Forum Discussion
pool members can't connect to their own Virtual Server
I can ping the VIP, but any time I try to access the actual website using the VIP it times out as if I am losing traffic. Going through localhost on each web server is just fine, so I know the website is working.
Plus this is in production, so I am kinda limited in what troubleshooting steps I can take.
Any help is appreciated.
17 Replies
- hoolio
Cirrostratus
Hi,
Do you have SNAT enabled on the virtual server? Chances are you're getting asymmetric routing when the client gets sent to either itself or another server on the same LAN. If you only want to SNAT server to VS to server traffic you can use an iRule like this:
http://devcentral.f5.com/wiki/iRules.SelectiveSNAT.ashx
Aaron
- Craig_12932
Nimbostratus
Agree with Aaron here. Sounds like the LTM is in a "One Armed" deployment and the options for 'Port translation' and a SNAT/Automap pool are not configured on the VIP. Was this the fix?
- Brian_Rodriguez
Nimbostratus
This fixed my problem, thanks for the contribution.
- Stanislas_Piro2
Cumulonimbus
To configure SNAT only if client and server are on the same network, try this iRule:
    when LB_SELECTED {
        # Compare the client's /24 with the selected pool member's /24;
        # only SNAT when both sit on the same server network
        if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
            snat automap
        }
    }
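The iRule above assumes every pool member lives in the same /24 as the calling server. As an added example (not from this thread, and not the DevCentral Selective SNAT iRule itself), the variant below generalizes it to any number of server subnets by keying the decision on an address data group, so the SNAT decision no longer depends on which member the load balancer happens to pick. The VIP, the subnets and the names dg_server_subnets and selective_snat are constructed placeholders; the listing is in bigip.conf/tmsh format and the # lines are annotations for the reader to strip before loading.

```tmsh
# Constructed example: server subnets that hold pool members (assumed values).
ltm data-group internal /Common/dg_server_subnets {
    records {
        10.10.20.0/24 { }
        10.10.21.0/24 { }
    }
    type ip
}

# SNAT only connections that originate inside a server subnet, i.e. a pool
# member (or one of its neighbours) calling its own virtual server. Outside
# clients are left untranslated, so the web servers still log the real
# client address. The decision depends only on the client, so it can be
# made as soon as the connection is accepted rather than in LB_SELECTED.
ltm rule /Common/selective_snat {
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals dg_server_subnets] } {
        snat automap
    }
}
}

# Attach the rule to the affected listener (other settings omitted).
ltm virtual /Common/vs_web {
    destination /Common/192.0.2.10:80
    pool /Common/pool_web
    rules {
        /Common/selective_snat
    }
}
```

Because `class match` against an address-type data group does subnet matching, adding a new server network is a one-line change to the data group rather than an iRule edit; a server in an unlisted subnet simply keeps the asymmetric path, which is the failure mode the thread describes, so the data group must cover every network that contains a pool member.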
- Beinhard_8950
Nimbostratus
Agree also that asymmetric routing is probably the case.
If you have the servers pointing to the F5 as GW (or similar) and you ping from a server, it will only show that you reach the VS (because it's the VS itself that responds to that ping).
And because you can ping it, we know that you have enabled it on the servers' VLAN.
So when your servers try to reach their own VS, it will be asymmetric routing.
Server A tries to reach VS X, but the answer is coming from B (or even from server A itself because of LB).
Server A drops the connection because it has not talked to B.
So the fix is then to implement SNAT for everybody, or change the VS you have to only the external VLAN and then make another one for only your server VLAN with a SNAT (same IP but different name).
In case of one-armed, I guess SNAT for all or an iRule like Hoolio said.
/Beinhard
- nektoid_66410
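Beinhard's second option, two listeners on the same IP and port split by VLAN, as an added example in bigip.conf/tmsh format (constructed for this thread, not taken from it or from F5 documentation). The VIP 192.0.2.10, the pool members in 10.10.20.0/24, and the VLAN names vlan_external and vlan_servers are assumptions; the # lines are annotations for the reader and must be stripped before loading. The first listener shows the state the thread starts from, the next two the replacement.

```tmsh
ltm pool /Common/pool_web {
    members {
        /Common/10.10.20.11:80 {
            address 10.10.20.11
        }
        /Common/10.10.20.12:80 {
            address 10.10.20.12
        }
    }
    monitor /Common/http
}

# Before: one listener on every VLAN and no SNAT. When a pool member connects
# to 192.0.2.10 its SYN is forwarded to a peer (or to itself); the peer sees
# the caller's real address on the same subnet and replies directly on the
# server VLAN, the BIG-IP never sees the reply, and the caller drops it.
ltm virtual /Common/vs_web {
    destination /Common/192.0.2.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_web
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}

# After, listener 1: outside clients only, still no SNAT, so the web servers
# keep seeing the real client address in their logs.
ltm virtual /Common/vs_web_external {
    destination /Common/192.0.2.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_web
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan_external
    }
    vlans-enabled
}

# After, listener 2: same IP and port, but bound only to the server VLAN and
# with automap. The chosen member now answers to a BIG-IP self IP, the reply
# is translated back by the BIG-IP, and the calling server sees a symmetric
# connection.
ltm virtual /Common/vs_web_internal {
    destination /Common/192.0.2.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_web
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan_servers
    }
    vlans-enabled
}
```

The two listeners share a destination, which BIG-IP accepts only because their VLAN lists do not overlap; leaving vlans-disabled on either one recreates the conflict. Automap picks a self IP on the egress VLAN, so the server VLAN self IP should have a floating address on an HA pair; a fixed `source-address-translation { pool ... type snat }` with an explicit SNAT pool is the alternative when the translated address must be predictable for server-side logging or firewall rules.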
Nimbostratus
I had a similar issue which was resolved with SNAT per the discussion here. In my case I just needed to go into ADVANCED settings on the virtual server and then switch SNAT Pool to "Auto Map" and Source Port to "Preserve".
- lkchen
Nimbostratus
I use the Selective_SNAT irule for this case.
Namely the one for when both the client and destination are on the same /xx subnet.
So the servers can still see the source IP when the traffic is coming from the outside.
It's interesting... that before I came along to work iRule magic on the F5, one of the groups having this issue did it by moving the part that needs to talk to the VS to outside the F5... so the clients talk to this one server and the server talks back to the VS. But there are 4 nodes in the pool on the F5... so if one goes down, no problem. But there's only one server on the outside... and if it goes down (again)... oops.
Though my boss has wondered if there's a performance hit from this iRule... though it's hard to tell from the CPU graph, because the F5 pair have uptime > 49.7 days.
- Techgeeeg
Nimbostratus
Where is the guy who actually had the problem... :) We need your feedback...
- The_Bhattman
Nimbostratus
Probably Hoolio solved his problem and everyone else kept going.
Bhattman
- dariusjs_19885
Nimbostratus
Slightly related to this topic: in a case where you need to preserve the source IP, what do you do? SNAT overwrites the source address with its own or with one from a pool you define. The only way forward I saw was to create separate VLANs for clients and servers. We already have two for this purpose, so I guess we need more. What we have is that one web service can have multiple data sources, which often need to be load balanced themselves. Is there another way this could have been done?
From this post here https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/2161864/showtab/groupforums/Default.aspx Micheal Yates mentions v11 has Sideband connections, but the hardware we have this running on are 3400s, which don't allow v11. He also mentions SNAT and modifying the Trusted X-Forwarded-For header, but this will only apply to HTTP.
- Bigjohns97_9840
Nimbostratus
My bad guys, we took care of this issue and I never returned to say what we did, and I hate it when I come across threads like this on the net.
You guys are right, we are in a one-armed configuration and we had to set up a SNAT pool with the VIP under the SNAT pool list and the nodes in the pool defined in the SNAT, and call the SNAT pool.
After setting this, everything can talk and all is well.
I have also noticed that all of the deployment guides call for a SNAT setting of Automap; what's up with that?
- jay_Echo_202019
Nimbostratus
I have the same issue guys. I am not able to see any server in the pool using the BIG-IP as their gateway. I get page not found. It is not allowing me to loop back.
Can anyone give me step-by-step instructions? I have version 11.6 and I have Source Address Translation set to: Automap