Tom_Butler_1775
Altocumulus
Feb 02, 2018
Solved

Port Forwarding from VS to Pool

I am attempting to set up a new Virtual Server to listen on and forward to a pool member on port 4002. I have the VS, the pool, and the member server all green. I can telnet to the member server in the pool on port 4002; however, when I attempt to telnet to the VS on 4002 (which is set to listen on all * ports) there is no successful connection. The IP address of the member server is the VIP for an MS Cluster for two HA servers. I have attempted to do the same work using the actual IP address of the VM server listening on 4002. I know that it is something simple, perhaps an iRule or a profile that I am missing. Any help would be very much appreciated.

 


4 Replies

    Surgeon
    Ret. Employee

    This can be due to multiple reasons. If no SNAT option is applied, do your servers have a route back to the client subnet? If the VIP and the servers' IPs are on the same subnet, then SNAT/Automap needs to be configured. Does your server allow connections from the client IP or the SNAT/Self IP?

     

    Can you provide the VIP config? A packet capture can help a lot.

     

  • The scenario is:

     

    Client IP addresses are used by the back end application as a part of their authentication, which means that the client IP address will need to be forwarded through the virtual server to the pool.

     

    An ASA 5585 NAT is passing the client IP addresses into the Virtual server.

     

    The application will need to answer the client on the ports mentioned. I do not have SNAT configured yet, this is a new process for me, and I am looking for the most effective method to achieve the end goal.

     

    Surgeon
    Ret. Employee

    The first thing you need to check is whether there is a route on the client side pointing to the VIP IP, and whether the pool members have a route back to the client's subnet via the BIG-IP.

     

    What sort of traffic are you passing? Can you share the VIP config? You can hide any sensitive data like IPs. I am more interested in the profiles and protocol configured on your VIP and the type of the VIP.

     

  • We have this resolved. Initially it was necessary to add the new VLANs to the port channels used for the F5 to communicate with the balance of the application infrastructure. Once this was accomplished, an iRule to limit the VS to the specific ports required for application delivery was applied, and finally, to ensure IP persistence through the entire data flow for the application, the default gateway for the application servers had to be set to the float IP for the VLAN on the application servers, routing return traffic back through the BIG-IP.
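
The return-path question raised in this thread (does the pool member's reply go back through the BIG-IP when the client IP must be preserved?) can be checked against a server's routing table. The following is an added example, not code from the thread or from F5; all addresses, route tables and function names are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "unreachable"
    return best[1] if best[1] is not None else "on-link"

def return_path(server_routes, client_ip, bigip_float_ip, snat_ip=None):
    """Classify how a pool member's reply travels back toward the client.

    With SNAT the server answers the BIG-IP's SNAT address; without SNAT it
    answers the real client IP, so its route to that IP must be the BIG-IP.
    """
    reply_dst = snat_ip if snat_ip else client_ip
    hop = next_hop(server_routes, reply_dst)
    if hop == "unreachable":
        return "no route"
    via_bigip = hop == bigip_float_ip or (snat_ip is not None and hop == "on-link")
    if not via_bigip:
        # Reply bypasses the BIG-IP: the client sees a SYN-ACK from an address
        # it never contacted and the connection to the VS never completes.
        return "asymmetric via " + hop
    if snat_ip:
        return "symmetric, client IP hidden by SNAT"
    return "symmetric, client IP preserved"

# Constructed sample data (documentation and private ranges only).
CLIENT = "203.0.113.25"          # client address as passed in by the upstream NAT
FLOAT_IP = "10.20.0.1"           # BIG-IP floating self IP on the server VLAN
BEFORE = [("10.20.0.0/24", None), ("0.0.0.0/0", "10.20.0.254")]  # old gateway
AFTER = [("10.20.0.0/24", None), ("0.0.0.0/0", FLOAT_IP)]        # gateway = float IP

if __name__ == "__main__":
    print("before:", return_path(BEFORE, CLIENT, FLOAT_IP))
    print("after: ", return_path(AFTER, CLIENT, FLOAT_IP))
    print("snat:  ", return_path(BEFORE, CLIENT, FLOAT_IP, snat_ip="10.20.0.5"))
```

The SNAT case keeps the path symmetric without touching the gateway, but the server then sees only the SNAT address, which does not fit an application that authenticates on client IP.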