Forum Discussion

js_168189
Feb 28, 2019

Health Check when VIP and Node in different VLANS

I have a VIP in one VLAN (192.168.30.x), which is a VLAN/DMZ behind a firewall. The nodes for that VIP are in another VLAN/DMZ behind the same firewall, but on a different DMZ interface (192.168.10.x). The VIP is configured using SNAT automap.


So health monitor traffic from 192.168.30.x to 192.168.10.x has to go through the firewall for filtering.


I will fix this, but for now the health monitors for the pool are sourced from self IP 192.168.30.5 and routed to the firewall (192.168.30.1) to reach 192.168.10.x, since the default route of the LTM is 192.168.30.1.


Is this expected behavior? It seems like the health check should be sourced from the self IP in 192.168.10.x.


Also, is the behavior of client-side traffic:
Firewall-DMZ-30 ---> F5 VIP 192.168.30.x ---> SNAT ---> nodes 192.168.10.x
or
Firewall-DMZ-30 ---> F5 VIP 192.168.30.x ---> SNAT ---> Firewall-DMZ-10 ---> nodes 192.168.10.x


Please advise.


10 Replies

  • This behaviour does indeed sound correct.


    The F5 sends health monitor probes from its non-floating self IP on the egress VLAN (i.e. the VLAN on the F5 facing the pool member). Since your pool members sit behind the firewall and not the F5, it will be sourcing the health probes from the front-side VLAN (i.e. Firewall-DMZ-30, 192.168.30.5) and sending them to the upstream next hop, which is the firewall (192.168.30.1). The firewall will then route the traffic to the nodes on Firewall-DMZ-10 (192.168.10.x).


  • Adding to Michael Saleem's comment. What is your default gateway? Do you have any routes configured for those pool members?


  • Thanks for the quick responses. We only have one static route, the default route to 192.168.30.1. There is a self IP in 192.168.10.x, so I think it should use the connected route 192.168.10.0/24 via the self IP?


  • Yes. I would expect the health check probes to be sent directly from the F5 self IP in the 192.168.10.0/24 network if that's the case (since it's a directly connected network).


    For client data traffic coming in via the firewall, the F5 will send the response traffic from the servers back upstream to the firewall.


  • So client data traffic would not be SNAT automapped from the 192.168.10.x self IP and dropped on that VLAN? It would come from the 192.168.30.x self IP? Thanks.


  • Do you have a simple network diagram by any chance? It may help to give more accurate information and avoid confusion.


  • Thanks for the diagram!


    I would expect the health monitor traffic from the F5 to the servers to be sourced from the VLAN 6 self IP 192.168.10.5.


    I would also expect that, for client traffic coming through to the virtual server with SNAT automap, the source IP also gets SNAT'd to the VLAN 6 self IP 192.168.10.5.


  • Thanks for the help. I figured it out. Actually, I should've taken a closer look. Apparently the VLANs aren't on the trunk/tagged port at all. They aren't even created on the F5! Turned out to be rather simple; I just went about troubleshooting the long way. Have a good weekend.
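The lookup the replies describe (directly connected self-IP network first, then static routes by longest prefix, the default route last; monitors sourced from the non-floating self IP on the egress VLAN; SNAT automap preferring the floating self IP on that VLAN) can be modelled in a few lines. The block below is an added example, not F5 code and not something posted in the thread. The addresses are the thread's (192.168.30.5, 192.168.10.5, default route via 192.168.30.1); the VLAN names `dmz30` and `vlan6`, the floating self IP 192.168.10.6 and the pool member 192.168.10.20 are constructed assumptions. It shows both the intended build and the misconfiguration the poster actually found (VLAN 6 never created on the F5), where the only usable route is the default and the probe is forced out of the 192.168.30.x self IP through the firewall.

```python
# Added example: a small model of how an F5 LTM chooses the egress VLAN and the
# source address for health-monitor probes and SNAT automap. Not F5 code; it
# models the lookup order discussed in the thread (connected self-IP network
# first, then static routes by longest prefix, the default route last).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SelfIP:
    address: str          # e.g. "192.168.10.5/24"
    vlan: str
    floating: bool = False


@dataclass(frozen=True)
class Route:
    network: str          # e.g. "0.0.0.0/0"
    gateway: str


def connected_vlan(ip, self_ips):
    """VLAN whose self-IP subnet contains ip, or None if ip is not on-link."""
    addr = ipaddress.ip_address(ip)
    for s in self_ips:
        if addr in ipaddress.ip_interface(s.address).network:
            return s.vlan
    return None


def egress(dst, self_ips, routes):
    """Longest-prefix match over connected networks and static routes.

    Returns (vlan, next_hop). For an on-link destination the next hop is the
    destination itself; for a routed one it is the gateway, which must itself
    be on-link (otherwise the route is unusable and we raise).
    """
    addr = ipaddress.ip_address(dst)
    best_len, best = -1, None
    for s in self_ips:
        net = ipaddress.ip_interface(s.address).network
        if addr in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, (s.vlan, dst)
    for r in routes:
        net = ipaddress.ip_network(r.network)
        if addr in net and net.prefixlen > best_len:
            gw_vlan = connected_vlan(r.gateway, self_ips)
            if gw_vlan is None:
                raise ValueError(f"gateway {r.gateway} is not on any self-IP subnet")
            best_len, best = net.prefixlen, (gw_vlan, r.gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best


def monitor_source(dst, self_ips, routes):
    """Health monitors are sent from the non-floating self IP on the egress VLAN."""
    vlan, next_hop = egress(dst, self_ips, routes)
    s = next(s for s in self_ips if s.vlan == vlan and not s.floating)
    return str(ipaddress.ip_interface(s.address).ip), next_hop


def snat_automap_source(dst, self_ips, routes):
    """SNAT automap uses the floating self IP on the egress VLAN if one exists,
    otherwise the non-floating self IP."""
    vlan, next_hop = egress(dst, self_ips, routes)
    on_vlan = [s for s in self_ips if s.vlan == vlan]
    s = next((c for c in on_vlan if c.floating), on_vlan[0])
    return str(ipaddress.ip_interface(s.address).ip), next_hop


# Constructed configurations. VLAN names are assumptions; the addresses are the
# thread's. DEFAULT_ROUTE is the LTM's only static route (default via 192.168.30.1).
DEFAULT_ROUTE = [Route("0.0.0.0/0", "192.168.30.1")]

# Intended build: both VLANs exist on the F5 with a self IP each.
INTENDED = [
    SelfIP("192.168.30.5/24", "dmz30"),
    SelfIP("192.168.10.5/24", "vlan6"),
    SelfIP("192.168.10.6/24", "vlan6", floating=True),   # assumed floating self IP
]

# What the poster actually had: VLAN 6 was never created, so only dmz30 exists.
MISSING_VLAN6 = [SelfIP("192.168.30.5/24", "dmz30")]

POOL_MEMBER = "192.168.10.20"   # constructed pool member address

if __name__ == "__main__":
    print("intended:", monitor_source(POOL_MEMBER, INTENDED, DEFAULT_ROUTE),
          snat_automap_source(POOL_MEMBER, INTENDED, DEFAULT_ROUTE))
    print("missing VLAN 6:", monitor_source(POOL_MEMBER, MISSING_VLAN6, DEFAULT_ROUTE))
```

With the intended build the probe and the SNAT'd client traffic leave VLAN 6 directly (monitor from 192.168.10.5, automap from the floating 192.168.10.6); with VLAN 6 absent, both fall through to the default route and are sourced from 192.168.30.5 towards 192.168.30.1, which is exactly the symptom in the original question. On a real box the same facts come from `tmsh list net vlan`, `tmsh list net self` and `tmsh list net route`; if the pool member's subnet has no matching self IP there, the default route is doing the work.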