Forum Discussion
8 Replies
- pete_71470 (Cirrostratus)
Can you set F5 as the default gateway for the pool members? You might also try nPath; that works as long as those running the pool members remember to set up the VIP address on a non-arping loopback. With a Unix-like OS like Linux you can use the 'ip' command to set up multiple routing tables, each with its own default gateway, using 'ip' or iptables to glide node member egress traffic toward the interface primed to deliver to F5.
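The Linux policy-routing approach described in the post above, as an added example that is not part of the original thread. The function only prints the `ip` and `iptables` commands; the BIG-IP self IP (10.10.10.1), interface name (eth1) and table number (100) are constructed values, and `policy_route_plan` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, but does not run, the commands
# for a Linux pool member whose main default gateway is NOT the BIG-IP.
# Addresses, interface name, table number and mark are constructed values.

# usage: policy_route_plan MODE SVC_IP F5_SELF_IP DEV TABLE
#   MODE=src   route by source address (service IP only ever talks via the BIG-IP)
#   MODE=mark  route by connection mark (only flows that arrived on DEV)
policy_route_plan() {
    mode=$1 svc_ip=$2 f5_self=$3 dev=$4 table=$5
    case $mode in
        src|mark) ;;
        *) echo "mode must be src or mark" >&2; return 1 ;;
    esac
    case $table in
        ''|*[!0-9]*) echo "table must be a number" >&2; return 1 ;;
    esac
    # 0, 253, 254 and 255 are reserved (unspec, default, main, local).
    if [ "$table" -lt 1 ] || [ "$table" -gt 252 ]; then
        echo "table must be in 1-252" >&2; return 1
    fi
    # Extra routing table whose only default route points at the BIG-IP.
    echo "ip route add default via $f5_self dev $dev table $table"
    if [ "$mode" = src ]; then
        # Every packet sourced from the service address uses that table.
        echo "ip rule add from $svc_ip lookup $table"
    else
        # Mark new connections that came in from the BIG-IP side, copy the
        # mark onto locally generated replies, and route marked packets via
        # the extra table. The table number is reused as the mark value.
        echo "iptables -t mangle -A PREROUTING -i $dev -d $svc_ip -m conntrack --ctstate NEW -j CONNMARK --set-mark $table"
        echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
        echo "ip rule add fwmark $table lookup $table"
    fi
}

# Constructed sample: pool member 10.10.10.10 behind self IP 10.10.10.1.
policy_route_plan src 10.10.10.10 10.10.10.1 eth1 100
```

Review the printed commands before running them as root; they do not persist across a reboot unless added to the host's network configuration.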
- Chris_Olson (Nimbostratus)
Please help, I may have the same issue.
We are having issues with client connections in our new HL7 environment.
We set up multiple clients on the same VIP and same pool member on the F5.
Each client has their own port, which is how we keep them separated.
Clients are using a site-to-site VPN to connect.
This worked when we tested over the internet. The only difference is that we are using a site-to-site VPN.
Clients claim they do not get an acknowledgement when they send a message. The external firewall shows that we are indeed sending an acknowledgement. Also, a simple telnet from the client to the VIP over the port specified shows they are indeed connected.
However, when I run Wireshark on the HL7 server that sits behind the F5 and filter by the client’s port, I see nothing. If it’s not getting to the server, what is responding? The F5? I fear it may be a SNAT issue but we are using SNAT automap.
Can someone more clearly define how the F5 handles this traffic once it hits the F5? Should I be able to see the clients address and port on the server or does the F5 hide that information?
virtual HL7_Client1 {
    snat automap
    pool pool_hl7_Client1
    destination 205.xxx.xx.xx:8888
    ip protocol tcp
    persist source_addr
    profiles {
        Http_compression {}
        tcp {}
    }
}
virtual HL7_Client2 {
    snat automap
    pool pool_hl7_Client2
    destination 205.xxx.xx.xx:9999
    ip protocol tcp
    persist source_addr
    profiles {
        Http_compression {}
        tcp {}
    }
}
pool pool_hl7_Client1 {
    lb method member least conn
    action on svcdown reselect
    monitor all gateway_icmp
    members 10.10.10.10:8888 {}
}
pool pool_hl7_Client2 {
    lb method member least conn
    action on svcdown reselect
    monitor all gateway_icmp
    members 10.10.10.10:9999 {}
}
- What_Lies_Bene1 (Cirrostratus)
Chris, the server-side SNAT source port won't match the client's original source port perhaps. You might want to try modifying the SNAT Source Port Preservation setting and changing it to Preserve - Strict; however, this can have its downsides.
- Chris_Olson (Nimbostratus)
Thanks very much. At least I know why my packet captures are not showing anything on the server. I have to prove to our Dev group that the traffic is actually getting to the server. Can you please give me a brief description of what the F5 does to the traffic so I can explain this to them?
- Mike_73765 (Nimbostratus)
@Pete: no, we cannot have the pool member's default gateway be the bigip.
- pete_71470 (Cirrostratus)
There are a number of threads concerning the node-gets-src-ip topic, including at least one with helpful ideas from Aaron (from some time ago):
- Hamish (Cirrocumulus)