Forum Discussion
Scott_C_16492
Nimbostratus
Feb 15, 2011
Network Virtual Servers
Hi, I'm trying to create a single virtual for a range of IPs pointing to the same pool.
All added ok via the GUI. Here's what the config looks like:
    virtual address 94.136.40.224 {
        mask 255.255.255.248
    }
    virtual wildcard-test.vs {
        pool http.linweb.pool
        destination 94.136.40.224:http
        mask 255.255.255.248
        ip protocol tcp
        profiles
            http
            tcp
    }
So I'm expecting everything in 94.136.40.224/29 to listen on port 80 and forward traffic through to the pool http.linweb.pool.
This doesn't work as expected though.
Doing a tcpdump on the LTM, I see my router arp'ing for the IP, but the LTM doesn't respond:
[me@biggerip01:Active] ~ tcpdump -i vlan704 net 94.136.40.224/29
tcpdump: listening on vlan704
14:39:02.406927 arp who-has 94.136.40.224 tell 94.136.40.254
14:39:05.411933 arp who-has 94.136.40.224 tell 94.136.40.254
Running a pair of 6400s with 9.4.8 HF4.
Any ideas what I'm doing wrong, or is this not how the network VIPs work?
Scott
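The tcpdump above shows the symptom the thread turns on: an upstream router ARPing for an address inside a network virtual server's range and getting no reply, which means the neighbour treats the routed range as directly attached. As an added example (not code from the thread or from F5), here is a small Python checker that reads tcpdump ARP output in the same format and reports requests inside a given network VS range that were never answered; the capture lines are constructed sample data, not the original poster's traffic.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample capture, modelled on the tcpdump lines quoted in the
# thread (not the poster's real traffic). Two requests for .224 go unanswered,
# .225 gets a reply, and the last line is outside the network VS range.
SAMPLE_CAPTURE = """\
14:39:02.406927 arp who-has 94.136.40.224 tell 94.136.40.254
14:39:05.411933 arp who-has 94.136.40.224 tell 94.136.40.254
14:39:05.500000 arp who-has 94.136.40.225 tell 94.136.40.254
14:39:05.500500 arp reply 94.136.40.225 is-at 00:01:d7:aa:bb:cc
14:39:06.000000 arp who-has 10.0.0.5 tell 10.0.0.1
"""

# tcpdump ARP request / reply line shapes (classic, non-verbose output).
ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def unanswered_arp_in_range(capture, network_vs):
    """Return {target_ip: request_count} for ARP requests whose target lies
    inside the network VS range and that never received a reply.

    A network virtual server is a routed destination: the LTM does not ARP
    for addresses in it, so any request here means the requesting router or
    firewall believes the range is on its local L2 segment instead of
    routing it via the LTM's (floating) self IP. The mask may be given in
    CIDR form ("94.136.40.224/29") or dotted form as in the bigip config
    ("94.136.40.224/255.255.255.248").
    """
    net = ip_network(network_vs, strict=False)
    requests = {}
    answered = set()
    for line in capture.splitlines():
        req = ARP_REQ.search(line)
        if req:
            target = ip_address(req.group(1))
            if target in net:
                requests[str(target)] = requests.get(str(target), 0) + 1
            continue
        rep = ARP_REPLY.search(line)
        if rep:
            answered.add(rep.group(1))
    return {ip: n for ip, n in requests.items() if ip not in answered}


if __name__ == "__main__":
    for ip, n in unanswered_arp_in_range(SAMPLE_CAPTURE, "94.136.40.224/29").items():
        print(f"{ip}: {n} unanswered ARP request(s) -> upstream treats network VS as directly attached")
```

In practice you would feed it `tcpdump -nn -i <vlan> arp` output captured on the LTM; any hit is a pointer to check the neighbour's route and mask for the range rather than the virtual server itself.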
13 Replies
- Chris_Miller
Altostratus
With this setup, you're essentially saying anything destined for 94.136.40.224/29 over HTTP should be sent to pool http.linweb.pool with address translation disabled. So, you haven't necessarily created an instance at 94.136.40.224/29. You've created a specific method by which to access that network via pool http.linweb.pool.
Make sense?
- Hamish
Cirrocumulus
Think of a network virtual server as a router. Anything destined for the IP range specified by the VS address and mask will be routed to the destination (pool, in your case).
In order to get the packets TO the LTM you need to treat it as a router... i.e. direct your traffic THROUGH the floating self IP address of the interface that the VS is enabled on (or any of them by default, of course).
H
- hc_andy_35682
Nimbostratus
What Hamish says is exactly right on...
You will need to create a self IP and floating IP on the LTM for your HTTP/inside VLAN. This means you'll need 3 IPs per inside VLAN: one for the active unit, one for the standby unit and one floating IP across both units (provided you have an HA setup).
The real machines (nodes) in the http.linweb.pool will then have their default gateway changed to that of the floating IP. This is very important so that the return traffic will go back via the LTM; in effect it makes the virtual server act very much like a "router".
HTH
Andy
- STTR_85331
Nimbostratus
Hi folks,
I'm having a similar issue with a network virtual server. In my case the layout is like this:
Outside Network <> Firewall <> LTM <> Router <> Internal Network
I have configured a network virtual on the LTM using a network range that only exists on the LTM. Both the firewall and the router have routes to this network.
I find that hosts on the internal network can access the network virtual just fine, but hosts on the outside network cannot (tcpdump shows arp requests from the firewall that are not answered by the LTM just like the OP described above).
As I understand it network virtuals are not supposed to respond to ARP requests so I understand why the firewall arps aren't getting responses, but my question is - since I have a static route on the firewall and the router pointing to the network virtual on the LTM, why does the firewall think it needs to arp in the first place? It's as if the network virtual is responding differently to requests via the router and via the firewall for some reason.
Thanks in advance for any suggestions!
-Simon.
- johns
Employee
Simon, if the network only exists on the LTM, I am not sure you will need the network VS. A network VS is meant to allow traffic to transit through the LTM when a host on one side/VLAN of the LTM wants to get to the other side/VLAN. Something like: your server side is 1.1.1/24 and your firewall side is 2.2.2/24; then for the firewall to get to the server side, you will need to configure a 1.1.1.0 network VS and enable it on all VLANs, or at least on the firewall side.
- STTR_85331
Nimbostratus
Thanks for the response. The reason for the network virtual is that I'm using it with an iRule and data group to pass through traffic to a set of servers without any load balancing. Don't ask why this traffic needs to go through the LTM in the first place; let's just call it "historical reasons"!
The odd part is that the network virtual works fine when accessed from hosts in the inside network (e.g. client - router - network virtual) but not from the outside (client - firewall - network virtual). Both the firewall and router have a static route for the network virtual range pointing to the outside or inside IP of the LTM respectively. The only obvious difference is that the firewall does address translation as well as routing, but this doesn't seem to be an issue in itself as a host virtual I set up on the LTM works just fine through the firewall - it's just the network virtual that doesn't work.
I'm still hung up on why the firewall is trying to arp for the address of the host in the network virtual it is trying to talk to - since the firewall has a static route for the network virtual it seems that it would just route that traffic to the LTM. The failed arp request makes it look like the firewall thinks the network virtual is on a directly connected L2 network which obviously it isn't.
If anyone has had success with this configuration (sending traffic to a network virtual through a firewall - in my case Cisco ASA) please let me know!
Cheers,
Simon.
- Hamish
Cirrocumulus
Hmm..
If your firewall is expecting the LTM to respond to ARP for the network VS, then it's not configured right. The only reason it would be doing that is if the firewall considered the network represented by the network VS to be directly attached. Which it isn't (because if it was, you wouldn't need a network VS in the first place).
You either need to use a network VS and a ROUTE from the firewall TO the network VIA the BigIP floating IP, OR you use the network range on that VLAN and configure individual VSs on it... Not both.
Any chance that you could attach a LOGICAL diagram showing where the networks and VLANs actually exist?
H
- STTR_85331
Nimbostratus
Sure - I've attached a simplified version of my lab setup. I agree that the firewall shouldn't be expecting an ARP response for the network VS; it should be using its static route to send traffic for the network VS to the LTM's external IP.
-Simon.
- STTR_85331
Nimbostratus
Trying again for an attachment upload...
- Hamish
Cirrocumulus
Are you SNAT'ing the traffic through the network VS destined for the two servers? It doesn't say you are, but you'd have to if they're not in the 10.10.60.0/24 subnet (And the diagram has them as 10.10.10.11 and 10.10.20.12).
If your ASA is ARPing for the 10.10.60.0/24 addresses when VLAN700 is (presumably) 10.10.70.0/24, then I'd check the configuration of the ASA... It doesn't sound like it's got everything configured correctly...
H
