Tom_Bell_15050
Jun 29, 2010, Nimbostratus
Issues getting second F5 to answer on real world IP
We have a mirrored configuration. Namely an ASA forwarding traffic to a F5 serving traffic from a pool of nodes behind it.
At one site we've successfully setup and tested the following.
(172.b.x.x) (203.x.x.x/32) (172.a.x.x)
(INTERNET) <<-->> ASA <<-->> F5 (With real world IP) <<-->> Pool (Different 172 network)
The entire /24 real IP range has been delegated to the ASA, and it's forwarding those real IPs on 80 & 443 through to the F5. Between the F5 and ASA is a 172 network we use for routing. The F5 has a VIP listening on one of these real-world IPs and happily answers traffic and serves content. This F5 behaves as expected with SNAT on or off, as well as when using SNAT pools.
Our second site has the same physical hardware yet is behaving differently.
Namely, we are able to use tcpdump on the F5 and see the traffic on the relevant VLAN coming in. Yet the traffic is never answered by the VIP or forwarded to the relevant pool. Yes, we are using a different /24 subnet of real-world IPs. And yes, the subnets at each site do point at the relevant kit as their default gateway.
We've gone through every possible setting on both the firewalls and F5s; the only difference is an incredibly minor firmware version difference on the F5, namely BIG-IP 9.3.1 Build 69.0 (working) vs BIG-IP 9.3.1 Build 58.0 (not working).
We are running F5 LTM 9400s.
To complicate matters, both F5s are currently serving farms of content only on 172 IPs that have been NATted by the ASAs, rather than our preferred method of having the 203 IPs on the F5s.
If there's anything else anyone can think of for me to check that would be awesome.
Thanks
Tom
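Added here as a worked example, not part of Tom's post and not F5 or Cisco tooling: a short Python script that reads `tcpdump -nn` text output and lists the VIP address/port pairs that received client SYNs but never replied with a SYN-ACK. That is exactly the symptom described above (traffic visible on the VLAN, nothing answered), and separating "SYN arrived" from "SYN-ACK left" narrows the fault to the BIG-IP's listener or its return path rather than the ASA's forwarding. The capture lines are constructed for this example using documentation address ranges; the line format assumed is the default tcpdump IPv4/TCP text output.

```python
import re
from collections import defaultdict

# Matches the default `tcpdump -nn` text line for IPv4 TCP segments.
# Assumption: timestamp, "IP", src.port > dst.port, then the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (TEST-NET addresses, not real traffic):
#  - 203.0.113.20:443 answers the client's SYN with a SYN-ACK (healthy VIP)
#  - 203.0.113.30:80 sees three SYN retransmits and never answers
#  - one ARP line shows non-TCP output is skipped
SAMPLE_CAPTURE = [
    "10:15:01.000100 IP 198.51.100.10.51234 > 203.0.113.20.443: Flags [S], seq 1000, win 65535, length 0",
    "10:15:01.000300 IP 203.0.113.20.443 > 198.51.100.10.51234: Flags [S.], seq 5000, ack 1001, win 4380, length 0",
    "10:15:01.000500 IP 198.51.100.10.51234 > 203.0.113.20.443: Flags [.], ack 1, win 65535, length 0",
    "10:15:02.000100 IP 198.51.100.11.40001 > 203.0.113.30.80: Flags [S], seq 2000, win 65535, length 0",
    "10:15:03.000100 IP 198.51.100.11.40001 > 203.0.113.30.80: Flags [S], seq 2000, win 65535, length 0",
    "10:15:05.000100 IP 198.51.100.11.40001 > 203.0.113.30.80: Flags [S], seq 2000, win 65535, length 0",
    "10:15:05.200000 ARP, Request who-has 172.16.0.1 tell 172.16.0.2, length 28",
]


def parse_line(line):
    """Return a dict with src/sport/dst/dport/flags for a TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def find_unanswered_vips(lines):
    """Return {(vip, port): syn_count} for listeners that never sent a SYN-ACK.

    A pure SYN ("S") from client -> VIP opens a pending handshake; a SYN-ACK
    ("S.") from VIP -> client closes it. Whatever remains pending is the VIP
    side never answering, which is what tcpdump on the LTM should reveal.
    """
    pending = defaultdict(int)   # (client, cport, vip, vport) -> SYNs seen
    answered = set()             # same 4-tuples that got a SYN-ACK back
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":
            pending[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
        elif p["flags"] == "S.":
            # Reverse direction: the SYN-ACK's destination is the client.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))

    unanswered = defaultdict(int)
    for (client, cport, vip, vport), count in pending.items():
        if (client, cport, vip, vport) not in answered:
            unanswered[(vip, vport)] += count
    return dict(unanswered)


def report(lines):
    """Human-readable summary, one line per silent VIP listener."""
    return [
        f"{vip}:{port} received {n} SYN(s) and never sent a SYN-ACK"
        for (vip, port), n in sorted(find_unanswered_vips(lines).items())
    ]


if __name__ == "__main__":
    # In practice, feed `tcpdump -nn -i <vlan> 'tcp[tcpflags] & tcp-syn != 0'`
    # output into this via a file or stdin instead of the constructed sample.
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

If a VIP shows up in this list while its IP is confirmed to be the destination of the arriving SYNs, the packets are reaching the box but the listener is not claiming them, so the next things to compare between the two sites are the virtual server's address/port and VLAN assignment and whether a route exists back toward the client network.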