Load Balancing Question

Hi All,

The company I work for recently inherited a F5-BIG-LTM-1500 v.9.1.2. We do have a support contract but I thought I would ask this question here first as we are having issues in getting our environment setup.

It's a basic configuration, or so I think. We want to load balance 3 servers running IIS 6. The F5 is on the same network segment, a DMZ, as the servers to be load balanced, which all are attached to a switch. The management interface of the F5 is on a different network segment however.

I have created the nodes, a pool, and a virtual server. We have 1 VLAN created with a self-ip, all of which is on the DMZ subnet, 192.168.199.x / 24.

One question is on the servers where should the default gateway point? To the self-ip or the router?

The traffic flow is as follows:

--> ---> --->

Attached to the :

I've read the deployment docs in full but still feel I'm missing something.

I'd appreciate any further insight anyone could offer.

microsoft

partner

JRahm
Admin
May 15, 2007
Your configuration is refered to as BigIP-on-a-stick, or classically vip-bounceback.

Clients should hit the VIP, say 10.10.10.250:80. BigIP will need a snat (which can be defined in a snatpool, or simply select snat automap) applied to the virtual server if the servers are in the same subnet. The reason this is so is because if the F5 is not the default gateway and the traffic is passed with the originator's IP address as source, the servers will send the traffic directly back to the client, bypassing the F5. This is OK on some protocols, but not TCP, it will break. A configuration like this should work for you:
virtual iis-vip { destination 10.10.10.250:http snatpool iis-snat pool iis-pool } snatpool iis-snat { member 10.10.10.250 } pool iis-pool { monitor all tcp_80 member 10.10.10.252:http member 10.10.10.253:http member 10.10.10.254:http }

Note that snat automap will use the self IP address assigned to the created vlan, whereas creating a snatpool and assigning the same IP address as your virtual gives you a certain level of control.
Liquid_22_54866
Nimbostratus
May 15, 2007
Great, thank you.

Here is our config:
} node 192.168.199.10 { screen server a } node 192.168.199.20 { screen server b } node 192.168.199.30 { screen server c } pool iis_web_pool { lb method member least conn monitor all http and tcp member 192.168.199.10:80 member 192.168.199.20:80 member 192.168.199.30:80 } snatpool iis_snat { member 192.168.199.50 } virtual vs_iis { destination 192.168.199.50:80 snatpool iis_snat ip protocol tcp profile http tcp pool iis_web_pool }

Given that information above would you think our configuration is correct? The reason I ask is for whatever reason I cannot ping our virtual server IP address and I'm trying to determine if that's something wrong with the F5 or our network switch.

Just to reiterate the self-ip is 192.168.199.51 (only one VLAN) and the default gateway on the servers points to our router, which is 192.168.199.1

Thanks in advance.
JRahm
Admin
May 15, 2007
Are you pinging from a different subnet? Does the bigip also default to 192.168.199.1? Do you have ACL's anywhere? There are a lot of reasons why ping would not work. The real question is does the app work?
JRahm
Admin
May 15, 2007
OK, a couple things here. The management network is not part of the TMM. Default route for tmm would be shown at the command line with the command b route list. This route should be to your server's default gateway as well, because this is where client traffic is coming from. So the NAT on your router/firewall should be for your vip. Now, for your testing, you need to be on a network that can succesfully route to the public translation, or be local on the server network. Trying to route through your management interface won't work.
Liquid_22_54866
Nimbostratus
May 15, 2007
Gotcha - I didn't think it was but just wanted to make sure.

Given that command I get "No route table entries were found." I think I need to set something up then???
Liquid_22_54866
Nimbostratus
May 15, 2007
I added the following:
route default inet { gateway 192.168.199.1 }

I still can't reach the virtual server IP so we may have a network issue, unless I added the wrong information above. When I get to the F5 via SSH and try to ping the virtual server IP I receive a destination host unreachable.

Thanks.
JRahm
Admin
May 16, 2007
Can you ping the default gateway or the servers when ssh'd into the F5? If not, you may want to do a bigstart restart (which will be service impacting if any services are active)
Liquid_22_54866
Nimbostratus
May 16, 2007
Yes,

I can ping all the servers and the router when ssh'd into the F5. I think there are some stale VLAN entries. Do you know which file holds that information? The reason I think this is I was adding a new VLAN with a new IP to test and I received an error stating that a VLAN with the IP I was adding already exists. I checked the bigip_base.conf file but only saw the VLAN I should have so I'm not sure if a different file holds this info.

Thanks.
Liquid_22_54866
Nimbostratus
May 16, 2007
I have good news. I ran the bigstart restart command for grins and now I can ping the virutal IP from both my workstation, the servers and from SSH.

My app is still not working but now I believe this is stricly a firewall issue and will have to engage our WAN guys.

I really appreciate the help.
JRahm
Admin
May 16, 2007
Any time. Post back if you get stuck.

Forum Discussion

Load Balancing Question

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Load Balancing TCP TLS Encrypted Syslog Messages

What is Load Balancing?

NGINXaaS for Azure: Load Balancing

Load Balancing Omnissa Unified Access Gateway with BIG-IP LTM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS