Forum Discussion
Simple balancing doesn't work
Good morning community, I have to configure, for my work, a F5 VE. So, I download F5 VE 13.1.4 in my lab @home and install it on VMWare to make practice and understand the F5 basics. What I did is configure internal and external network VPN and assign related IP. Then Pool/Nodes and a Virtual Server listening on port 5000.
Everything looks good:
From F5 I can reach both nodes, even with a simple telnet on port 5000. From external network I can reach external F5 interface. The problem is that F5 doesn't route connection to the pool.
This is my network topology:
As I wrote, external network can reach VSERVER at 10.3.0.100 on port 5000. Then from F5 I can reach nodes in the pool always on port 5000. The problem here is when from a client (external network) I try to connect to VSERVER, it seems the connection is ESTABLISHED for a while, but not forwarded to internal network.
While I tried to establish a connection from a client from external network (10.3.0.128), this is what happen:
1 0.000000 10.3.0.128 → 10.3.0.100 TCP 70 61440 → 5000 [SYN] Seq=0 Win=64240
2 0.000219 10.3.0.100 → 10.3.0.128 TCP 66 5000 → 61440 [SYN, ACK] Seq=0 Ack=1
3 0.002661 10.3.0.128 → 10.3.0.100 TCP 58 61440 → 5000 [ACK] Seq=1 Ack=1
4 0.006505 10.3.0.128 → 10.2.0.129 TCP 66 61440 → 5000 [SYN] Seq=0 Win=4380
5 0.059742 10.3.0.128 → 10.3.0.100 IPA 115 unknown 0x30
6 0.059768 10.3.0.100 → 10.3.0.128 TCP 58 5000 → 61440 [ACK] Seq=1 Ack=58
7 3.003461 10.3.0.128 → 10.2.0.129 TCP 66 [TCP Retransmission] 61440 → 5000 [SYN] Seq=0 Win=4380 Len=0 MSS=1460 SACK_PERM=1
10 12.004963 10.3.0.100 → 10.3.0.128 TCP 113 5000 → 61440 [RST, ACK] Seq=1 Ack=58
11 12.004980 10.3.0.128 → 10.2.0.129 TCP 106 61440 → 5000 [RST, ACK] Seq=1 Ack=1
I'm getting crazy since configuration should be ok, could someone help me?
Thank you very much,
Lucas
Hi Lucas,
Is SNAT active on the virtual server? If SNAT is not active, your connection may fail due to asymmetric traffic. When you telnet over the CLI, there is no connection problem because the source IP is F5. The same goes for monitor requests.
K7820: Overview of SNAT features:
https://support.f5.com/csp/article/K7820
Hi Lucas,
Is SNAT active on the virtual server? If SNAT is not active, your connection may fail due to asymmetric traffic. When you telnet over the CLI, there is no connection problem because the source IP is F5. The same goes for monitor requests.
K7820: Overview of SNAT features:
https://support.f5.com/csp/article/K7820- LucasReyNimbostratus
HI Enes_Afsin_Al, thank you for reply.
I read the page you linked me, and understand the concept behind SNAT, now is working. What I did is create a simple SNAT where external network 10.3.0.0/24 is translated to 10.2.0.3 (so the internal F5 interface), so that NODE can reply.
Before SNAT, I did a trace on one of the server NODE and I can see:
So, node receives SYN from external client (10.3.0.128) but is not able to reply since NODE cannot reach that IP. That's probably the reason because it doesn't work.
After using SNAT, NODE receives packet from internal F5 interface IP and is now able to reply to that interface:
Am I right? Is what i did correct?
./Lucas
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com