Forum Discussion
one-arm mode load balancing without snat?
Hi,
I have a customer that wants to deploy one-arm mode due to high demand in management traffic of the nodes. The nodes would have static routes to management networks and a default route to the F5 BIG-IP.
The nodes would still receive load balanced traffic from the internet, which would go through the BIG-IP. Return traffic to the internet would also go through the BIG-IP because the nodes have a DG going to the BIG-IP self IP.
I guess a good way to describe this is a "hybrid" topology:
one-arm mode because the virtual server is on the same VLAN as the NODES;
routed mode because the nodes use the BIG-IP as the default gateway.
I have somewhat attempted this configuration but I see traffic is not forwarded from the virtual server to the pool. Is SNAT required when using one VLAN for all traffic?
10 Replies
- What_Lies_Bene1
Cirrostratus
Yes, SNAT is required for one-arm mode. However, I'm not sure what you've described is one-armed mode. Are the Virtual Server and the connecting clients (from the Internet) all in the same VLAN/IP subnet? Are the client source IPs source NATted before they reach the VS?
- nitass
Employee
"I have somewhat attempted this configuration but I see traffic is not forwarded from virtual server to the pool."
You should see traffic (e.g. SYN) to the pool even if SNAT is not enabled. The problem will happen if the client is in the same VLAN/subnet as the virtual server/node, because return traffic will be sent directly from the node to the client.
- symtex_22198
Nimbostratus
The connecting clients are in remote networks; they are not local.
The client IPs are not source NATted before they reach the VS. The VS will only have to send the traffic to the default gateway.
nitass:
I don't see SYNs being forwarded to the pool, which is kind of confusing. It seems to be configured correctly. I ran it through iHealth and it looks OK. None of the app requests are local; they are from remote networks.
- nitass
Employee
"I don't see SYNs being forwarded to the pool, which is kind of confusing. It seems to be configured correctly. I ran it through iHealth and it looks OK. None of the app requests are local; they are from remote networks."
What tcpdump command did you run to verify? Was it something like this?
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y
x.x.x.x is the virtual server IP
y.y.y.y is the pool member IP
- symtex_22198
Nimbostratus
I used
tcpdump -n -i appvlan host x.x.x.x or host y.y.y.y
Even though SNAT was disabled I still should have seen the traffic to the pool member.
- What_Lies_Bene1
Cirrostratus
Can we just clarify: the Virtual Server and the Pool Members are on the same VLAN/subnet, yes?
- symtex_22198
Nimbostratus
Yes.
- What_Lies_Bene1
Cirrostratus
You should have seen the Health Monitor traffic when you did the tcpdump. Can I assume you have health monitors and they are marking the pool members as up?
- symtex_22198
Nimbostratus
Yes, the health monitors are configured. There is one basic ICMP health monitor associated with the node, and there is a TCP health monitor that is associated with the pool. Both are showing as up.
- nitass
Employee
I suggest you open a support case and let them assist to check. You should see the SYN packet to the pool member anyway. It must have something missing there.
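An added example, not posted by anyone in this thread: it models the node's return path in the "hybrid" topology the original poster describes (pool members on the VS VLAN, static routes to management networks, default route to the BIG-IP self IP) and shows when a reply reaches the BIG-IP and when it bypasses it, which is the point nitass makes about same-subnet clients and the reason SNAT is normally required in one-arm mode. All addresses, the routing table and the management router are constructed for illustration.

```python
# Added example: which server replies traverse the BIG-IP in the hybrid
# one-arm topology from the thread. All addresses below are constructed.
from ipaddress import ip_address, ip_network

# Constructed addressing: VS, pool member and BIG-IP self IP share one VLAN.
SERVER_VLAN = ip_network("10.10.10.0/24")
BIGIP_SELF_IP = ip_address("10.10.10.1")   # also the SNAT automap address
VS_IP = ip_address("10.10.10.100")
NODE_IP = ip_address("10.10.10.50")

# Constructed node routing table: static routes to a management network
# plus a default route pointing at the BIG-IP self IP, as the OP describes.
# Entries are (prefix, next hop); next hop None means "directly connected".
NODE_ROUTES = [
    (ip_network("0.0.0.0/0"), BIGIP_SELF_IP),               # default route
    (SERVER_VLAN, None),                                      # on-link
    (ip_network("172.16.0.0/16"), ip_address("10.10.10.254")),  # mgmt router
]


def next_hop(dst, routes=NODE_ROUTES):
    """Longest-prefix-match lookup. Returns the next hop, or None if on-link.
    The default route guarantees at least one match for any IPv4 address."""
    dst = ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def return_path(client_ip, snat=False, routes=NODE_ROUTES):
    """Classify the pool member's reply to a load-balanced connection.

    Without SNAT the reply is addressed to the real client, so the node's own
    routing table decides whether the BIG-IP ever sees it. With SNAT automap
    the reply is addressed to the BIG-IP self IP on the shared VLAN, so the
    BIG-IP always receives it and can undo the destination translation.
    """
    dst = BIGIP_SELF_IP if snat else ip_address(client_ip)
    if dst == BIGIP_SELF_IP:
        return "symmetric"            # reply delivered to the BIG-IP itself
    hop = next_hop(dst, routes)
    if hop == BIGIP_SELF_IP:
        return "symmetric"            # default route hands reply to the BIG-IP
    if hop is None:
        return "direct-to-client"     # same subnet: reply bypasses the BIG-IP
    return "bypasses-bigip"           # static route sends reply around it
```

A remote internet client comes back "symmetric" even without SNAT, which matches nitass's expectation that SYNs should still reach the pool in the OP's setup; a client on the server VLAN or in a network covered by the node's static routes does not.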