cancel
Showing results for 
Search instead for 
Did you mean: 

Simple balancing doesn't work

LucasRey
Nimbostratus
Nimbostratus

Good morning community, I have to configure, for my work, a F5 VE. So, I download F5 VE 13.1.4 in my lab @home and install it on VMWare to make practice and understand the F5 basics. What I did is configure internal and external network VPN and assign related IP. Then Pool/Nodes and a Virtual Server listening on port 5000.

Image 005.png

Everything looks good:

Image 004.png

From F5 I can reach both nodes, even with a simple telnet on port 5000. From external network I can reach external F5 interface. The problem is that F5 doesn't route connection to the pool.

This is my network topology:

Disegno1.png

As I wrote, external network can reach VSERVER at 10.3.0.100 on port 5000. Then from F5 I can reach nodes in the pool always on port 5000. The problem here is when from a client (external network) I try to connect to VSERVER, it seems the connection is ESTABLISHED for a while, but not forwarded to internal network.

While I tried to establish a connection from a client from external network (10.3.0.128), this is what happen:

 

    1   0.000000   10.3.0.128 → 10.3.0.100   TCP 70 61440 → 5000 [SYN] Seq=0 Win=64240 
    2   0.000219   10.3.0.100 → 10.3.0.128   TCP 66 5000 → 61440 [SYN, ACK] Seq=0 Ack=1 
    3   0.002661   10.3.0.128 → 10.3.0.100   TCP 58 61440 → 5000 [ACK] Seq=1 Ack=1 
    4   0.006505   10.3.0.128 → 10.2.0.129   TCP 66 61440 → 5000 [SYN] Seq=0 Win=4380 
    5   0.059742   10.3.0.128 → 10.3.0.100   IPA 115 unknown 0x30 
    6   0.059768   10.3.0.100 → 10.3.0.128   TCP 58 5000 → 61440 [ACK] Seq=1 Ack=58 
    7   3.003461   10.3.0.128 → 10.2.0.129   TCP 66 [TCP Retransmission] 61440 → 5000 [SYN] Seq=0 Win=4380 Len=0 MSS=1460 SACK_PERM=1
   10  12.004963   10.3.0.100 → 10.3.0.128   TCP 113 5000 → 61440 [RST, ACK] Seq=1 Ack=58 
   11  12.004980   10.3.0.128 → 10.2.0.129   TCP 106 61440 → 5000 [RST, ACK] Seq=1 Ack=1

 

 

I'm getting crazy since configuration should be ok, could someone help me?

Thank you very much,

Lucas

 

 

1 ACCEPTED SOLUTION

Hi Lucas,

Is SNAT active on the virtual server? If SNAT is not active, your connection may fail due to asymmetric traffic. When you telnet over the CLI, there is no connection problem because the source IP is F5. The same goes for monitor requests.

K7820: Overview of SNAT features:
https://support.f5.com/csp/article/K7820

View solution in original post

2 REPLIES 2

Hi Lucas,

Is SNAT active on the virtual server? If SNAT is not active, your connection may fail due to asymmetric traffic. When you telnet over the CLI, there is no connection problem because the source IP is F5. The same goes for monitor requests.

K7820: Overview of SNAT features:
https://support.f5.com/csp/article/K7820

HI Enes_Afsin_Al, thank you for reply.

I read the page you linked me, and understand the concept behind SNAT, now is working. What I did is create a simple SNAT where external network 10.3.0.0/24 is translated to 10.2.0.3 (so the internal F5 interface), so that NODE can reply.

Before SNAT, I did a trace on one of the server NODE and I can see:

Image 001.png

So, node receives SYN from external client (10.3.0.128) but is not able to reply since NODE cannot reach that IP. That's probably the reason because it doesn't work.

After using SNAT, NODE receives packet from internal F5 interface IP and is now able to reply to that interface:

Image 003.png

Am I right? Is what i did correct?

./Lucas