Forum Discussion

Steve_Kearns_85
Nov 02, 2010

Can the standby LTM access virtual servers?

I have a pair of LTMs in my data center (running BIG-IP 9.3.0), running as an active/standby pair. My situation is this: I have a virtual server/pool set up for outbound SMTP (for redundancy: I have multiple SMTP services running)--its member resources are a couple of my application servers. I have configured alertd/postfix on both load balancers to relay outbound alerts to my virtual server for SMTP.

The problem is this only works on the active load balancer: if I have a pool go down, I receive the alert email from the active LB, but not from the standby LB. mailq on the standby LB shows the emails in the queue, but that the standby LB cannot connect to the configured relay host (the message from 'mailq' is essentially "connect to [mailserver vip]: Connection timed out").

Further tests: from both the active and standby LTM, I can 'ping' the mailserver VIP; however, I can only telnet to the mailserver VIP from the active LTM (not surprising, since it sends emails): on the standby LTM, the telnet connection times out.

Can anyone offer some insight as to why my standby LTM cannot access the virtual server?

Thanks in advance.

Steve

7 Replies

  • You should definitely be able to get to it. I'd do a tcpdump of a connection attempt. See if the attempt is dying at the VIP, or at the pool members. Do a tcpdump on the relay host as well to see if traffic is getting there.
  • Hamish
    Ahh... No.... The standby LTM won't be able to talk to the VS's on the active LTM... That hasn't worked since v9 IIRC...

    Just configure your postfix to talk to an MX load balanced entry for SMTP (Which resolves to all your SMTP relays).

    H
  • Posted By Hamish on 11/03/2010 09:16 AM

    Ahh... No.... The standby LTM won't be able to talk to the VS's on the active LTM... That hasn't worked since v9 IIRC...

    Just configure your postfix to talk to an MX load balanced entry for SMTP (Which resolves to all your SMTP relays).

    H

    Why wouldn't it simply talk to its own VS?

    If 1.1.1.1:25 is the VS, you should definitely be able to telnet to 1.1.1.1:25 from both units. I just tried this for an HTTP VS and it worked just fine from the backup unit.

  • Hamish
    It'll depend on what the routing table says I think whether you connect to the local LTM or connect out the management port... If you do connect to the local LTM, and SNAT is enabled it might (Will probably) work. But then I only use SNAT as a last resort...

    Without SNAT, the src IP is probably going to be something quite strange (Sorry, at home ATM so can't check what the routing table looks like)... 127.0.0.1 (Loopback) perhaps

    H
  • Good callouts!

    Without SNAT, the web server would see the source IP as the self-ip of the LTM, right? In my case, this isn't floating, therefore traffic will make it back properly.
  • Hamish
    It should depend on how the host routing table is set up. (Unless the kernel and/or TMM does something funny).

    H

  • Well, I haven't made much progress: as suggested, a tcpdump only showed an ARP request and the proper response (i.e., the VIP belonged to the MAC of the internal interface on the active LTM). I haven't done any sniffing from the relay host itself (it's a Windows machine, so not so easy), but since I'm only seeing an ARP request on the LTM, I don't think I'm going to see anything at the pool member.

    Just a bit more background: my VIP is on my internal interface and is using SNAT (as its pool members are on the same VLAN). The standby LTM cannot access any of my VIPs though: I cannot access VIPs on the external or internal interface. The active LTM though can; I can use telnet to open any VIP, on either the external or internal interface.