Forum Discussion

Dwight_Marzolf_'s avatar
Icon for Nimbostratus rankNimbostratus
Feb 13, 2012

traffic flow from new vlan

Hi Everyone,



I recently inherited an F5 BIG-IP LTM in the lab for which I am now responsible. I am a newbie to managing an F5. I have gone through most of the online F5 Essentials Tutorial which has helped a lot along with reading various documents. When I took over the F5 the only machines being load balanced were physical machines and all was working. We recently attempted to do load balancing through the F5 of some virtual machines from another vlan.



I setup a virtual server with an IP address configured to communicate on this new vlan. I created a pool with two VMs to load balance from this virtual server. I setup the standard http monitor and I'm using port 8080. The VMs in the pool show green as does the virtual server.



If I go to another machine and do a wget to each of the VMs in the pool I get a good response back (I get an index.html file) If do a wget to the virtual server I get the error "(Connection reset by peer) in headers". I have tried setting the SNAT Pool in the Virtual Server to Auto Map without success. I have tried creating a SNAT that mapped the IP addresses of the two VMs to the Virtual Server. I get the same results no matter which of these I have tried.



My conclusion is that I am missing something simple to make this config work. There are potentially other VMs that we would want to load balance if we can get the load balancing to work on the subnet where these VMs reside. Any help or insight into this issue would be greatly appreciated.





Dwight Marzolf

8 Replies

  • Hi Dwight,



    Thanks for the complete problem statement. I'd guess that the non-local servers don't have a route back to LTM's self IP or virtual server IP which points to the same VLAN the packet went out of LTM from. Can you create a custom SNAT pool for the virtual server and ensure there is a route on the servers or the intermediate router(s) to get the reply back to LTM over the same VLAN?



  • Hi Aaron,



    Thank you for your response. I did more reading trying to make sure I understand the SNAT concept correctly. While I understand the various concepts and examples I have seen for SNATs I am having trouble translating it to what I have on my F5. So, I'll add some the specific IP address examples (some numbers changed to protect the innocent).



    The F5's external VLAN is on the subnet. Internal VLAN is The subnet with the VM's that we are trying to load balance are on the subnet with netmask of



    I am attempting to load balance two VM machines on the subnet (10.38.159.xx and 10.38.159.xx). I created a pool with the above two ips in them using port 8080. We setup a virtual server with an ip address of that points to the pool with the above two servers. Client requests to these two will also come from the subnet. For example when I do the wget command I am coming from to the virtual server of and attempting to reach one of the two servers in the pool.



    I believe your assessment that the two servers in the pool are routing around the F5 is correct. The default gateway on all of these VMs is When you suggested using a SNAT pool I attempted to put the two VMs I'm trying to load balance into the SNAT pool. That didn't work. As I read more I felt like I was understanding less and less about how I should setup a SNAT pool for these two VMs. I also tried going into the Route section of the F5 and tried to setup something that would route the subnet to the 92 subnet which didn't work.



    I'm putting this info out here so you can give me some concrete suggestions and guidance about how I should setup this SNAT configuration.



  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    Think of SNAT as a proxy.



    The connection comes into the LTM. The LTM opens a separate connection to the poolmember. The LTM then proxies all your traffic from client over to the pool member. Transforming it as it goes according to the settings of your VS (e.g. iRules).



    The pool member therefore sees the clientip of the connection as the IP address of the LTM (Floating selfIP if configured, IP from a SNATPool if configured).


    So when using SNAT, the pool member doesn't need to be able to route back to the actual clientIP. Just like your web proxy at work. (Except the connection is kind of in reverse because the proxy is local to the server, and not local to the client :)




  • if you run tcpdump, traffic flow should look like this. is client is virtual server is selfip is pool (server)

    (1) client sends SYN to virtual server

    (2) virtual server sends SYN+ACK to client

    (3) client sends ACK to virtual server, so client-side's 3-ways handshake is completed.

    (4) bigip (selfip) sends SYN to pool

    (5) pool sends SYN+ACK to bigip

    (6) bigip sends ACK to pool, so server-side's 3-ways handshake is completed.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       ip protocol 6
    [root@ve1023:Active] config  b pool foo list
    pool foo {
       members {}
    [root@ve1023:Active] config  b self list
    self {
       vlan internal
       allow default
    [root@ve1023:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    (1) 01:05:56.745896 IP > S 1485823336:1485823336(0) win 8192 
    (2) 01:05:56.745928 IP > S 3652669928:3652669928(0) ack 1485823337 win 3780 
    (3) 01:05:56.749901 IP > . ack 1 win 4410
    (4) 01:05:56.749954 IP > S 1586067383:1586067383(0) win 4380 
    (5) 01:05:56.750925 IP > S 2303747747:2303747747(0) ack 1586067384 win 5840 
    (6) 01:05:56.750933 IP > . ack 1 win 4380
  • this is very good article about how tcp connection is set.



    sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types




    hope this helps.
  • Thanks to everyone who responded to my last post. I finally got a chance to do a little testing based on the info presented. What I have discovered using tcpdump is that the virtual server is never actually talking to the servers in the pool. So, we are never getting to the issue of routing back from the servers in the pool. To this point I have not figured out with the limited time I have spent on this why the virtual server cannot talk to these servers in the pool.
  • What I have discovered using tcpdump is that the virtual server is never actually talking to the servers in the pool.does the virtual server use http profile? if yes, bigip has to receive HTTP request ,e.g. GET, before sending SYN packet to pool member. if not, after finishing 3 way handshake, bigip should send SYN packet.
  • Good News! I finally got it working. Using tcpdump I tried a couple of different configs till I got F5 to acutally route traffic to the VMs in the pool (which is were I erroneously thought I was at when I started this conversation). The config that solved this part was setting up a route for the 158 subnet that routed to the default gateway on the 92 subnet (which is also the external VLAN). Then I set the SNAT Pool for the Virtual Server to Auto Map and it all started working. Thank You once again to everyone that responded and gave me insight into my problem and debugging suggestions.