Forum Discussion

ucriola_95120
Mar 23, 2010

MQ Series

Hi All,

I was wondering if anyone else may have run into this issue. I have configured a server in line with our F5 LTM (i.e. no SNAT, the server's default gateway is the F5) and I'm able to get MQ Series to connect through the external F5 interface to the server behind the F5 without an issue. However, I haven't been able to get MQ Series to connect the other way (i.e. from the server to the internal F5 interface). I have configured an outbound VS with an any/any. I have tried with a SNAT pool, address translation, and a NAT, and all I get from the inbound direction is that the MQ queue just doesn't connect; if I take the F5 out of the path, MQ comes up both ways without an issue.

I'm not an MQ expert, but a quick look through the MQ documentation suggests that it just uses port 1414 (TCP) as its only port for both inbound and outbound.

I have had a look for a deployment guide, but there is only one for WebSphere Application Server and nothing on MQ Series.

Regards,

UC..
  • Two things stand out, mostly as a hunch based on a quick scan of the info found here: http://www.capitalware.biz/dl/docs/MQFirewalls.pdf . It sounds like you may have already done some or all of this, but just in case...

    1) For your return traffic sourcing from the queue, be sure to create a SNAT address that matches your external-facing VS address. So create that in a SNAT pool, then bind that to your 0.0.0.0 VS. This way your queue consumers will see nothing but the BigIP VS address no matter which way the traffic is flowing.

    2) You may need to disable port translation, especially on the external facing VIP. If the LTM translates that port either way it could break. I'm thinking that a flow like this is what may be causing your problem (again just a guess after only a few minutes of looking at that slide deck on firewalls and MQ):

    src_address:src_port --> Vip_addr:1414 -->(client src_port translation may occur here)-->MQ server

    So when MQ "responds", it may be that it's trying to use this tuple: client src_address:translated src_port, in which case it'll break.

    Please update this post so we'll all benefit from your work! IMO there's a bunch more of this type of design in our future, so thanks for the post.

    -Matt
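    As an added illustration of Matt's two points (this is not from his post or from an F5 deployment guide), here is what the objects look like in tmsh on a later LTM release. The VIP address 203.0.113.10, the MQ server 10.10.10.20, the VLAN name and all object names are placeholders.

```tmsh
# Added example, not from the thread. Placeholders: external VIP 203.0.113.10,
# MQ server 10.10.10.20 behind the LTM, internal VLAN named "internal".

# Point 1: a SNAT pool whose only member is the external VIP address, so the
# remote queue manager sees the same address whichever side opens the channel.
create ltm snatpool mq_vip_snat members add { 203.0.113.10 }

# Point 2, inbound: the 1414 listener VS with port translation disabled, so the
# MQ server is reached on the port the remote side actually connected to.
create ltm pool pool_mq members add { 10.10.10.20:1414 } monitor tcp
create ltm virtual vs_mq_inbound destination 203.0.113.10:1414 ip-protocol tcp profiles add { fastL4 } pool pool_mq translate-port disabled

# Point 1 + 2, outbound: the any/any VS bound to the SNAT pool, listening only on
# the internal VLAN, with no address or port translation toward the remote side.
create ltm virtual vs_mq_outbound destination 0.0.0.0:any mask any ip-protocol any profiles add { fastL4 } vlans add { internal } vlans-enabled translate-address disabled translate-port disabled source-address-translation { type snat pool mq_vip_snat }

# Check: an outbound channel to a remote 1414 listener should show the VIP as
# its server-side client (source) address and an untranslated port.
show sys connection cs-server-port 1414
```

    If the connection table shows a server-side source other than the VIP, or a server-side port different from the client-side one, the channel is still being translated somewhere in the path.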

  • Hi Matt,

    Thanks for that reply, I'll give it a shot today on our dev system and report back with the results.

    Regards,

    UC..