TCP Connection Failed After Adding New Members
If I understand correctly, you have a virtual server with a client ssl profile (ssl cert on the F5) with a pool including 2 pool members on a separate vlan that's directly connected to the F5, but different from the virtual server's vlan. Traffic flows from the internet to the ssl virtual server, which then distributes traffic between the two servers on the vlan behind the F5. If you add servers to the pool that are not on a directly connected vlan behind the F5 with a return route through the F5's floating IP, you will have several situations, the main one being asymmetric routing. If that is the case you will probably need to do several things. The first one can be to activate SNAT Automap. This will require you to allow access through your firewalls from the F5's egress floating IP address to the pool members. This will also change the source IP address you'll see on your pool members from the client's IP address to the egress floating IP addresses of the F5s.
By asymmetric routing I mean the following:
* Client connects to the F5's virtual and establishes an ssl session.
* F5 forwards traffic to the selected pool member, leaving the client's source address intact.
* Pool member on the new separate vlan receives the request from the client and sends the response back directly to the client.
* Client gets an error, as it gets a response that's not encrypted and from a different IP address than the one it sent the request to.
For the connections to work correctly the requests and responses need to flow through the F5's ssl virtual server.
- Polarglock_3568, Mar 27, 2018, Nimbostratus
Thanks for the reply! Yes, you are correct about the flow. The two new members in the other compartment do get SNATed. The old members in the same compartment do not. We do get successful traffic to all 4 members; however, it appears to be an intermittent issue occurring only when the new members have been activated. We don't see the failures within our environment. We only see the failures coming from the Alertsite monitors with agents external to our environment. We also received complaints from clients.
Thanks!
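The setup and fix from the first reply as an added tmsh example (not configuration from either poster); pool, virtual server, VLAN and address names are constructed placeholders, and it assumes the pool members accept plain HTTP on port 80 behind the F5's client-ssl virtual server.

```tmsh
# Added example; every name and address below is a constructed placeholder.
# Directly connected members: their default route points back at the F5's
# internal floating self IP, so replies return through the virtual server.
create ltm pool pool_web members add { 10.10.20.11:80 10.10.20.12:80 } monitor http

# Virtual server as the thread describes: client SSL terminated on the F5,
# traffic sent to the members with the client's source address left intact.
create ltm virtual vs_web_ssl destination 203.0.113.10:443 ip-protocol tcp \
    profiles add { clientssl { context clientside } http tcp } \
    pool pool_web vlans add { vlan_external } vlans-enabled

# Adding members on a routed subnet behind a firewall: with no SNAT their
# replies go straight to the client's real IP and bypass the F5 (asymmetric
# routing), so the client receives a cleartext answer from the wrong address.
modify ltm pool pool_web members add { 10.20.30.11:80 10.20.30.12:80 }

# Fix described in the reply: SNAT Automap. Every member, old and new, now
# sees the F5's egress floating self IP instead of the client IP, and the
# firewall must allow that floating IP to reach 10.20.30.0/24 on port 80.
modify ltm virtual vs_web_ssl source-address-translation { type automap }

# Checks: confirm the setting, then inspect live connections to the virtual;
# with automap the server-side client address is the F5 floating self IP.
list ltm virtual vs_web_ssl source-address-translation
show sys connection cs-server-addr 203.0.113.10
save sys config
```

Because automap also rewrites the source address for the two directly connected members, their logs will show the F5 floating IP from then on; an X-Forwarded-For header on the http profile is the usual way to keep the client IP visible.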