Forum Discussion
esoteric22_2801
Nimbostratus
Mar 25, 2010
Load Balancing Internal Network
I am a novice and I would really appreciate some help.
Here is our predicament: we have three different applications which talk to each other using HTTP SOAP requests.
All applications have a farm of web servers which is being load balanced by the F5.
Application A and Application B reside on the same network as the F5.
Application X is outside the facility and talks to A and B over the internet through the F5.
This part works fine, X can talk with A or B through F5 and the requests are load balanced.
Our predicament is we are unable to make App A talk to App B through the F5.
We defined a Virtual host in the same subnet and set up the application to route to the virtual host.
We enabled logging and we can see from the F5 logs that the request is being redirected to the correct pool. But we do not get any response.
On setting up a network trace on the recipient and sending server, we observed that the HTTP SOAP request is being sent by Application A to F5 but never gets through to Application B.
Is it possible to implement such a solution? If so, please advise.
5 Replies
- esoteric22_2801
Nimbostratus
The internet facing connection is dealt with using a different virtual host.
- hoolio
Cirrostratus
The problem is that app B is replying back directly to app A as they're on the same subnet. However, app A didn't initiate a connection to app B. It opened a connection to the virtual server IP. So app A ignores app B's response.
If you're only using the virtual server for internal clients, you could enable SNAT automap on the virtual server so that LTM translates the source address to its IP address on requests to the pool for the virtual server. This ensures that the apps respond back to LTM.
If you only want to apply SNAT when the source and destination hosts are on the same subnet, you could use an iRule:
http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html
Aaron
- esoteric22_2801
Nimbostratus
Thank you for the prompt reply. We tried setting SNAT to AutoMap and then tried the same request, but with little luck.
The only difference was this time we could not see any request going out directly to Application Server B, but we still did not get a response.
Please forgive my ignorance, but is that all we need to do to enable SNAT or are there additional configurations to be done?
- hoolio
Cirrostratus
As far as IP layer config, that should be enough. Can you run a tcpdump on LTM on all switch interfaces filtering on the client and server IP addresses?
tcpdump -nni 0.0 host CLIENT_IP or host SERVER_IP
Thanks,
Aaron
- hc_andy_35682
Nimbostratus
As Aaron has already stated, snat is the way to fix this.
This is the irule we use to selectively snat machines which are on the same subnet and need to communicate with machines behind the F5.
when LB_SELECTED {
    if { [IP::addr [IP::remote_addr] equals [LB::server addr]/24] } {
        snat automap
    }
}
Just change the /24 to whatever mask your subnet uses and save it as an irule and then apply to your virtual server.
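
Added example, not part of the original thread and not F5 code: a Python script that reads an LTM-side `tcpdump -nn` capture like the one requested above and tells the same-subnet return-path failure hoolio describes apart from a pool member that simply is not answering. The function name `diagnose`, its result strings and every address are assumptions for this example; the capture lines are constructed and reduced to the SYN and SYN-ACK packets that decide the outcome.

```python
import ipaddress
import re

# Matches "IP src.port > dst.port: Flags [..]" in `tcpdump -nn` output.
PKT = re.compile(r"IP ([\d.]+)\.\d+ > ([\d.]+)\.\d+: Flags \[([^\]]+)\]")

def diagnose(capture, client, vip, server, subnet):
    """Classify an LTM-side capture of one client -> VIP -> pool member flow."""
    net = ipaddress.ip_network(subnet)
    same_subnet = all(ipaddress.ip_address(a) in net for a in (client, server))
    to_vip, pool_src, reply_seen = False, None, False
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if flags == "S" and src == client and dst == vip:
            to_vip = True                 # client-side SYN to the virtual server
        elif flags == "S" and dst == server:
            pool_src = src                # source LTM used towards the pool member
        elif flags == "S." and src == server and dst == pool_src:
            reply_seen = True             # pool member's SYN-ACK came back via LTM
    if not to_vip:
        return "client never reached the virtual server"
    if pool_src is None:
        return "no server-side connection seen"
    if reply_seen:
        return "ok: reply returns through LTM"
    if pool_src == client and same_subnet:
        return "SNAT needed: source preserved, same-subnet reply bypasses LTM"
    return "pool member not answering LTM: check the server side"

# Constructed captures (not from the thread): client 10.1.1.11, VIP 10.1.1.100,
# pool member 10.1.1.21, LTM self IP 10.1.1.5, all in 10.1.1.0/24.
NO_SNAT = """\
10:00:00.000100 IP 10.1.1.11.51000 > 10.1.1.100.80: Flags [S], seq 1, length 0
10:00:00.000200 IP 10.1.1.11.51000 > 10.1.1.21.80: Flags [S], seq 1, length 0
"""
WITH_SNAT = """\
10:00:00.000100 IP 10.1.1.11.51000 > 10.1.1.100.80: Flags [S], seq 1, length 0
10:00:00.000200 IP 10.1.1.5.40000 > 10.1.1.21.80: Flags [S], seq 1, length 0
10:00:00.000300 IP 10.1.1.21.80 > 10.1.1.5.40000: Flags [S.], seq 9, ack 2, length 0
"""
ARGS = ("10.1.1.11", "10.1.1.100", "10.1.1.21", "10.1.1.0/24")

if __name__ == "__main__":
    print(diagnose(NO_SNAT, *ARGS))
    print(diagnose(WITH_SNAT, *ARGS))
```

If the server-side SYN already carries an LTM address as its source and no SYN-ACK returns, SNAT is doing its job and the pool member's listener, host firewall or routes are the next place to look.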
