com/kb/en-us/solutions/public/6000/100/sol6163.html
You can fix this by adding a TMM route under Network >> Routes which points the traffic out a switch port.
Aaron - Doug_104173Ok, I looked at the bigger picture and added a secondary network interface to my LTM so now none of the health check traffic is going out the MGMT interface.
I'm still not seeing any traffic on the Self IP of the LTM virtual when I try to access the Virtual Server Instance IP address. The nodes still pass their health check though and I can see the traffic going out to them on EC2.
Any ideas? - Chris_Miller
Altostratus
Posted By Doug on 06/15/2010 12:29 PM
Ok, I looked at the bigger picture and added a secondary network interface to my LTM so now none of the health check traffic is going out the MGMT interface.
I'm still not seeing any traffic on the Self IP of the LTM virtual when I try to access the Virtual Server Instance IP address. The nodes still pass their health check though and I can see the traffic going out to them on EC2.
Any ideas?
When you say that you don't see the traffic on your SelfIP - are you looking at traffic on the physical self-ip or the floating self-ip? SNAT will use the floating one...
