Forum Discussion
Liquid_22_54866 (Nimbostratus)
May 15, 2007
Load Balancing Question
Hi All,
The company I work for recently inherited a F5-BIG-LTM-1500 v.9.1.2. We do have a support contract but I thought I would ask this question here first as we are having issues in getting our environment setup.
It's a basic configuration, or so I think. We want to load balance 3 servers running IIS 6. The F5 is on the same network segment, a DMZ, as the servers to be load balanced, which all are attached to a switch. The management interface of the F5 is on a different network segment however.
I have created the nodes, a pool, and a virtual server. We have 1 VLAN created with a self-ip, all of which is on the DMZ subnet, 192.168.199.x / 24.
One question is on the servers where should the default gateway point? To the self-ip or the router?
The traffic flow is as follows:
--> ---> --->
Attached to the :
I've read the deployment docs in full but still feel I'm missing something.
I'd appreciate any further insight anyone could offer.
17 Replies
- DDreggors_21345 (Nimbostratus): Using the same setup guidelines as you mention above, I can see the web pages (from all three servers) and all works well on my LTM except one rather annoying fact. My load balanced servers are Apache on Linux and when I look at the logs the remote host for every entry is the IP of my LTM! I have called support and they gave me several methods to try to get around SNAT which all failed at getting the true source IP of the remote host into those logs! I was wondering why this would be and if you have any suggestions?
 Here is my setup:
 VIP: 192.168.10.249
 Self IP: 192.168.10.1
 Server 1: 192.168.10.2
 Server 2: 192.168.10.3
 Server 3: 192.168.10.4
 Default GW of LTM: 192.168.10.254 (Gateway Router)
 Default GW of Servers: 192.168.10.1 (Self IP of LTM)
 Note:
 I notice you say to use the IP of the VIP not the SelfIP for the default gw, the gw on my servers is NOT the IP of the VIP, the support engineers had me set it up this way.
 I also have ALL SNAT turned off (set to none) in advanced section of virtual server and no SNAT Pools or Pool members defined.
 Thank you for any help you can give as this is a serious issue for my company, as we use third party applications that read our logs and give us stats/accounting info which rely heavily on that entry. Since we do not have rights to modify the source code of these apps we are stuck until we can get this resolved in the LTM.
- You may want to reboot or reload the configuration, because if you have the Self-IP of the LTM as the gateway for the servers (although you should use the shared IP alias for failover), and you have no SNAT configured, you should see the original client IP as the address in the server log. I suspect you have SNAT Automap or default SNAT configured and you are unaware of it. When the servers and VS are on the same subnet a SNAT is required, unless, like in your case, the default gateway of the servers is the LTM.
 Make sure you are changing the correct LTM also if you have redundant pair. You may be changing the standby and using the active.
- Tech_Imp_40243 (Historic F5 Account): If you can't turn off SNAT you may want to check out Solution 4816 (https://tech.f5.com/home/solutions/sol4816.html) on AskF5. It maps out how to use the X-Forwarded-For HTTP header to keep the original IP address from being translated by a SNAT.
- DDreggors_21345 (Nimbostratus): "I suspect you have SNAT Automap or default SNAT configured and you are unaware of it. When the servers and VS are on the same subnet a SNAT is required, unless like in your case, the default gateway of the servers is the LTM."
 Nope, I am painfully aware of *ALL* the SNAT options as I have been in many phone calls with F5 and read much documentation. I have the following set:
 Under Virtual Servers:
 SNAT Pool [none] (no automap)
 Under Pools (node pools):
 Allow SNAT [NO]
 Under SNAT:
 SNAT List [Empty]
 SNAT Pool List [Empty]
 SNAT Translation [Empty]
 NAT List [Empty]
 As it turns out I have corrected the issue. Right under the drop down for "Allow SNAT" in Pools was another option to allow NAT (which is not SNAT). Once I turned that off the IPs started showing up right in the logs!
 Also, in answer to jamesh:
 "If you can't turn off SNAT you may want to check out Solution 4816 (https://tech.f5.com/home/solutions/sol4816.html) on AskF5. It maps out how to use the X-Forwarded-For HTTP header to keep the original IP address from being translated by a SNAT."
 Cannot use headers that are added in as a custom tag for a few reasons, but one of the main ones is security. A custom tag such as X-Forwarded-For can be spoofed.
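The spoofing concern raised in the reply above is real, but it is a property of how the header is consumed, not of the header itself: X-Forwarded-For is only meaningful when the web server trusts it solely from the address of the load balancer that appended it. The following is an added example, not code from the original thread or from F5, showing the safe pattern next to the naive one. It assumes the balancer inserts the real client address as the last (rightmost) hop of the header, and it uses the SNAT/self IP 192.168.10.1 from this thread as the trusted proxy; the header values and client addresses are constructed for the example.

```python
"""Resolve the real client address behind a load balancer from X-Forwarded-For.

Added example. Assumptions (not stated by the forum thread):
  * the balancer appends the true client address as the rightmost hop;
  * only the addresses in TRUSTED_PROXIES may have their header believed.
"""
import ipaddress
from typing import Iterable, Optional

# The LTM SNAT / self IP from the thread; a constructed trust list.
TRUSTED_PROXIES = ["192.168.10.1/32"]


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The insecure pattern: believe the leftmost header value from anyone.

    A client that connects directly (or that pre-loads the header before the
    balancer appends to it) chooses what gets written to the access log.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address to log as the client.

    remote_addr     : the TCP peer address the web server actually saw
    xff             : raw X-Forwarded-For header value, or None
    trusted_proxies : networks whose X-Forwarded-For we believe

    Walk the chain from the hop nearest to us (rightmost) back toward the
    client, skipping trusted proxies; the first hop that is not a trusted
    proxy is the client. If the TCP peer itself is not a trusted proxy, the
    header is ignored entirely, so a direct connection cannot forge anything.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue  # another proxy in our own tier; keep walking left
        try:
            ipaddress.ip_address(hop)  # reject garbage injected by a client
        except ValueError:
            break
        return hop
    # Empty, malformed, or every hop was a proxy: fall back to the TCP peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed scenarios: (peer seen by server, header, description)
    cases = [
        ("192.168.10.1", "203.0.113.7", "normal request via the LTM"),
        ("192.168.10.1", "1.2.3.4, 203.0.113.7", "client pre-loaded a fake hop"),
        ("198.51.100.9", "10.0.0.1", "direct connection, header forged"),
        ("192.168.10.1", "not-an-ip", "garbage in the header"),
    ]
    for peer, header, why in cases:
        print(f"{why:32} naive={naive_client_ip(peer, header):14} "
              f"safe={resolve_client_ip(peer, header)}")
```

The logging side then records the value returned by `resolve_client_ip`, never the raw header; in Apache terms this is the difference between logging `%{X-Forwarded-For}i` unconditionally and only doing so for requests whose peer is the balancer.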
- Tech_Imp_40243 (Historic F5 Account): Glad to hear you are up and running!
- Danie_Smit_1037 (Nimbostratus): Hi
 The default gateway needs to point to your firewall. What you should do is enable SNAT on the LTM so that the client source IP is NATted to that of the source NAT IP on the F5. This will prevent asymmetric routing. It will also stop the firewall from dropping "out of state" packets when the client request and server reply are not part of the same TCP session.
 Your traffic flow should be as follows
 Traffic flow from Client to Server
 client->Internet->router/firewall->switch->LTM Virtual-ServerIP
 From the LTM to the server
 LTM SNAT IP->Web Server.
 The reply from the server will then be
 Server->LTM SNAT IP->LTM Virtual ServerIP->Switch->Firewall and back to the client over the Internet.
 Cheers
 Danie
- Angel__Herrera_ (Nimbostratus): I have my LTM self IP address configured as the gateway on my servers. I can route and ping across the network but I cannot ping the self IP address from the servers. There are no firewalls in between, just a layer 2 switch.
 Any suggestions?
 thanks
 Angel