Forum Discussion
Mike_Lowell_456
Sep 09, 2005 | Historic F5 Account
Thanks!
I originally thought to use persistence in this manner, but the problem is actually a bit more complicated than I originally explained.
There are actually two pairs of BIG-IPs load balancing VPNs (one pair on top, one pair at the bottom, like a firewall sandwich), like this:

    [BRANCH1]   [BRANCH2]
        |         /
        [BIG-IP ext]
         |        |
      [VPN1]   [VPN2]
         |        |
        [BIG-IP int]
             |
        [HQ network]
Also, there are actually 500 branch offices. A VPN tunnel is only established to one VPN at a time, so the only way to get from a given branch into the "HQ network" is via the VPN which has the tunnel established. Similarly, the only way to get to a given branch FROM the HQ network is via the VPN which has a tunnel established.
As you can see, both pairs of BIG-IPs (top and bottom) need to have the same persistence information so they both pick the same VPN, regardless of the direction of the traffic (whether a connection is originated from the branch or from the HQ).
This is why I thought to use a hash based on the network of the branch office, but maybe there is a better way? My plan was that for traffic coming FROM the branch, I would use a rule that looked at the SOURCE network. For traffic going TO the branch, I would use a rule that looked at the DESTINATION network. Both pairs of BIG-IPs would have essentially the same rule, except that one would inspect the source network while the other would inspect the destination network (in both cases, the branch office network). Does that make sense?
I'm very open to alternate ways to solve this problem. As always, any help is greatly appreciated!
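One way to express the source-network / destination-network plan from the post above as a pair of iRules, added here as an example and not code from the original poster or from F5. Everything named is an assumption: a pool called vpn_pool, VPN concentrators at 10.1.1.1 and 10.1.1.2, /24 branch networks, and v9-style iRule commands (IP::addr ... mask, crc32, pool ... member). The only difference between the two rules is which address is masked to get the branch network.

```tcl
# Added example, not from the original post. Two iRules that apply the SAME
# hash to the branch network from either direction, so both BIG-IP pairs pick
# the same VPN for a given branch. Assumed (not from the post): pool "vpn_pool",
# VPN addresses 10.1.1.1 and 10.1.1.2 listed in the SAME order on both pairs,
# and /24 branch networks (mask 255.255.255.0).

# --- iRule for the external BIG-IP pair (connections FROM a branch) ---
when CLIENT_ACCEPTED {
    # The branch office is the SOURCE, so key on the client's /24 network.
    set branch_net [IP::addr [IP::client_addr] mask 255.255.255.0]
    set vpns [list 10.1.1.1 10.1.1.2]
    # crc32 is deterministic, so a given network always maps to the same index.
    set idx [expr {[crc32 $branch_net] % [llength $vpns]}]
    pool vpn_pool member [lindex $vpns $idx]
}

# --- iRule for the internal BIG-IP pair (connections TO a branch) ---
when CLIENT_ACCEPTED {
    # The branch office is the DESTINATION, so key on the /24 network of the
    # local (destination) address instead, with the identical list, mask and
    # hash as the external rule.
    set branch_net [IP::addr [IP::local_addr] mask 255.255.255.0]
    set vpns [list 10.1.1.1 10.1.1.2]
    set idx [expr {[crc32 $branch_net] % [llength $vpns]}]
    pool vpn_pool member [lindex $vpns $idx]
}
```

Each rule goes on the virtual server of its own pair. The symmetry holds only while the member list order, the mask and the hash function are byte-for-byte identical on both pairs; changing any of them on one side remaps every branch. Note also that a plain modulo hash keeps sending a branch to its VPN even when that VPN is down, and any fallback you add for that case has to be applied identically on both pairs, or the two sides will again disagree about which VPN owns the branch.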
a1l0s2k9