Forum Discussion
Problem with servers using F5 as DG
This scenario isn't that uncommon. I've seen it a lot at Fortune 50 companies using IBM/IHS-WAS combinations. Shared resources/modules/services on the same box. I've also seen variations of SAP do this. The SAP implementation would get ugly sometimes because ip_address/host info would be parsed in the sap payload, if I am recalling correctly. Both of these are by design.
Mike,
1) Read Kevin's post again. Once that "un-snat'd" packet comes across, all the communication is local. The only part I have concern with is the option of static routes. The static routes won't work because the 10.2.1.0 network is a directly connected interface. It will always win.
2) Something is missing here. Perform a tcpdump again and catch a transaction. What is the port (VS:port_combo) for this middleware vs? 10.1.1.1:xx ??? ex: tcpdump -ni internal x.x.x.x port xxxx
3) Automap should work fine. Without it, the communication might be breaking due to confusing arp entries on the server(s) since the first syn packet will have the F5's mac address and the reply would theoretically be the server arp entry in the local cache of the destination server. Just thinking out loud here. Could be wrong. Is "Allow SNAT" set to "No" at the pool level (advanced settings)?
4) Perhaps you could use an iRule with 1:1 SNAT mappings to pool members. At least this would satisfy the logging need for original source ip addresses.
5) I would also create an additional FastL4 server (10.1.1.x) and see if it behaves any differently with and without snat enabled. I'm sure you can temporarily have a single server point to this new vip for testing.
6) What happens when you manually configure a server to point to a middleware server's ip address specifically and not use the vip (bypass LTM)? Does that work?
I have run into this problem before but I just can't recall how I solved it. I think I used an iRule to swap ip addresses, etc. Just can't remember. Sorry.
Either way, some piece of data seems to be missing. The fact that AutoMap doesn't work lets me know we are missing some data here. Let's get those tcpdumps. Feel free to post config snippets as well.
- BinaryCanary_19, Aug 16, 2013 (Historic F5 Account): The scenario you explain suggests possibly a loop (packets going back and forth between VIP and server until TTL expires). Perhaps this guy has autolasthop disabled.
- BinaryCanary_19, Aug 16, 2013 (Historic F5 Account): Also in this situation, it is not exactly connections that the servers are sending back, just the same packets but with the payload modified (compression perhaps). In the few such scenarios I've seen, the users typically configure specific virtual servers for the external-to-internal communications, and specific ones to handle the server-to-vip connections, placing both on different VLANs.
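A quick way to test the loop hypothesis above against the `tcpdump` output requested earlier in the thread, as an added example that is not from the discussion: a packet that keeps re-entering the capture with the same IP id and 5-tuple but a TTL one lower on each pass is the signature of a forwarding loop. The capture it parses is constructed; addresses follow the thread (server on 10.2.1.0, middleware VIP on 10.1.1.1).

```python
"""Flag a forwarding loop in 'tcpdump -nv' output: the same packet (same IP id
and 5-tuple) re-entering the capture with a lower TTL on every pass.
Added example, not from the thread; the capture below is constructed."""
import re
from collections import defaultdict

# tcpdump -nv prints an IP header line, then an indented TCP line, per packet.
HDR_RE = re.compile(r"^\S+ IP \(.*?ttl (?P<ttl>\d+), id (?P<id>\d+),")
L4_RE = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > "
                   r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags")

def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, ip_id, ttl) for each IPv4/TCP record."""
    hdr = None
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            hdr = h                      # remember header until its TCP line
            continue
        p = L4_RE.match(line)
        if hdr and p:
            yield (p["src"], int(p["sport"]), p["dst"], int(p["dport"]),
                   int(hdr["id"]), int(hdr["ttl"]))
            hdr = None

def find_loops(text, min_passes=3):
    """Return {(src, sport, dst, dport, ip_id): [ttl, ...]} for packets seen at
    least min_passes times with strictly decreasing TTL (a forwarding loop)."""
    ttls = defaultdict(list)
    for src, sport, dst, dport, ip_id, ttl in parse_tcpdump(text):
        ttls[(src, sport, dst, dport, ip_id)].append(ttl)
    return {k: v for k, v in ttls.items()
            if len(v) >= min_passes and all(a > b for a, b in zip(v, v[1:]))}

# Constructed capture: 10.2.1.10 (F5 as default gateway) opens a connection to
# the middleware VIP 10.1.1.1:8080; its SYN keeps reappearing with TTL-1.
SAMPLE = """\
12:00:00.000100 IP (tos 0x0, ttl 64, id 4711, offset 0, flags [DF], proto TCP (6), length 60)
    10.2.1.10.45000 > 10.1.1.1.8080: Flags [S], seq 1000, win 29200, length 0
12:00:00.000180 IP (tos 0x0, ttl 63, id 4711, offset 0, flags [DF], proto TCP (6), length 60)
    10.2.1.10.45000 > 10.1.1.1.8080: Flags [S], seq 1000, win 29200, length 0
12:00:00.000250 IP (tos 0x0, ttl 62, id 4711, offset 0, flags [DF], proto TCP (6), length 60)
    10.2.1.10.45000 > 10.1.1.1.8080: Flags [S], seq 1000, win 29200, length 0
12:00:00.000900 IP (tos 0x0, ttl 64, id 9001, offset 0, flags [DF], proto TCP (6), length 60)
    10.2.1.12.51000 > 10.1.1.1.8080: Flags [S], seq 2000, win 29200, length 0
"""
if __name__ == "__main__":
    for (src, sport, dst, dport, ip_id), seen in find_loops(SAMPLE).items():
        print(f"loop: {src}:{sport} -> {dst}:{dport} id={ip_id} ttl={seen}")
```

A retransmission arrives with a fresh TTL, so it is not reported; only the same datagram circulating through the F5 and back trips the check.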