Forum Discussion
Liquid_22_54866
Nimbostratus
NimbostratusLoad Balancing Question
Hi All,
The company I work for recently inherited a F5-BIG-LTM-1500 v.9.1.2. We do have a support contract but I thought I would ask this question here first as we are having issues in getting our environment setup.
It's a basic configuration, or so I think. We want to load balance 3 servers running IIS 6. The F5 is on the same network segment, a DMZ, as the servers to be load balanced, which all are attached to a switch. The management interface of the F5 is on a different network segment however.
I have created the nodes, a pool, and a virtual server. We have 1 VLAN created with a self-ip, all of which is on the DMZ subnet, 192.168.199.x / 24.
One question is on the servers where should the default gateway point? To the self-ip or the router?
The traffic flow is as follows:
--> ---> --->
Attached to the :
I've read the deployment docs in full but still feel I'm missing something.
I'd appreciate any further insight anyone could offer.
17 Replies
- JRahm
Admin
Your configuration is refered to as BigIP-on-a-stick, or classically vip-bounceback.
Clients should hit the VIP, say 10.10.10.250:80. BigIP will need a snat (which can be defined in a snatpool, or simply select snat automap) applied to the virtual server if the servers are in the same subnet. The reason this is so is because if the F5 is not the default gateway and the traffic is passed with the originator's IP address as source, the servers will send the traffic directly back to the client, bypassing the F5. This is OK on some protocols, but not TCP, it will break. A configuration like this should work for you:virtual iis-vip { destination 10.10.10.250:http snatpool iis-snat pool iis-pool } snatpool iis-snat { member 10.10.10.250 } pool iis-pool { monitor all tcp_80 member 10.10.10.252:http member 10.10.10.253:http member 10.10.10.254:http }
Note that snat automap will use the self IP address assigned to the created vlan, whereas creating a snatpool and assigning the same IP address as your virtual gives you a certain level of control. 
Liquid_22_54866Great, thank you.
Here is our config:} node 192.168.199.10 { screen server a } node 192.168.199.20 { screen server b } node 192.168.199.30 { screen server c } pool iis_web_pool { lb method member least conn monitor all http and tcp member 192.168.199.10:80 member 192.168.199.20:80 member 192.168.199.30:80 } snatpool iis_snat { member 192.168.199.50 } virtual vs_iis { destination 192.168.199.50:80 snatpool iis_snat ip protocol tcp profile http tcp pool iis_web_pool }
Given that information above would you think our configuration is correct? The reason I ask is for whatever reason I cannot ping our virtual server IP address and I'm trying to determine if that's something wrong with the F5 or our network switch.
Just to reiterate the self-ip is 192.168.199.51 (only one VLAN) and the default gateway on the servers points to our router, which is 192.168.199.1
Thanks in advance.- JRahmAre you pinging from a different subnet? Does the bigip also default to 192.168.199.1? Do you have ACL's anywhere? There are a lot of reasons why ping would not work. The real question is does the app work?
- JRahmOK, a couple things here. The management network is not part of the TMM. Default route for tmm would be shown at the command line with the command b route list. This route should be to your server's default gateway as well, because this is where client traffic is coming from. So the NAT on your router/firewall should be for your vip. Now, for your testing, you need to be on a network that can succesfully route to the public translation, or be local on the server network. Trying to route through your management interface won't work.
- Liquid_22_54866Gotcha - I didn't think it was but just wanted to make sure.
Given that command I get "No route table entries were found." I think I need to set something up then??? - Liquid_22_54866I added the following:
route default inet { gateway 192.168.199.1 }
I still can't reach the virtual server IP so we may have a network issue, unless I added the wrong information above. When I get to the F5 via SSH and try to ping the virtual server IP I receive a destination host unreachable.
Thanks. - JRahmCan you ping the default gateway or the servers when ssh'd into the F5? If not, you may want to do a bigstart restart (which will be service impacting if any services are active)
- Liquid_22_54866Yes,
I can ping all the servers and the router when ssh'd into the F5. I think there are some stale VLAN entries. Do you know which file holds that information? The reason I think this is I was adding a new VLAN with a new IP to test and I received an error stating that a VLAN with the IP I was adding already exists. I checked the bigip_base.conf file but only saw the VLAN I should have so I'm not sure if a different file holds this info.
Thanks. - Liquid_22_54866I have good news. I ran the bigstart restart command for grins and now I can ping the virutal IP from both my workstation, the servers and from SSH.
My app is still not working but now I believe this is stricly a firewall issue and will have to engage our WAN guys.
I really appreciate the help. - JRahmAny time. Post back if you get stuck.
