LTM Websense loadbalancing VIP resets connection
The traffic flow for this connection is:
DMZ (on firewall) 10.0.0.0/24 range -> hits an IP 192.168.1.x ->
SRC NAT(outgoing interface of the fw) and DST NAT (to VIP:8080) ->
NO AUTO MAP, Persistence used -> Loadbalanced across websense pool ->
reply goes back the same interface of the fw which was used for the src NAT IP.
In the pcaps from LTM, the VIP resets the connection after a GET from the src NATTED IP. And the reset from the LTM only says "TCP retransmission timeout".
From reading this thread: https://devcentral.f5.com/questions/load-balancing-web-proxy-servers
It seems that the TCP profile low timeout value could be an issue here but I'm not sure and not sure how to test this.
On another note I feel the SRC NATTED address on the fw interface is exhausting its limit of 64k ports and hence the LTM is failing to respond in time.
What troubleshooting approach can I go to from here? Just started with F5s.
Thanks.
The backend Websense node just didn't have a route back to the fw's NATted IP address and so it was never responding; once that was added, the issue is solved now.
2 Replies
- Simon_Blakely
Employee
It sounds to me that you have an asymmetric traffic path with a virtual that expects traffic to return through the LTM.
If you want to use an asymmetric traffic path, you need to use n-Path routing, which requires a Performance Layer-4 virtual with a FastL4 profile implementing Loose Initiation/Loose Close.
Alternatively, to use a Standard virtual, traffic must return to the LTM by using a SNAT/SNAT Automap configuration.
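As an added illustration (not from the thread or from F5's documentation), here is what the two options described above look in tmsh, with the diagnostic capture the original poster was asking for. All addresses, pool member IPs and object names are constructed placeholders.

```tmsh
# Option A: Standard virtual. SNAT Automap rewrites the client source to an LTM
# self IP, so the Websense nodes reply to the LTM rather than to the firewall's
# NAT address; no return route to the firewall is needed on the nodes.
# Constructed placeholders: VIP 192.168.1.10, members 10.10.10.11/.12.
create ltm pool websense_pool members add { 10.10.10.11:8080 10.10.10.12:8080 } monitor tcp
create ltm virtual vs_websense destination 192.168.1.10:8080 ip-protocol tcp profiles add { tcp http } pool websense_pool source-address-translation { type automap } persist replace-all-with { source_addr }

# Option B: n-Path. A Performance (Layer 4) virtual with a FastL4 profile that
# accepts one-sided flows (loose init/close) and does not reset on idle timeout.
# The LTM only sees client-to-server packets; the nodes must reach the
# firewall's NATted source directly and must answer for the VIP themselves.
create ltm profile fastl4 fastl4_npath defaults-from fastL4 loose-initialization enabled loose-close enabled reset-on-timeout disabled
create ltm virtual vs_websense_npath destination 192.168.1.10:8080 ip-protocol tcp profiles replace-all-with { fastl4_npath } pool websense_pool translate-address disabled translate-port disabled

# Check from the LTM (bash) whether server-to-client packets actually come
# back through it; with a Standard virtual and no SNAT, an empty reply half
# here is the asymmetric path that produces the reset seen in the pcaps.
tcpdump -ni 0.0:nnn host 192.168.1.10 and port 8080
```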