barely_128722
Jul 22, 2013

Problem talking to VIP from Internal Node

My apologies if this is the wrong group for this question.

Our somewhat simplified configuration:

+-----------------------------------------------+   +--------------------------------+
|                                               |   |                                |
|                    VLAN101                    |   |            VLAN102             |
|                                               |   |                                |
|   VIP-64.100    VIP-64.101    VIP-64.102      |   |    VIP-72.100    VIP-72.101    |
+------+---------------+---------------+--------+   +-------+---------------+--------+
       |Self-IP        |Self-IP        |Self-IP             |Self-IP        |Self-IP
       |64.10/11       |64.10/11       |64.10/11            |72.10/11       |72.10/11
       |SNAT           |SNAT           |SNAT                |SNAT           |SNAT
       |               |               |                    |               |
  +----+----+    +-----+------+  +-----+------+      +------+------+ +------+------+
  |VLAN2000 |    |VLAN2001    |  |VLAN2002    |      |VLAN2010     | |VLAN2011     |
  |192.x.y.z|    |192.x.y2.z  |  |192.x.y3.z  |      |192.x.y4.z   | |192.x.y5.z   |
  +----+----+    +-----+------+  +-----+------+      +------+------+ +------+------+
       |               |               |                    |               |
  +----v----+    +-----v------+  +-----v------+      +------v------+ +------v------+
  |  Node1  |    |   Node2    |  |   Node3    |      |    Node4    | |    Node5    |
  +---------+    +------------+  +------------+      +-------------+ +-------------+

We have multiple VIPs configured where each group of VIPs all share a single VLAN on the top/external side (e.g. 172.x.y.z/21). The bottom/internal side of each VIP has its own VLAN (192.168.x.y/28). SNAT is configured to translate each of the internal VLANs out to either the single Self-IP for VLAN101 or VLAN102 (really 2 since one is fixed and the other floating -- eventually we'll hook up the second F5 for failover). Each of the internal VLANs has a specific translation rule to translate its internal IP range out to the external Self-IP. We don't have it configured with automap.

In addition to the above, we have route domains defined. RD101 is the route domain for VLAN101. RD102 is the route domain for VLAN102. There is a route domain for each of the bottom VLANs (RD2000, RD2001, etc.) whose parent is either RD101 or RD102.

Our problem is communicating from the internal nodes directly to the VIPs within a group. Nodes 1, 2 or 3, which SNAT out to the Self-IP in VLAN101, are unable to establish connections to any of the VIPs in VLAN101. They are able to connect to the VIPs in VLAN102. If I run tcpdump on VLAN101 on the F5, I see the F5 trying to ARP for the address of the VIP (e.g. ARP: tell 172.16.64.11 the MAC of 172.16.64.100). Since the Self-IPs and the VIP addresses are part of the same VLAN (VLAN101), shouldn't the F5 be able to talk directly between the Self-IP and the VIP?

Here's an example of the kind of tcpdump output we are seeing:

23:51:05.138541 arp who-has 172.24.73.1 tell 172.24.72.11 out slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=2 inport=0 haunit=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

Any help would be greatly appreciated.

Thanks,

barry

2 Replies

  • Are your VLAN101 nodes able to talk directly to each other? Do you see any traffic coming into the destination VIP?

    While not as complex as your setup (I don't use route domains), if my nodes are on the same internal VLAN and need to access each other through their virtual server, I use an iRule on the virtual server to snat automap only if they are both on the same network. This fixes the problem of an asynchronous route where the return traffic is not sent back up to the F5 but to the requesting node directly, which is then dropped.
  • Make sure you have a route for the SNAT IPs pointed back to the F5 on the server?

    Also see if ARP is enabled on all VIPs.
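The conditional SNAT the first reply describes, written out as an added example (this is not code from the thread or from F5): it applies SNAT automap only when the client and the selected pool member fall inside the same subnet, so the member's reply is forced back through the BIG-IP instead of going straight to the client on the shared VLAN. The /28 prefix length (the internal VLAN size given in the question), the `IP::addr .../28 equals ...` mask form and the log line are assumptions to adjust for the real deployment.

```tcl
# Added example: SNAT only "hairpin" connections, i.e. a client connecting to a
# virtual server whose chosen pool member sits on the client's own subnet.
# Without SNAT the member answers the client directly on the shared VLAN; the
# client never saw its SYN answered by the BIG-IP, so the reply is dropped.
when LB_SELECTED {
    # Assumption: /28 matches the 192.168.x.y/28 internal VLANs in the question.
    # The mask is applied to both addresses before the comparison.
    if { [IP::addr [IP::client_addr]/28 equals [LB::server addr]] } {
        # Source-NAT to the self IP on the member's VLAN so return traffic
        # comes back to the BIG-IP and the connection table stays consistent.
        snat automap
        log local0. "hairpin: client [IP::client_addr] -> member [LB::server addr]:[LB::server port], SNAT automap applied"
    }
    # Clients on other subnets are left untouched: the virtual server's
    # existing SNAT configuration (or lack of it) still applies to them.
}
```

Leaving the non-matching path alone keeps the real client address visible to pool members for ordinary traffic, which is what you want for server-side logging and access control.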