Forum Discussion

ParthP
Sep 07, 2016

Back-End pool member has trouble connecting to VIP

Hello,

Currently we have active/passive (HA pair) load balancers with a 2-arm config. For our external we use a /23 VLAN and for our internal we use a /22 VLAN which is broken into /28 sub-VLANs.

We are having issues with 2 VIPs.

VIP 1: VIP IP 10.185.242.79:443, pool members 10.185.172.212:443 and 10.185.172.213:443

VIP 2: VIP IP 10.185.242.80:5590, pool members 10.185.173.152:5590 and 10.185.173.153:5590

The issue is that servers 10.185.172.212 and 10.185.172.213 cannot access the VIP 10.185.172.80.

Every time the servers try to access the VIP, the connection times out.

However, servers 10.185.172.212 and 10.185.172.213 are able to access servers 10.185.173.152 and 10.185.173.153 directly.

Going through the VIP, the connection times out.

There is no FW between the back-end pool members and the VIP.

This is my first time asking a question, so any help is appreciated. If you have any questions, please let me know. I really appreciate your help on this.

Thanks.

6 Replies

  • Do the servers use the F5 as their default gateway (or have proper return routing to the F5 configured)? If not, you'll need to apply a SNAT configuration to the VIP so return traffic is properly routed back to the backend server. SNAT with automap would be the most basic configuration that will likely get this to work; this setting is on the VIP configuration screen.

    A basic overview of how this could be failing: you're looking at an asymmetric traffic path where your server 10.185.172.212 is sending traffic to the VIP 10.185.172.80. The F5 proxies that traffic but maintains the source IP of 10.185.172.212. When responses are sent back to the originator, the backend server will use its default gateway to return traffic to the source IP (which is likely NOT the F5 in this case). SNAT will cause the F5 to use a self-IP as the originating IP address, which will cause return traffic from the backend server to be sent back to the F5 and on back to the original client.

    Hope this makes sense; it was written quickly. I can break this down further if you'd like.

    One downside to SNAT is that you can lose the original IP address in the backend server logs (if it's a webserver), but this can be remedied by using X-Forwarded-For headers (an option in an HTTP profile on the F5).
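
The asymmetric-return argument in the reply above, worked through as an added example (it is not code from the thread or from F5). The client, VIP and pool member addresses are the ones in the question; the LTM self-IPs 10.185.242.2 and 10.185.173.145, the /28 boundary 10.185.173.144/28 and the non-F5 router 10.185.173.158 are assumptions made to fit the poster's /22-split-into-/28s layout. The model also covers one case beyond the thread: a client sitting on the same /28 as the pool member, where the reply bypasses the LTM even when the LTM is the default gateway.

```python
"""Routing model: does a pool member's reply to a proxied connection come
back through the LTM, with and without SNAT automap?

Added example for this thread, not F5 code.  Self-IPs, /28 boundary and
the second router below are assumptions.
"""
import ipaddress

# Assumed LTM self-IPs: one on the external /23, one on the members' /28.
SELF_IPS = ["10.185.242.2", "10.185.173.145"]

# Pool member for VIP 2, placed in the assumed /28 10.185.173.144/28.
MEMBER_F5_GW = {"ip": "10.185.173.152", "prefix": "10.185.173.144/28",
                "gateway": "10.185.173.145"}      # F5 self-IP is the gateway
MEMBER_OTHER_GW = {"ip": "10.185.173.152", "prefix": "10.185.173.144/28",
                   "gateway": "10.185.173.158"}   # assumed non-F5 router


def next_hop(host, dst_ip):
    """Ordinary host routing: deliver directly if the destination is on the
    connected subnet, otherwise hand the packet to the default gateway."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host["prefix"]):
        return dst_ip
    return host["gateway"]


def serverside_source(client_ip, member, self_ips, snat_automap):
    """Source address the pool member sees on the LTM's server-side
    connection.  Without SNAT the client IP is preserved; with SNAT automap
    the LTM substitutes its self-IP on the VLAN facing the member."""
    if not snat_automap:
        return client_ip
    for self_ip in self_ips:
        if ipaddress.ip_address(self_ip) in ipaddress.ip_network(member["prefix"]):
            return self_ip
    raise ValueError("no self-IP on the member's VLAN; automap cannot pick one")


def reply_returns_via_f5(client_ip, member, self_ips, snat_automap):
    """Return (symmetric, source_seen_by_member, first_hop_of_reply).

    The path is symmetric only if the member's reply is handed to an LTM
    self-IP, either because that self-IP is the reply's destination (SNAT)
    or because it is the member's default gateway.  Otherwise the reply
    bypasses the LTM's connection table, the client never gets the proxied
    SYN/ACK, and the connection times out."""
    src_seen = serverside_source(client_ip, member, self_ips, snat_automap)
    hop = next_hop(member, src_seen)
    return hop in self_ips, src_seen, hop


if __name__ == "__main__":
    cases = [
        ("F5 is gateway, no SNAT", "10.185.172.212", MEMBER_F5_GW, False),
        ("other gateway, no SNAT", "10.185.172.212", MEMBER_OTHER_GW, False),
        ("other gateway, SNAT automap", "10.185.172.212", MEMBER_OTHER_GW, True),
        ("client on member's own /28, no SNAT", "10.185.173.150", MEMBER_F5_GW, False),
    ]
    for label, client, member, snat in cases:
        ok, src, hop = reply_returns_via_f5(client, member, SELF_IPS, snat)
        print(f"{label:38} member sees {src:15} reply -> {hop:15} "
              f"{'via F5' if ok else 'BYPASSES F5'}")
```

On the LTM itself the "SNAT automap" toggle is the virtual server's source-address-translation setting (type automap in tmsh). Note the model only describes layer-3 return routing: in the poster's own setup the F5 already is the internal gateway, which is exactly the first case above, so this explanation alone does not account for the timeout they report after enabling SNAT.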

    • ParthP

      We are using the F5 as the GW for the internal subnets. During troubleshooting I also applied SNAT Automap to the VIP 10.185.242.80 and still got the same error: "ARServer (): ERROR (91): RPC call failed; 10.185.242.80:5590 ONC/RPC call timed out"

      The application that is running on these VIPs is BMC Remedy, I don't know if that helps.

      Thanks for the answer.

    • AJ_01_135899

      Do you have any monitoring on the pool members, and are they showing as up? Can you telnet to the front-end VIP:port from the source device?

    • ParthP

      The pool members are up and running. Since the members are set up with port 5590, they have standard TCP monitors on them. I can telnet to the VIP without any issues; it is just accessing the VIP from 10.185.172.212/213 that is the problem.

      I have opened an F5 support case and we took a few captures, but we were not able to determine the root cause of this behavior. We also enabled SNAT, but that did not resolve anything.