Forum Discussion

Jason_C_124489
Mar 08, 2013

Configuring F5 virtual server for EPM LWA(internal VIP) calls

Oracle EPM 11.1.2.1 installation with 2 highly available web servers [web01 = 10.10.10.1 & web02 = 10.10.10.2] on a web VLAN that is shared with the F5 [10.10.10.10].

External VIP [an external network IP] receiving client requests on external network interface is configured to a virtual server with a pool that is the 2 web servers above. The F5 offloads this SSL traffic before passing for load balancing.

Internal VIP [10.10.10.5] is another virtual server which is configured to receive web server requests on port 80 for these to be load balanced to the same two web servers (so effectively, the HTTP call could be returned to the same server that originated it; in our testing we specified only the other web server for now).

When we test, we point our browser to the internal VIP FQDN which resolves to the correct (.5) IP address, but it takes ages for the page to load - and only that which loads (content missing and incorrectly placed in browser). Traces on F5 showing loads of resent requests etc. suggesting the traffic is not getting through as it should.

I don't have access to the F5, but I have been assured the virtual server and pool are pretty basic configurations - nothing too fancy.

So, the question at this point is can the F5 work in such a manner?

We have another route which bypasses the F5 and terminates at the firewall in front of the F5. We had configured the internal VIP with an IP address on the network that is the same as that of the external VIP. The servers have a default gateway configured to route the internal VIP traffic via the firewall which then passes the requests onto the i-VIP with a 'north side' IP address. In this configuration, the webpages are instantly returned to the web server's browser!

Also, with the i-VIP configured with a web VLAN address, we are unable to ping it (ICMP is enabled). We are also unable to ping the F5's interface IP address on the web VLAN. However, as there is a 2nd F5 set up in active/passive failover ... we can ping its internal interface IP AND we can ping the floating IP. Each F5 can ping ALL of the other F5's IPs too. However, both of our web servers cannot ping the two IPs mentioned above.

Both F5s can ping both servers.

There are no firewalls between the F5s and the web servers.

Thanks.

2 Replies

  • "When we test, we point our browser to the internal VIP FQDN which resolves to the correct (.5) IP address, but it takes ages for the page to load - and only that which loads (content missing and incorrectly placed in browser). Traces on F5 showing loads of resent requests etc. suggesting the traffic is not getting through as it should."

    Where did you test from? Was it internal or external VLAN?

    "I don't have access to the F5, but I have been assured the virtual server and pool are pretty basic configurations - nothing too fancy."

    I think it might be easier if you can post the configuration.

    "Also, with the i-VIP configured with a web VLAN address, we are unable to ping it (ICMP is enabled). We are also unable to ping the F5's interface IP address on the web VLAN. However, as there is a 2nd F5 set up in active/passive failover ... we can ping its internal interface IP AND we can ping the floating IP. Each F5 can ping ALL of the other F5's IPs too. However, both of our web servers cannot ping the two IPs mentioned above."

    You are not using a packet filter (in BIG-IP), are you?

  • Thanks for your reply.

    The test is from the web servers to the internal VIP. So, effectively, from the web servers the traffic targets this i-VIP which then should load balance to the pool members (the same web servers) and direct the traffic back to the web servers again.

    I might be able to post the config, but I will need to try to get that from the client (and replace all the client-specific info).

    I am not sure ... I have enquired and am awaiting a response.

    Jason