
GTM hands out private IP addresses, need it to hand out public/translated IPs

I want the GTM to balance on a pool of servers that are behind a firewall at a remote data center:

Server A has private IP 192.168.1.1, translated IP 198.19.1.1
Server B has private IP 192.168.1.2, translated IP 192.19.1.2
Server C has private IP 192.168.1.3, translated IP 192.19.1.3

The GTM needs to monitor the servers using private IP, as there are two healthchecks. The first is to do a basic check of port 443. The second is to check Tomcat on port 8080, which is not reachable via the public IP.

I've added the servers (being sure to fill out the translated IP address), created the pool, then created the WideIP. However, I always get back the private IP of the server.

It seems like in the server, pool, or wideIP configuration, there should be a checkbox to hand out the public IP addresses. What am I missing?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If I understand your description then the addresses are backwards. The address field in GTM is the public IP and the translation field is the private IP. GTM resolves using the address field and the monitors also test the IP in the address field so in your case GTM would not be able to check port 8080 on the pub IP.
I have not tested this (pretty sure it will work) but you might be able to work around this by creating two servers/virtual servers, one for the public IP and the other for private. Then in the public virtual server properties set virtual server dependency so it depends on the private addr virtual server. Assign your monitors so that if the private VS is unavailable then the public VS will be marked down also.

1
Comments on this Answer
Comment made 28-Oct-2015 by SureshSKS 0
Thanks Scott. I have the same scenario and I have configured Public IP in the address field, 443 in the service port and https as health monitor, but the VS are showing down. I checked and confirmed the connectivity from GTM to VIP in the LTM (telnet to Public IP with port 443); but still the VS are showing down. Can you please give some inputs?
0
Comment made 03-Nov-2015 by G. Scott Harris 1682
GTM monitors are more complex than you might think. See this thread for a discussion of monitor behavior: https://devcentral.f5.com/questions?pid=42174
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The translation in GTM is for GTM communications only. Not for affecting the addresses that GTM hands out. It's a small distinction, but important... You only use them if there's a NAT between the GTM and the LTM (Or other device) that's serving the VS's.

If you want to translate the addresses that GTM gives you, you need to do that externally, OR with a Rule (There's an LTM Rule that translates GTM addresses in the DNS response on codeshare... Which I'd provide a link to, but some kind soul has re-organised it, and I can't seem to find my way around any more...).

H

1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Ahh... Here's the Rule... GTM Translate...

And a discussion about it (Extra info on where I managed to confuse others -> https://devcentral.f5.com/questions/gtm-irule-split-dns)

H

0
Comments on this Answer
Comment made 07-Apr-2015 by SureshSKS 0
Thanks Hamish for the iRule. Can you help me to create an iRule for the GTM translation for only the DNS response from public IP? Thanks, Suresh
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You're right; I had it backwards. Translation is the internal/private/real IP, whereas address is the external/public/mapped IP.


So the good news is the GTM now hands out the public IPs.

The bad news is I need the Tomcat healthcheck to use the internal IP, since Tomcat is not exposed to the public. I can't find any way to force this. Going to ask F5 support.

0
Comments on this Answer
Comment made 02-Apr-2015 by G. Scott Harris 1682
To test the private IP:tomcat you can create a virtual server for the private IP and apply the monitor there. This VS would not be in a wip pool, it is only for monitoring. Then in the public VS properties add the private VS to the dependency list. Now if private IP:tomcat VS is down the public VS will also be down. Another method would be to create a monitor and configure the alias address and alias service port to test the private IP and Tomcat port. Then assign that to the public VS. With this second method you won't need to create the second private VS.
1
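
An added example, not from the thread or from F5: a small Python model of the behaviour described in the answers above (the address field is what gets handed out and probed, a monitor alias redirects the probe, a dependency propagates a down state), with a check for RFC 1918 addresses in answers. The `VS` class, its field names, the one-monitor-per-VS simplification and the `REACHABLE` set standing in for real probes are assumptions for illustration, not BIG-IP configuration syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
# Explicit list: ipaddress's is_private also matches 198.18.0.0/15 (198.19.1.1).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

@dataclass
class VS:  # hypothetical model of one GTM virtual server entry
    name: str
    address: str                             # address field: handed out in answers
    port: int
    translation: Optional[str] = None        # translation field
    alias: Optional[Tuple[str, int]] = None  # monitor alias address and port
    depends_on: Tuple[str, ...] = ()         # dependency list, by VS name
    in_pool: bool = True                     # False: monitoring-only VS

def probe_target(vs: VS) -> Tuple[str, int]:
    # Monitors test the address field unless an alias is configured.
    return vs.alias or (vs.address, vs.port)

def is_up(vs: VS, by_name: dict, reachable: set, seen: tuple = ()) -> bool:
    # Up only if its own probe and every dependency succeed; loops count as down.
    return vs.name not in seen and probe_target(vs) in reachable and all(
        is_up(by_name[d], by_name, reachable, seen + (vs.name,))
        for d in vs.depends_on)

def audit(vss: list, reachable: set) -> dict:
    # Map VS name -> (DNS answer or None, probe target, up?, findings).
    by_name, report = {v.name: v for v in vss}, {}
    for v in vss:
        findings = []
        if v.in_pool and is_rfc1918(v.address):
            findings.append("answer exposes an RFC 1918 address")
            if v.translation and not is_rfc1918(v.translation):
                findings.append("address and translation look swapped")
        report[v.name] = (v.address if v.in_pool else None, probe_target(v),
                          is_up(v, by_name, reachable), findings)
    return report

# Constructed sample (Server A from the question); Tomcat on 8080 is down.
REACHABLE = {("198.19.1.1", 443), ("192.168.1.1", 443)}
SWAPPED = [VS("a", "192.168.1.1", 443, translation="198.19.1.1")]
DEPENDS = [VS("a_priv", "192.168.1.1", 8080, in_pool=False),
           VS("a_pub", "198.19.1.1", 443, "192.168.1.1", depends_on=("a_priv",))]
ALIAS = [VS("a_pub", "198.19.1.1", 443, "192.168.1.1", alias=("192.168.1.1", 8080))]
```

With the constructed inputs, `audit(SWAPPED, REACHABLE)` flags the reversed fields from the question, while `DEPENDS` and `ALIAS` both hand out 198.19.1.1 and report the public entry down until ("192.168.1.1", 8080) is added to the reachable set.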
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thanks for the response. It sounds like using Dependencies for the server is what I want.

For the second method, I would have to create a separate monitor for each server, correct? Monitor_1: Alias address 192.168.1.1, Monitor_2: Alias address 192.168.1.2, etc

0
Comments on this Answer
Comment made 02-Apr-2015 by G. Scott Harris 1682
Correct, one for each pri IP:port you need to check.
1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you have https on the front end and 8080 on the back end servers, that implies that you are load balancing with what? F5 LTM? If so then the LTM is the one who is doing the health checks against the back end servers on 8080, and via iQuery will communicate to the GTM if any of them are down. Unless I am missing something. If you wanted the GTM to directly query the back end servers, does it have a route to their private IPs?

0
Comments on this Answer
Comment made 5 months ago by John Heyer 400

In this case the servers were in a remote data center managed thru a partner, and there was no LTM. The servers ran Apache Proxy on port 443 and were being accessed via NAT translations on a Cisco ASA firewall. 8080 was the app port, and was not exposed to the internet. The GTM had access to the server private IPs via VPN.

But all moot now since the data center got an LTM in 2016 and then was retired in 2017.

0