Forum Discussion
Do the servers use the F5 as their default gateway (or have proper return routing to the F5 configured) ? If not, you'll need to apply a SNAT configuration to the VIP so return traffic is properly routed back to the backend server. SNAT with automap would be the most basic configuration that will likely get this to work, this setting is on the VIP configuration screen.
A basic overview of how this could be failing: you're looking at an asymmetric traffic path where your server 10.185.172.212 is sending traffic to the VIP 10.185.172.80. The F5 proxies that traffic but maintains the source IP of 10.185.172.212. When responses are sent back to the originator, the backend server will use the default gateway to return traffic back to the source IP (which is likely NOT the F5 in this case). SNAT will cause the F5 to use a self-IP as the originating IP address, which will cause return traffic from the backend server to be sent back to the F5 and on back to the original client.
Hope this makes sense, it was written quickly. I can break this down further if you'd like.
One downside to SNAT is that you can lose the original IP address in the backend server logs (if it's a webserver), but this can be remedied by using x-forwarded-for headers (which is an option in an HTTP profile on the F5).
- ParthPSep 07, 2016Nimbostratus
we are using F5 as the GW for the Internal Subnets. during troubleshooting i also applied Snat Automap to the VIP 10.185.242.80, still got same error. "ARServer (): ERROR (91): RPC call failed; 10.185.242.80:5590 ONC/RPC call timed out"
application that is running on these VIPs is BMC Remedy, i dont know if that helps.
Thanks for the answer.
- AJ_01_135899Sep 07, 2016Cirrostratus
Do you have any monitoring on the pool members, and are they showing as up? Can you telnet to the frontend VIP:port from the source device?
- ParthPSep 07, 2016Nimbostratus
pool members are up and running. since the members are setup with port 5590 it has standard TCP monitors on them. i can telnet to VIP without any issues. it is just accessing the VIP from 10.185.172.212/213 is the problem.
i have opened F5 support case and we took a few captures, however we were not able to determine root cause for this behavior. we also enabled SNAT but that did not resolve anything.
- ParthPSep 08, 2016Nimbostratus
hi all, just wanted to give update on this.
we had HTTP profile enabled to the VIP 10.185.242.80 after disabling the HTTP profile to VIP, everything worked perfectly.
thank you very much for everyone's help.
- AJ_01_135899Sep 08, 2016Cirrostratus
Thank you for the update, glad it's working!