
Asymmetric connections: allow both direct access to the real server and the VIP without NAT

Alfonso_3549
Nimbostratus
Hi,

Maybe this has already been addressed before, but I've not been able to find it. Here's the deal: in a route-mode design, with the real servers' default gateway pointing to the F5, how would I enable both direct access to them AND to the VIP address used to load balance them without using NAT?

With Cisco ACE, this is referred to as Asymmetric Server Normalization, where the servers respond directly to the client by bypassing the ACE. However, the clients traverse the ACE to reach the servers.

Please help.

Thank you,

Alfonso

hooleylist
Cirrostratus
Hi Alfonso,

For admin access to the servers, you can set up a wildcard virtual server with a FastL4 profile enabled on the VLAN the traffic will come into the LTM on. If you enable Loose Initiation and Loose Close on the FastL4 profile, LTM will not try to manage the TCP connections in its connection table.

But I'm not sure I understand why you're trying to have the real servers respond directly to the clients (not through LTM) if the servers have LTM as their default gateway. Do you have static routes on the real servers back to the clients through a different router?

For load balanced traffic, the configuration where the servers respond directly back to the clients is called nPath in the F5 world. You can search AskF5.com for details on configuring this. It doesn't sound like you're asking about direct server response for load balanced traffic though.

Aaron

Alfonso_3549
Nimbostratus
Hi Aaron, thanks for the reply. There won't be any static routes in the real servers; they will always use their default gateway when responding to the client. That is, the client request would be going directly to the real servers (not through the LTM) and the server response would go through the LTM back to the client.

Is this scenario also called nPath?

Someone told us this could be done with the wildcard vserver and the FastL4 profile like you said, but I still don't have it quite clear. I created the wildcard vserver (with no pools assigned to it), then I created a FastL4 profile with the loose initiation and close options and then applied the profile to the vserver. Do I need to do anything else? Is it necessary to modify something in the pools that are used for the actual load balanced traffic like in Cisco?

I'm intending to test this tomorrow when I have access to the device.

Thanks for your help.

Alfonso

hooleylist
Cirrostratus
Alfonso,

How did your testing go?

If the clients are on a different subnet than the servers, then you would need to configure LTM to pass the responses from the servers back to the clients via LTM's default gateway (or other static route). If LTM doesn't see the request, then I think you'll have to use a forwarding VIP with a FastL4 profile with Loose Initiation and Loose Close enabled. Without enabling these options, LTM would not accept the response packets from the server. Enable the VIP only on the VLAN(s) which traffic will come into the LTM on.

This creates a pretty big hole through LTM, so make sure that you're covering your bases with a well configured firewall between LTM and any insecure network.

Aaron
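One way to express the setup Aaron describes in tmsh, added here as an illustration rather than configuration posted in this thread. The profile name, virtual server name, VLAN name and server subnet are assumed placeholders; the scenario is the one Alfonso describes, where only the server-to-client reply traverses LTM.

```tmsh
# Added example, not from the thread. Names, VLAN and subnet are placeholders.
#
# 1. FastL4 profile that tolerates one-sided flows.
#    Loose Initiation lets LTM create a connection entry from a mid-stream packet
#    (here, the server's reply to a request LTM never saw, which would otherwise be dropped).
#    Loose Close lets that entry be torn down when only one side's FIN/RST is seen.
create ltm profile fastl4 fastL4_loose {
    defaults-from fastL4
    loose-initialization enabled
    loose-close enabled
}

# 2. Wildcard IP-forwarding virtual server carrying the server-to-client reply path.
#    No pool is attached; ip-forward routes the packet using LTM's routing table
#    (default gateway or static route back toward the clients).
#    It is enabled only on the server-side VLAN, the VLAN the replies enter LTM on,
#    so it does not also act as a general forwarder from the client side.
#    'source' restricts which addresses may use it to the real servers' subnet,
#    which narrows the hole Aaron warns about; the firewall he mentions is still needed.
create ltm virtual vs_asym_return {
    destination 0.0.0.0:0
    mask any
    ip-protocol any
    ip-forward
    source 10.20.30.0/24
    profiles add { fastL4_loose }
    vlans-enabled
    vlans add { vlan_servers }
}

# 3. Check what LTM is tracking through it once a client hits a server directly:
#    with loose initialization a flow built only from the reply should be listed.
show sys connection
```

The placeholder subnet 10.20.30.0/24 stands for the real servers' network and vlan_servers for the VLAN they sit on; substitute the actual values.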

Denny_Payne
F5 Employee

Posted By alflopez on 03/09/2009 4:55 AM

PS. I also needed to test the forwarding of multicast datagrams from one vlan to another, but that didn't go well 😕

SOL 9310 has the details on LTM multicast support, but basically inter-VLAN support doesn't yet exist.

Denny

Alfonso_3549
Nimbostratus
Thanks Denny

Alfonso

rick_17368
Nimbostratus
creating a new thread for this.. erasing.. thanks guys.


ben_123262
Nimbostratus
Thanks for this thread - all of these years later it's still helping people convert from Cisco 🙂