Forum Discussion

Matt_D_109285

May 05, 2009

Load Balance Outbound Connections

I have a Big-IP v. 4.5

I used to have it load balance inbound traffic for a website. I just erased the config and need to use it to load balance outbound SMTP connections. Pretty simple setup, I just want to be able to give the email clients a single address (of the LB) and have the LB select by round robin an SMTP server to use. The SMTP servers do not require authentication. I tried, but it does not seem to work. Can anybody give me some tips or instructions on how to do this?

Thanks in advance,

Matt

3 Replies

  • Hi Matt,

    Without knowing the topology and knowing where the client and SMTP servers are in relation to the topology it will be hard to guide as to what you did wrong and which direction we can advise you on this forum.

    CB

  • Right now I am open to advice on best practices. The topology I was using was quite simple.

    Ex.

    Mail Client: 10.0.0.10
    F5 Big IP: 10.0.0.20
    SMTP Servers: 10.0.0.21-25

    The SMTP Servers are NAT'd through the firewall and have public addresses. The topology was flat, I had just created a pool with the SMTP servers and assigned it an IP address on the F5. I pointed the Mail Client to the F5 as the SMTP server. The SMTP servers do not require authentication and this will strictly be for outbound email.

    Thanks in advance.

    Matt

  • Hi Matt,

    So, what's happening is:

    10.0.0.10 makes a connection to 10.0.0.20. The LTM selects a server, let's say 10.0.0.22, and sends the connection to it. If everything is left at default, the LTM preserves the source address of 10.0.0.10 from the client.

    So, 10.0.0.22 goes to respond to 10.0.0.10, which, since it's on the same subnet, it can do directly without going back through the LTM.

    10.0.0.10 receives the packet from 10.0.0.22 and drops it, because he never opened a connection to 22, he opened it to 20.

    You must always SNAT connections like this to prevent an asymmetrical packet path. SNAT will change the source IP to an address that lives on the LTM (you can either define an address or use Automap, which uses the self-IP of the LTM). That way, when 10.0.0.22 goes to respond to the client, he thinks it's the SNAT address and therefore sends the response back to the LTM, which in turn responds back to the client, which is where the client expects the response to come from.

    Denny
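To make the asymmetric-path explanation above concrete, here is an added simulation (not from the thread and not F5 code) of one round-robin pass over the pool from the topology in this thread, with and without SNAT. The SNAT address 10.0.0.30 is an assumed value standing in for a defined SNAT address or the Automap self-IP.

```python
from itertools import cycle

CLIENT = "10.0.0.10"                 # mail client, from the thread
VIP = "10.0.0.20"                    # virtual server address on the F5, from the thread
POOL = [f"10.0.0.{h}" for h in range(21, 26)]  # SMTP pool members 10.0.0.21-25
SNAT_ADDR = "10.0.0.30"              # constructed: an address owned by the LTM (Automap would use the self-IP)

def forward_to_member(member, snat):
    """Packet the LTM sends to the chosen pool member, as (src, dst).

    By default the LTM keeps the client's source address; with SNAT the
    source is rewritten to an address that lives on the LTM.
    """
    return (SNAT_ADDR if snat else CLIENT), member

def member_reply(member, seen_src):
    """The server answers whatever source it saw; on this flat subnet it does so directly."""
    return member, seen_src

def deliver(reply_src, reply_dst, open_conns):
    """Return True if the client's TCP stack accepts the reply.

    A reply addressed to the SNAT address lands on the LTM, which translates
    it back to VIP -> client. A reply sent straight to the client is matched
    against the (local, remote) pairs the client actually opened.
    """
    if reply_dst == SNAT_ADDR:
        reply_src, reply_dst = VIP, CLIENT
    return (reply_dst, reply_src) in open_conns

def simulate(snat):
    """One round-robin pass over the pool; maps member -> whether the client got a usable reply."""
    rr = cycle(POOL)
    outcome = {}
    for _ in POOL:
        member = next(rr)
        open_conns = {(CLIENT, VIP)}  # the client only ever opened a connection to the VIP
        fsrc, fdst = forward_to_member(member, snat)
        rsrc, rdst = member_reply(fdst, fsrc)
        outcome[member] = deliver(rsrc, rdst, open_conns)
    return outcome

if __name__ == "__main__":
    print("without SNAT:", simulate(False))  # every reply dropped by the client
    print("with SNAT:   ", simulate(True))   # every reply accepted
```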