Can GTM redirect DNS requests to external host?

Hi,

I am new to F5 BIG-IP equipment and the iRule scripting. Could someone here tell me whether what I am trying to do is possible?

My GTM controls 2 LTMs to respond to HTTP requests on www.foobar.com for load balancing. It all works just fine. When all the virtual servers are above their limit, I want to redirect the HTTP requests to a backup machine [say, 10.1.10.1] which is NOT being controlled by the GTM. So the GTM needs to redirect the traffic to the LDNS with the name and/or IP address of the backup machine. Is this possible, or just a very naive question?

I am working on a simple iRule script which will redirect all the traffic to this backup machine, as shown below.

when DNS_REQUEST {
    host 10.1.10.1
}

While the HTTP requests are not going through GTM to its virtual servers, it seems they are not being redirected to 10.1.10.1 either.

Could someone tell me what I did wrong?

Thanks,
-Xi

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hello,

To have your backup DNS server answer the DNS request, you will want to use the cname command. Also, instead of using the DNS_REQUEST command which runs before the wide IP looks at the pools available, check out the LB_FAILED command.

In your testing, you should see the cname returned with the dig requests. If not, make sure the iRule is associated with a wide IP.

Thanks.
Hi,

Thanks for your prompt response. I have got a few more questions.

1. In my configuration, the statistics results on LTM and GTM are inconsistent; more specifically, the number of connections reported on an LTM is different from the number of connections reported on a GTM (through its server statistics) which controls the LTM. Could someone tell me why?

2. I assume LB_FAILED means none of the virtual servers is available, e.g., reaching the connection limits. I used the following syntax

when LB_FAILED {
    cname external.foo.com
}

My question is how do I check the cname returned with the dig requests? Can I do it on GTM using the bigpipe console? In addition, I am not able to ping external.foo.com from my GTM, but I am able to ping the IP address corresponding to external.foo.com. Where should I add the name resolution, on the GTM or on the LDNS which directs traffic to the GTM?

3. I saw an earlier post similar to my scenario http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=11153. I found a similar scenario on page 7-2 of the 3-DNS Administrator Guide. However, how do I configure it if I want to use the round robin instead of the topology LB method? The point is I don't want the CDN pool to be part of the round robin; it should only be used when no other F5 pool in the wide IP is available.

Thanks,
-Xi
A few answers/comments to your questions.

1. The GTM server statistics are gathered through probing. I am not sure why they would be different than LTM statistics, so if it is of concern, you will likely need to open a subcase with support and provide additional configuration information.

2. LB_FAILED means that no answer to the DNS request was provided. The load balancing modes you have selected will determine whether or not an answer will be returned and this iRule will be executed. One thing to note is that your fallback load balancing method is the most important in determining this as some methods will use any pool member possible, even if unavailable (red/yellow). For example, if your wide IP has one pool, you could select the "None" fallback load balancing method to have the iRule executed. If you have multiple pools, I would suggest reading the load balancing section of the manual to determine exactly which load balancing mode to use. Configuration Manual, Chapter 7 – “Using the fallback load balancing method”

In regards to the dig question, you’ll want to make sure you dig from a box that is not the GTM. Your dig command may look like: dig @
This command should clearly return the CNAME as the result instead of a pool member address when the iRule is executed. If you have additional questions about dig, I suggest taking a look at the dig man page. Bigpipe cannot be used to do digs with GTM. Also, I’d suggest checking out the DNS & BIND book, Fourth or Fifth edition, by O’Reilly. This should be able to answer any additional CNAME questions you may have.

3. It sounds like the Last Resort Pool feature may do what you are hoping to achieve here. Take a look at the Configuration Guide Manual, Chapter 8 – “Setting the last resort pool”

Thanks.
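The dig check described in the answer above, as an added example that is not part of this thread: it queries the wide IP through the GTM listener from a host other than the GTM and classifies the answer section so you can tell a fallback CNAME apart from a normal pool member A record (or an empty answer, which is what LB_FAILED looks like with no iRule attached). The listener address 192.0.2.53 is a placeholder, and the sample answer sections are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from this thread: check from a host that is NOT the GTM
# whether the wide IP currently answers with the fallback CNAME or with a
# pool member A record. GTM_LISTENER is an assumed placeholder address.
GTM_LISTENER="${GTM_LISTENER:-192.0.2.53}"    # assumed: the GTM listener address
WIDEIP="${WIDEIP:-www.foobar.com}"            # wide IP name from the thread

# Classify the answer section of `dig +noall +answer` output (fields are
# name, TTL, class, type, rdata, so the record type is field 4).
# Prints CNAME if any CNAME record is present, A if only address records
# are present, NONE if the answer section is empty.
classify_answer() {
    answer="$1"
    if printf '%s\n' "$answer" | awk '$4 == "CNAME" { found = 1 } END { exit !found }'; then
        echo CNAME
    elif printf '%s\n' "$answer" | awk '$4 == "A" { found = 1 } END { exit !found }'; then
        echo A
    else
        echo NONE
    fi
}

# Query the GTM listener for the wide IP and classify what came back.
check_wideip() {
    classify_answer "$(dig @"$GTM_LISTENER" "$WIDEIP" +noall +answer)"
}

# Constructed sample answer sections (tab-separated, as dig prints them).
SAMPLE_CNAME="$(printf 'www.foobar.com.\t30\tIN\tCNAME\texternal.foo.com.')"
SAMPLE_A="$(printf 'www.foobar.com.\t30\tIN\tA\t10.1.1.10')"
SAMPLE_EMPTY=""

# Run the live query only when explicitly requested, e.g.
#   GTM_LISTENER=<your listener> RUN_LIVE=1 sh check_wideip.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "Answer type for $WIDEIP via $GTM_LISTENER: $(check_wideip)"
fi
```

Run it once while the pools are healthy (expect A) and once while every virtual server is over its limit (expect CNAME); NONE means the wide IP gave no answer at all, which is the case to look at first if the iRule does not appear to be firing.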
My GTM isn't working properly in that the load is not distributed to the two LTMs it's controlling based on the load balance method I chose. In fact, one of the LTMs does not get any requests from the GTM. Using tcpdump I can observe heavy traffic between the GTM and one of the two LTMs.

I have an additional GTM synchronized with the "Primary" GTM. Before I had this additional/redundant GTM join the synchronization group, the primary GTM was able to load balance between the two LTMs using a method such as Round Robin. However, after the new GTM joined the group, the system is not working anymore.

How do I take a GTM out of the synchronization group? And if I do need the redundant GTM, how do I do that? I followed Chapter 6 in BIG-IP GTM and Link Controller: Implementations.

Thanks,
-Xi
To take your GTM out of a sync group, navigate to the "System -> General Properties -> Global Traffic -> General" page. From this page, disable (uncheck) the Synchronization and Synchronize DNS Zone Files options. You should do this to both GTM machines in the sync group.

In regards to why your resolutions stopped working once you added the second GTM, I’m guessing that it is a simple configuration problem. I would suggest contacting support and allowing them to help you diagnose the problem.

Thanks.