Forum Discussion
walkerjt_97411
Nimbostratus
Sep 29, 2008
LTM multiple interface/vlan routing issue
I have a dilemma that I believe has a remedy utilizing the many tools BigIP has, but I am unable to discover or maybe comprehend it! I need help!
here is the scenario:
I h...
Joe_Willis_4776
Nimbostratus
Sep 30, 2008
To make sure I understand, I want to simplify and illustrate your failed scenario:
ENVIRONMENT
----------------------
VLAN 1 = 192.168.1.0/24
VLAN 2 = 192.168.2.0/24
Server A = 192.168.1.10
Server B = 192.168.1.11
BIGIP
interface 1.1 = 192.168.1.50
interface 1.2 = 192.168.2.50
VIP myVip
IP = 192.168.2.101
port = 80
default pool = myPool
POOL myPool has Server B as its member
SCENARIO
-----------------------
From Server A, you are trying to access http://myVip/index.html and it's failing.
If I've captured what you are saying correctly, then you do indeed have a routing problem.
The whole time Server A's TCP packet is traversing the network, including when it reaches its final destination, the source IP will be 192.168.1.10. When Server B finishes whatever processing it does and wants to return the traffic, it says "hey, 192.168.1.10 is on the same VLAN as me, I can respond directly". Even if you have the default gateway of Server B set to the LB, the LB will make no routing decision on the traffic, won't even inspect the entire packet, and will forward the traffic on to Server A. If you look at the routing table of Server B, you'll see an entry that says for 192.168.1.0 mask 255.255.255.0 traffic use 192.168.1.11 as the gateway. It's as if Server B is responding directly to Server A, and thus the traffic is not egressing back the same way.
SNAT is the answer.
The easiest way to address your issue is to assign Automap to the SNAT pool for myVip. Doing this will cause the BIGIP to change the source IP of the TCP packet to itself before passing the TCP packet down to the pool (and then to the pool member). Doing this, though, will cause you to lose Server A's IP address in Server B's logs. If you want to maintain Server A's IP address (and any other server that lives on the same VLAN and will be calling the VIP), then consider creating one-to-one global SNATs (if the number of servers is relatively small).
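A small simulation of the forward and return path described in this reply, added here as an illustration; it is not part of the original thread and not F5 code. It models Server B's longest-prefix route lookup and the three cases the reply discusses: no SNAT, SNAT Automap, and a one-to-one SNAT. The VIP, self IPs and pool member are the ones from the scenario above; the one-to-one translation address 192.168.1.60 and Server B's route table are assumptions. With Automap the translated source is the self IP on the VLAN facing the member (192.168.1.50), so Server B's reply is addressed to the BIG-IP even though 192.168.1.0/24 is a directly connected route.

```python
import ipaddress

# Constructed topology, taken from the scenario in the reply above.
VIP = "192.168.2.101"
SERVER_A = "192.168.1.10"          # client on VLAN 1
SERVER_B = "192.168.1.11"          # pool member, also on VLAN 1
BIGIP_SELF_VLAN1 = "192.168.1.50"  # BIG-IP self IP on VLAN 1
BIGIP_SELF_VLAN2 = "192.168.2.50"  # BIG-IP self IP on VLAN 2

# Assumed routing table of Server B: (prefix, next hop); None means on-link.
# The default gateway points at the BIG-IP, which, as the reply notes, does
# not help for destinations on the directly connected /24.
SERVER_B_ROUTES = [
    ("192.168.1.0/24", None),
    ("0.0.0.0/0", BIGIP_SELF_VLAN1),
]


def next_hop(routes, dst):
    """Longest-prefix-match lookup. Returns the next-hop IP, or dst itself
    when the matching route is directly connected."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1] or dst


def forward_to_pool(client_src, snat):
    """Model the BIG-IP passing the client packet to the pool member.
    The destination is always rewritten to the member. The source is rewritten
    only when SNAT is configured: Automap uses the self IP on the member's VLAN,
    a dict is a one-to-one SNAT mapping origin -> translation address."""
    if snat == "automap":
        src = BIGIP_SELF_VLAN1
    elif isinstance(snat, dict):
        src = snat.get(client_src, client_src)
    else:
        src = client_src
    return {"src": src, "dst": SERVER_B}


def server_b_reply(pkt):
    """Server B swaps the addresses and hands the reply to whatever its
    route table selects for the destination."""
    reply = {"src": pkt["dst"], "dst": pkt["src"]}
    return reply, next_hop(SERVER_B_ROUTES, reply["dst"])


def simulate(snat=None):
    """Run one request/reply through the topology and report whether the
    reply comes back through the BIG-IP, which is what makes the connection work."""
    fwd = forward_to_pool(SERVER_A, snat)
    reply, hop = server_b_reply(fwd)
    # Addresses the BIG-IP owns and answers for on the wire: its self IPs plus
    # any one-to-one SNAT translation addresses.
    bigip_owned = {BIGIP_SELF_VLAN1, BIGIP_SELF_VLAN2}
    if isinstance(snat, dict):
        bigip_owned |= set(snat.values())
    via_bigip = hop in bigip_owned
    return {
        "member_sees_src": fwd["src"],
        "reply_next_hop": hop,
        "returns_via_bigip": via_bigip,
        # Only a reply that passes back through the BIG-IP gets its source
        # rewritten to the VIP; otherwise Server A sees Server B's real
        # address, no socket matches, and the connection fails.
        "client_sees_src": VIP if via_bigip else reply["src"],
        "connection_works": via_bigip,
    }


if __name__ == "__main__":
    for label, snat in (("no SNAT", None),
                        ("SNAT Automap", "automap"),
                        ("one-to-one SNAT", {SERVER_A: "192.168.1.60"})):
        print(label, simulate(snat))
```

The one-to-one case shows the trade-off the reply describes: Server B's log still does not contain 192.168.1.10, but every connection from Server A arrives from one fixed address (192.168.1.60 in this assumed mapping), so the log remains attributable per client. On current TMOS the Automap setting corresponds to `source-address-translation { type automap }` on the virtual server in tmsh; that syntax is from my own knowledge, not from the post.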