Forum Discussion

Harris_Hassan_3
Nov 03, 2009

Working around a disabled auto last hop

Hi Guys,

I've attached a diagram to illustrate the connection.

Got myself into a situation where my applications (the Internal user segment) stopped functioning after we had to disable the auto last hop function due to a fix recommended by the F5 Tech Team to get our apps in the Partners & Customer segments working. The F5 LTMs are actually there to serve the latter 2 segments, and I was thinking of utilizing them for internal apps to save costs.

Things to consider:

a) All the segments are separated via 3 different wildcard VSs enabled on their respective VLANs, with the pool members being the firewall self IPs.

b) All server gateways point to the firewalls (one-arm implementation).

c) SNAT automap is enabled on the respective VSs (at least on the ones I did for the internal user segment).

d) Currently running on v10.0.0.1.

I'm not given much visibility on the apps running in the Customer & Partners segment as it is handled by a different team and vendor, but it seems that disabling the system-wide auto last hop got it working, at the cost of my apps.

Things I noticed:

a) Apps are functioning properly if I access them from the same subnet, but not from an external segment.

b) I'm not able to ping the F5 VS and self IPs, but I'm able to ping the internal pool members. Traceroute shows traffic stopping at the 20.20.20.1 firewall.

c) Apps function normally when auto last hop is enabled.

d) Tried enabling the "Last hop pool" setting with the pool member being the internal firewall gateway, but to no avail.

Kinda stumped on this issue now, so I would appreciate any feedback on how to solve this. Feel free to ask if you need further clarification.

Thanks in advance

• Can you describe your inbound/outbound flows? Do any of the server segments need access to each other? Do customers/partners/internal users access all the server pools, or are they isolated to one? Do the server environments initiate traffic to external resources?