Forum Discussion
walkerjt_97411
Nimbostratus
Sep 29, 2008
LTM multiple interface/vlan routing issue
I have a dilemma that I believe has a remedy utilizing the many tools BigIP has, but am unable to discover or maybe comprehend it! Need help!
Here is the scenario:
I have an environment with four core switches servicing many different vlans and environments. We have connected our LTM to all switches and separated communications by vlan and interface. This all seems to work perfectly for external users that are attempting to access services behind the BigIPs, but I have an issue with servers from one of the connected vlans for BigIP accessing the VIP address for services behind BigIP. This is, I assume, an asynchronous routing issue that should be resolvable.
The breakdown:
Successful scenario:
1. From the User's vlan
2. To the BigIP VIP address vlan
3. To the Application Server
4. Back to BigIP
5. Back to the User
Unsuccessful setup
1. From the Server vlan
2. To the BigIP VIP address vlan
3. To the Application Server
4. Back to BigIP
5. Fails back to the Server
Please help, I can explain it more in depth if need be.
11 Replies
- Joe_Willis_4776
Nimbostratus
To make sure I understand, I want to simplify and illustrate your failed scenario:
ENVIRONMENT
----------------------
VLAN 1 = 192.168.1.0/24
VLAN 2 = 192.168.2.0/24
Server A = 192.168.1.10
Server B = 192.168.1.11
BIGIP
interface 1.1 = 192.168.1.50
interface 1.2 = 192.168.2.50
VIP myVip
IP = 192.168.2.101
port = 80
default pool = myPool
POOL myPool has Server B as its member
SCENARIO
-----------------------
From Server A, you are trying to access http://myVip/index.html and it's failing.
If I've captured what you are saying correctly, then you do indeed have a routing problem.
The whole time Server A's TCP packet is traversing the network, including when it reaches its final destination, the source IP will be 192.168.1.10. When Server B finishes whatever processing it does and wants to return the traffic, it says "hey, 192.168.1.10 is on the same VLAN as me, I can respond directly". Even if you have the default gateway of Server B set to the LB, the LB will make no routing decision on the traffic, won't even inspect the entire packet, and will forward the traffic on to Server A. If you look at the routing table of Server B, you'll see an entry that says for 192.168.1.0 mask 255.255.255.0 traffic use 192.168.1.11 as the gateway. It's as if Server B is responding directly to Server A, and thus the traffic is not egressing back the same way.
SNAT is the answer.
The easiest way to address your issue is to assign Automap to the SNAT pool for myVip. Doing this will cause the BIGIP to change the SOURCE IP of the TCP packet to itself before passing the TCP packet down to the pool (and then to the pool member). Doing this though will cause you to lose Server A's IP address in Server B's logs. If you want to maintain Server A's IP address (and any other server that lives on the same VLAN and will be calling the VIP), then consider creating one to one global SNATs (if the number of servers is relatively small).
- walkerjt_97411
Nimbostratus
You are almost completely correct in your capturing of the problem. Everything is dead on except the part about Server B being local to Server A; while this may be the case, we have not run into that yet. The actual scenario we are in is below:
ENVIRONMENT
----------------------
VLAN 1 = 192.168.1.0/24
VLAN 2 = 192.168.2.0/24
VLAN 3 = 192.168.3.0/24
Server B = 192.168.1.11
Server C = 192.168.3.10
BIGIP
interface 1.1 = 192.168.1.50
interface 1.2 = 192.168.2.50
interface 1.3 = 192.168.3.50
VIP myVip
IP = 192.168.2.101
port = 80
default pool = myPool
POOL myPool has Server B as its member
SCENARIO
-----------------------
From Server C, you are trying to access http://myVip/index.html and it's failing.
I liked your layout of the description, sorry I plagiarized!
It seems as though BigIP does not like the fact that it received a request on interface 1.2, sent it to the server needed, but wants to send the traffic back on interface 1.3.
FLOW
----------
from server C ---> into interface 1.2 (myVip) ---> out to server B ---> returning to interface 1.1 ---> out of interface 1.3
- Joe_Willis_4776
Nimbostratus
hmm..
Can you make sure on Server B you don't have any static routes for 192.168.3.0/24? The LTM should forward everything; do you have a virtual forwarding server defined (we have one for all addresses and ports; I think by default one is defined). You could also try running some tcpdumps to see if you can determine where the issue is.
Couple of questions:
- what are the default gateways for servers b and c?
- do you have any SNATs configured (or are using automap)?
- are there any switches in your env that are plugged into all VLANs as well?
The last one could cause you an issue. For instance, let's say that Server C's default gateway is Switch1. However, Switch1 has interfaces on both 192.168.3.0/24 (call it int1) and 192.168.2.0/24 (call it int2). This would lead to asynchronous routing...
- walkerjt_97411
Nimbostratus
We checked that; actually Server B has its default gateway pointing to BigIP. Connection to Server B is successful from any environment other than a network that is local to BigIP.
Couple of questions:
- what are the default gateways for servers b and c? server B = BigIP; server C = network router
- do you have any SNATs configured (or are using automap)? No
- are there any switches in your env that are plugged into all VLANs as well? Yes
I am positive that it is asynchronous routing, except it is from the BigIP level. I am hoping that there is a way around it with BigIP's configurability.
- walkerjt_97411
Nimbostratus
BTW thanks for the help! I am the network architect, so I know routing from that standpoint, but I am not that familiar with BigIP.
- Irfan_Gazi_3882
Nimbostratus
Can you please draw the scenario. I am not able to get it completely.
Is it like this?

                          Servers
                             |
                             |
    Sw4(Interface/Vlan4)-----------BIGIP-------------(Interface/Vlan3)Sw3
                                  /   \
                                 /     \
                                /       \
                               /         \
                              /           \
         Sw1(Interface/Vlan1)               Sw2(Interface/Vlan2)

- Irfan_Gazi_3882
Nimbostratus
ENVIRONMENT
----------------------
VLAN 1 = 192.168.1.0/24
VLAN 2 = 192.168.2.0/24
VLAN 3 = 192.168.3.0/24
Server A = 192.168.1.11
Server B = 192.168.2.11
Server C = 192.168.3.11
BIGIP
interface 1.1 = 192.168.1.50
interface 1.2 = 192.168.2.50
interface 1.3 = 192.168.3.50
VIP myVip
IP = 192.168.2.101
port = 80
default pool = myPool
POOL myPool has Server B as its member
(I think I am right in understanding the environment.)
SCENARIO
-----------------------
"From Server C, you are trying to access http://myVip/index.html and it's failing." This means you are trying to access Server B.
- Irfan_Gazi_3882
Nimbostratus
"It seems as though BigIP does not like the fact that it received a request on interface 1.2, sent it to the server needed, but wants to send the traffic back on interface 1.3."
I think the request will go from Server C to interface 1.3 and not 1.2. And if the default gateway configured at Server C is the network switch/router, then there may be the problem. Issue with the IP/MAC strip and change.
- Irfan_Gazi_3882
Nimbostratus
So SNAT should solve it, and I can refer to the same answer given earlier about the switch routing between two interfaces.
- dennypayne
Employee
Posted By jtwil1 on 09/30/2008 2:15 PM
The LTM should forward everything; do you have a virtual forwarding server defined (we have one for all addresses and ports, I think by default one is defined).
BIG-IP is a default deny device, so, no, there is no default forwarding of packets. Therefore the original poster needs to either configure a wildcard forwarding virtual server (0.0.0.0:0 - Type IP Forwarding) or use a SNAT to allow the packets to flow outbound.
Denny
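As an added example (not from the thread, and written in present-day tmsh syntax rather than the 2008-era bigpipe syntax), here are the two remedies Denny names, using the thread's addresses, pool and VIP; the VLAN names vlan1, vlan2, vlan3 and the virtual server name vs_ip_forward are assumptions.

```tmsh
# Added example, not the thread's own configuration. Addresses, pool and VIP
# names come from the thread; vlan1/vlan2/vlan3 and vs_ip_forward are assumed.

# Pool as described in the thread: Server B (192.168.1.11) is the only member.
create ltm pool myPool members add { 192.168.1.11:80 } monitor http

# Remedy 1: SNAT automap on the VIP. Server B then sees the BIG-IP self IP on
# VLAN 1 as the client, so its reply has to come back through the BIG-IP no
# matter what Server B's gateway is or which VLAN the real client sits on.
# Trade-off noted in the thread: Server B's logs no longer show Server C's IP.
create ltm virtual myVip {
    destination 192.168.2.101:80
    ip-protocol tcp
    pool myPool
    profiles add { tcp http }
    source-address-translation { type automap }
}

# Remedy 2: a wildcard IP-forwarding virtual server. BIG-IP is default deny:
# a packet that matches no virtual server (for example plain routed traffic
# between the connected VLANs) is dropped unless a forwarder like this exists.
# Limit it to the VLANs that should be allowed to route through the box
# rather than leaving it open on every interface.
create ltm virtual vs_ip_forward {
    destination 0.0.0.0:any
    mask any
    ip-forward
    profiles add { fastL4 }
    vlans-enabled
    vlans add { vlan1 vlan2 vlan3 }
}

# Checks that follow the thread's own suggestions: confirm the connection
# table shows a self IP as the server-side source once automap is on, and
# watch the packet path from the bash shell with
#   tcpdump -ni 0.0 host 192.168.3.11 and port 80
show sys connection cs-server-addr 192.168.2.101
```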
