Forum Discussion

rajeevs_74805
Sep 20, 2012

LTM Configuration - Query

Hi All

I have a query regarding the LTM configuration. I have 2 proxy servers in my environment. I would like to load balance these 2 servers using the BIG-IP LTM.

The load balancer is located in the segment 10.10.10.x & it has the virtual IP of 10.10.10.1. The physical servers are located in a different segment. The IP addresses of the physical servers are 20.20.20.1 & 20.20.20.2.

Would like to check the following.

1. Is it possible to configure the LB in such a way that the virtual IP is from one segment & the physical IP addresses of the servers are from a different segment?

2. Even if it is possible, I believe the proxy traffic from the user hits the VIP of the load balancer & then it hits the physical IP & it does the load balancing. But the return traffic from the proxy will not be flowing through the LB.

The traffic will be bypassing the LB & it is sent to the user. In this case, if the user again hits the proxy through the LB, will the LB allow the traffic or will it block it?

To simplify it: the traffic from the user to the proxy flows through the LB, but from the proxy to the user the traffic will not be flowing through the LB. Let me know if this can impact the traffic flow.

 

5 Replies

  • nathe
    Rajeevs,

    1. Yes

    2. Looks like you'll get asymmetric routing if the return traffic doesn't return via the LTM. I imagine this is because the proxy sees the client's real address and the LTM isn't inline. I'd add SNAT to the VIP so return traffic does go back via the LTM and then on to the client. Of course, the proxy will lose sight of the client IP address, which may not be what you want.

    HTH,

    N
  • thanks

    Yes, it is not possible to use SNAT since my clients' IP addresses will be masked & my proxy will see only the VIP of the LTM.

    But would like to understand why the LTM will not allow my traffic if the return traffic is not through them.

    Traffic flow will be like this:

    Client IP -> VIP LTM -> Proxy Physical IP -> Initial Traffic

    Proxy Physical IP --> Client IP -> Return Traffic

    Client IP -> VIP LTM -> Proxy Physical IP -> Subsequent Traffic

    Would like to understand why the LTM will not allow the subsequent traffic to pass through.

    What parameters does it check or what features does it check for this?
  • nathe
    Because the LTM is part of a full proxy architecture, it tears down / creates new connections. There won't have been a client / proxy server connection set up.

    You could look to use the X-Forwarded-For profile to retain the client IP.

    N
  • I understood your point.

    Request you to please let me know why the LTM will not allow the subsequent traffic to pass through.
  • Rajeevs, when the client connects to the LTM, a TCP connection is established and terminated on the LTM. The LTM then establishes a different TCP connection to the proxy and passes the client traffic down it. The proxy does not have a direct connection between itself and the client. When the proxy attempts to send the response traffic to the client, it's routed directly back to the client, but as the client does not have an established connection between itself and the proxy (its connection is with the LTM) it will drop all the return traffic it receives, as it's not expecting traffic direct from the proxy. Additionally, the return traffic source IP is not that of the virtual server.

    The LTM is not disallowing anything but the rules of TCP/IP are, and for good reason really.
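The behaviour described in the replies above (full proxy, SNAT, X-Forwarded-For) can be seen in a small simulation. The following Python model is an added example, not F5 code and not from any poster in this thread: it models a client whose TCP stack only accepts segments from a peer it has a connection with, and an LTM that terminates the client connection and opens its own to a pool member. The VIP 10.10.10.1 and the pool members 20.20.20.1 / 20.20.20.2 come from the thread; the client address 192.0.2.10, the LTM self IP 20.20.20.254 used as the SNAT address, and the HTTP request text are constructed for the simulation.

```python
"""Toy model of the traffic flows discussed in the thread (added example).

Addresses 10.10.10.1, 20.20.20.1 and 20.20.20.2 come from the thread; the
client address, the LTM self IP used for SNAT and the request are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CLIENT_IP = "192.0.2.10"             # constructed client address
VIP = "10.10.10.1"                   # virtual server address from the thread
POOL = ["20.20.20.1", "20.20.20.2"]  # proxy servers from the thread
LTM_SNAT_IP = "20.20.20.254"         # assumed LTM self IP on the server segment


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str
    syn: bool = False  # True for the segment that opens a connection


class Host:
    """End host whose TCP stack only accepts segments from a known peer."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.peers: Set[str] = set()
        self.dropped: List[Packet] = []

    def receive(self, pkt: Packet) -> bool:
        if pkt.dst != self.ip:
            self.dropped.append(pkt)
            return False
        if pkt.syn:
            self.peers.add(pkt.src)  # accept the new connection
        if pkt.src in self.peers:
            return True
        self.dropped.append(pkt)  # no matching connection: discard
        return False


class FullProxyLTM:
    """Terminates the client connection and opens its own to a pool member."""

    def __init__(self, vip: str, pool: List[str], snat_ip: Optional[str] = None,
                 insert_xff: bool = False) -> None:
        self.vip, self.pool = vip, list(pool)
        self.snat_ip, self.insert_xff = snat_ip, insert_xff
        self.next_member = 0
        # server-side (member, source) -> client address, used on the return path
        self.flows: Dict[Tuple[str, str], str] = {}

    def client_side(self, pkt: Packet) -> Packet:
        assert pkt.dst == self.vip, "only traffic to the VIP is load balanced"
        member = self.pool[self.next_member % len(self.pool)]  # round robin
        self.next_member += 1
        src = self.snat_ip or pkt.src  # SNAT rewrites the source, otherwise preserve it
        self.flows[(member, src)] = pkt.src
        payload = pkt.payload
        if self.insert_xff:  # X-Forwarded-For carries the real client IP to the proxy
            payload = payload.replace(
                "\r\n\r\n", f"\r\nX-Forwarded-For: {pkt.src}\r\n\r\n", 1)
        return Packet(src, member, payload, syn=True)

    def server_side(self, pkt: Packet) -> Optional[Packet]:
        client = self.flows.get((pkt.src, pkt.dst))
        if client is None:
            return None
        return Packet(self.vip, client, pkt.payload)  # reply now comes from the VIP


def simulate(snat: bool, xff: bool = False) -> Dict[str, object]:
    client = Host(CLIENT_IP)
    client.peers.add(VIP)  # the client's only connection is to the VIP
    proxies = {ip: Host(ip) for ip in POOL}
    ltm = FullProxyLTM(VIP, POOL, snat_ip=LTM_SNAT_IP if snat else None,
                       insert_xff=xff)

    request = Packet(CLIENT_IP, VIP,
                     "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
                     syn=True)
    to_proxy = ltm.client_side(request)
    proxy = proxies[to_proxy.dst]
    proxy.receive(to_proxy)

    # The proxy answers whatever source address it saw on its connection.
    reply: Optional[Packet] = Packet(proxy.ip, to_proxy.src, "HTTP/1.1 200 OK\r\n\r\n")
    # Routing: a reply addressed to the LTM self IP returns through the LTM;
    # anything else is routed straight to the client, bypassing the LTM.
    if reply.dst == LTM_SNAT_IP:
        reply = ltm.server_side(reply)
    assert reply is not None
    accepted = client.receive(reply)

    xff_value = None
    for line in to_proxy.payload.split("\r\n"):
        if line.lower().startswith("x-forwarded-for:"):
            xff_value = line.split(":", 1)[1].strip()
    return {"member": proxy.ip, "proxy_saw_client_ip": to_proxy.src == CLIENT_IP,
            "xff_header": xff_value, "reply_src": reply.src,
            "client_accepted": accepted}


if __name__ == "__main__":
    for snat, xff in ((False, False), (True, False), (True, True)):
        print(f"snat={snat} xff={xff}:", simulate(snat, xff))
```

Without SNAT the proxy sees the real client address, but its reply arrives at the client from 20.20.20.1 rather than from the VIP and matches no connection, so the client discards it. With SNAT the reply is routed back to the LTM, translated to come from the VIP and accepted; the proxy then only sees the LTM's address, which is where the X-Forwarded-For header option from nathe's second reply comes in.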