Forum Discussion

Scott_C_16492's avatar
Scott_C_16492
Icon for Nimbostratus rankNimbostratus
Feb 15, 2011

Network Virtual Servers

Hi I'm trying to create a single virtual for a range of IPs pointing to the same pool.

 

 

All added ok via the gui, here's the config looks like:

 

virtual address 94.136.40.224 {

 

mask 255.255.255.248

 

}

 

virtual wildcard-test.vs {

 

pool http.linweb.pool

 

destination 94.136.40.224:http

 

mask 255.255.255.248

 

ip protocol tcp

 

profiles

 

http

 

tcp

 

}

 

 

So I'm expecting everything in 94.136.40.224/29 to listen to port 80 and forward traffic through to the pool http.linweb.pool

 

 

This doesn't work as expected though.

 

 

Doing a tcpdump on the LTM, I see my router arp'ing for the IP, but the LTM doesn't respond:

 

 

[me@biggerip01:Active] ~ tcpdump -i vlan704 net 94.136.40.224/29

 

tcpdump: listening on vlan704

 

14:39:02.406927 arp who-has 94.136.40.224 tell 94.136.40.254

 

14:39:05.411933 arp who-has 94.136.40.224 tell 94.136.40.254

 

 

Running a pair of 6400s with 9.4.8 HF4

 

 

Any ideas what I'm doing wrong, or is this not how the network VIPs work?

 

 

Scott
config
design
  • SThorpe_111884's avatar
    SThorpe_111884
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2011
    Thanks Hamish. Yes the network VS has SNAT automap on (and yes sorry VLAN 700 is indeed 10.10.70.0):

     

     

    virtual NETVIP1 { snat automap destination 10.10.60.0:any mask 255.255.255.0 ip protocol tcp rules IRULE1 profiles fastL4 translate address enable translate service enable }

     

     

    If this looks correct on the F5 side then I'll dig more into the ASA config, though debugging on the ASA shows the ACL, xlate, etc are all working as expected.

     

     

    The odd thing is that access through the ASA works fine for a host VS that points to one of the same back end servers, it just doesn't work for the network VS.

     

     

    -Simon.
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jul 28, 2011
    Based on the description (The ASA is ARP'ing for 10.10.60.0/24 addresses) it doesn't look like an F5 problem... It sounds like you may have something specific in place for the host VS's on the ASA that's different from the traffic addressing the network VS?

     

     

    H
  • SThorpe_111884's avatar
    SThorpe_111884
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2011

    I agree - sounds like I need to try a few different ASA configurations to see if I can get to the bottom of it. I did note that adding a static arp entry on the ASA that ties a given IP in the network VS to the MAC address of the outside interface of the LTM allowed traffic to flow as expected to that IP, but I still need to figure out why the ASA is arp'ing in the first place instead of using its static route.

     

     

    If I find a solution I'll post it back here in case anyone else runs into this.

     

     

    Thanks!

     

     

    -Simon.