Forum Discussion

Neil_Marks_2466
Dec 06, 2016

Virtual Server IP address on F5 not accessible outside of the F5 itself???

I have two lab F5s running in AWS as a prototype lab. The 1st F5, which I am calling the external F5, can currently route HTTP to an inner web server which goes through to an app server, and I have this set up for a couple of applications/services. Now I have built the 2nd F5 as an internal F5, which I am looking to use as an internal load balancer for app traffic. I have set up virtual servers and monitors which all work OK on this F5 outbound to the app layer. The issue I have is that the virtual server IP addresses I have defined are NOT accessible outside of this internal F5??

I have several subnets set up within AWS, and the internal F5 has an interface on a subnet for incoming traffic from the external F5 (10.0.6.x) and an interface on the application subnet (10.0.2.x). So for example, the external i/f is 10.0.6.222 for the internal F5; I defined a virtual server on this F5 at 10.0.6.224 which connects up to a back-end app server (say 10.0.2.118) OK, i.e. I have a monitor associated with the pool member for this VS which is GREEN. Yet from another server on the SAME 10.0.6.x subnet I can't ping 10.0.6.224 ... but I can ping the 10.0.6.222 address. From the external F5 I can also ping the 10.0.6.222 address but not 10.0.6.224... ?!?!?

There must be something obvious causing this but I can't for the life of me figure out what. The external F5 has a similar setup, yet I can ping the IP addresses of the virtual servers defined on that F5 OK... Both F5s are running version 11.5.4. Any suggestions of where to look for resolving this???

Many thanks
Neil

12 Replies

  • You said the internal virtual servers all work fine outbound to the app layer. Does this mean they are listening on the internal interface? If that's the case then they would not be accessible from the external network. A topology diagram and tmsh list ltm virtual would be useful.

    • Neil_Marks

      Still working on trying to figure out what is happening. I've attached a diagram showing at a high level the subnets and the F5s, along with a web server and application server. The External F5 -> Web Server -> App Server route is all good. I have defined a virtual server on the internal F5 which connects to the same app server (runs a simple JBoss 6 app on port 10080), and the virtual server/pool/member shows available (green), but I can't get through to the application from this internal F5. The IP address for the virtual server, 10.0.6.224, is not accessible outside of the internal F5 (I can only ping it on the F5 itself). Topology diagram:

      The tmsh list ltm virtual output is here:

      ```
      ltm virtual opal-instance1-vs {
          description "Virtual server for Opal services on instance1"
          destination 10.0.6.224:http
          ip-protocol tcp
          mask 255.255.255.255
          pool opal_instance1-pool
          profiles {
              http { }
              tcp { }
          }
          rules {
              Pool_Status
          }
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          vs-index 3
      }
      ```

      The Pool_Status rule will fire if I issue curl [http://10.0.6.224/Pool_Status](http://10.0.6.224/Pool_Status) on the internal F5:

      ```
      * About to connect() to 10.0.6.224 port 80 (0)
      *   Trying 10.0.6.224... connected
      * Connected to 10.0.6.224 (10.0.6.224) port 80 (0)
      > GET /pool_status HTTP/1.1
      > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3    libidn/0.6.5
      > Host: 10.0.6.224
      > Accept: */*
      >
      * HTTP 1.0, assume close after body
      < HTTP/1.0 200 OK
      < Content-Type: text/html
      < Server: BigIP
      * HTTP/1.0 connection set to keep alive!
      < Connection: Keep-Alive
      < Content-Length: 199
      <
      * Connection 0 to host 10.0.6.224 left intact
      * Closing connection 0
      BIGIP Pool Status - Wed Dec 07 09:32:07 GMT 2016 UP - /Common/opal_instance1-pool
      ```


      And I can also get through to the application via the same route, but only from the internal F5 itself:

      ```
      [root@ltm-int:Active:Standalone] config curl http://10.0.6.224/lab/v1/monitors
      {"serviceStatus":"up","networkStatus":"up","dbStatus":"up"}
      [root@ltm-int:Active:Standalone] config
      ```

      But anywhere outside of this internal F5 itself - the 10.0.6.224 address is NOT accessible..

      Does this more detailed information help?

    • Neil_Marks

      Missed a line from the web server to the inner subnet, as it needs to route traffic from 10.0.6.x onto 10.0.2.x... but this is not part of the problem... just for completeness.

  • See the comment to the answer below... topology diagram included...


  • Ok - so further investigation has highlighted where the problem lies, I think. The web server has a n/w interface on the 10.0.6.x subnet... and this web server has some additional virtual IP addresses which it manages. What appears to have occurred is that at the ARP layer, the existing servers on the 10.0.6.x subnet attempt to route traffic for the 10.0.6.224 address to the n/w interface on the web server. This is seen by looking at the ARP output on each of the servers... only the internal F5 shows the MAC address of the interface on the F5???

    Next question is to understand why this scenario is happening...


  • So,

    please check the L2 switch port and MAC address table! Please check the L3 router and ARP table. Do you have port lockdown on any port of the F5?

    And try a tcpdump: `tcpdump -e -A -s 500 -i any arp`


  • Well it turns out I missed a step in the internal LTM setup - adding the virtual ip address to the required network interface via the AWS console! DOH... Issue resolved.


  • Don't forget to add the vip at the n/w interface via the AWS console!!!
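The thread's root cause is a virtual server address that BIG-IP listens on but that was never assigned to the instance's ENI, so the VPC never delivers traffic for it. The check below is an added example (not from the thread or from F5): it parses `tmsh list ltm virtual` output for destination addresses and compares them with the private IPs in `aws ec2 describe-network-interfaces` JSON. Both inputs are constructed samples modelled on the thread; `eni-EXAMPLE` is a placeholder, and only IPv4 destinations are handled.

```python
import json
import re

# Constructed sample of `tmsh list ltm virtual` output, modelled on the
# virtual server in the thread; not captured from a real device.
TMSH_OUTPUT = """\
ltm virtual opal-instance1-vs {
    destination 10.0.6.224:http
    ip-protocol tcp
    mask 255.255.255.255
    pool opal_instance1-pool
}
ltm virtual forwarding-vs {
    destination 0.0.0.0:any
    ip-protocol any
}
"""

# Constructed sample shaped like `aws ec2 describe-network-interfaces` JSON
# for the internal F5's 10.0.6.x ENI; only the fields used below are present.
ENI_JSON = json.dumps({"NetworkInterfaces": [{
    "NetworkInterfaceId": "eni-EXAMPLE",
    "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.6.222", "Primary": True}],
}]})

DEST_RE = re.compile(r"^\s*destination\s+(\S+)\s*$", re.MULTILINE)

def vip_addresses(tmsh_text):
    """Destination IPs of every virtual server in `tmsh list ltm virtual` output."""
    vips = set()
    for token in DEST_RE.findall(tmsh_text):
        host = token.rsplit("/", 1)[-1]   # drop a /Common/ partition prefix
        host = host.rsplit(":", 1)[0]     # drop the :port or :service-name suffix
        vips.add(host)
    return vips

def eni_private_ips(describe_json):
    """Primary and secondary private IPs AWS has assigned to the ENI(s)."""
    data = json.loads(describe_json)
    return {ip["PrivateIpAddress"]
            for eni in data["NetworkInterfaces"]
            for ip in eni["PrivateIpAddresses"]}

def unassigned_vips(tmsh_text, describe_json):
    """VIPs the BIG-IP listens on that no ENI owns, so the VPC never delivers them.
    Wildcard (0.0.0.0) listeners are skipped: they need no address of their own."""
    vips = vip_addresses(tmsh_text) - {"0.0.0.0"}
    return sorted(vips - eni_private_ips(describe_json))
```

On a real deployment, feed it the device's `tmsh list ltm virtual` output and the JSON from `aws ec2 describe-network-interfaces --network-interface-ids <eni-id>`; any VIP it reports is the one to add with `aws ec2 assign-private-ip-addresses` (or the console, as in the thread).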