Forum Discussion

Porsha21_316097
Apr 04, 2017

F5 Firewall & Load Balancer Issue (How to modify the source for a health monitor?)

Hi All - Can someone give us a solution to this problem/issue?


(Diagram: Current Setup)


The server has this current setup: the same box with two or more Ethernet NICs on separate subnet IPs. Let's say the default gateway is via IP1, and those via IP2 are just specific static routes going to the source IPs (including source NATs/automaps) inside the LB.


The traffic flow is like this: users from the internet access the VS inside the LB; it passes the firewall, a static route defined inside the L3 switch goes to the IN of the F5, and the source is NATed to either the OUT1 or OUT2 IP. If destined to IP1 it will be OUT1, and if destined to IP2 it will be OUT2. The web server responds to OUT1 via the default gateway and to IP2 via a specific static route defined inside the server.


This is the current setup of the design, wherein the firewall and load balancer (F5) are separate boxes, in separate routing domains.


(Diagram: New Setup)


This is the new setup: the firewall and load balancer are now running in the same routing domain. Hence we come up with some limitations with respect to the web server's current setup.


  1. Creating multiple inside interfaces (interfaces facing the server pools) will create an asymmetric routing issue on the firewall.
  2. The health monitor going to IP2 is not coming UP, due to the default behavior of the F5 load balancer, which is that the egress interface (Self IP) is used for the IP2 health monitor; we cannot add a static route going to the F5 FW/LB egress interface since it will again bring down IP1.

Since the plan is to replace the firewall and move it onto the same box, which is the F5 (LB/firewall).


Since the health monitor is the only issue we can see for now: is there a way on the F5 platform to change the health monitor source to something other than the default egress interface chosen from the routing table?


It's something like this: the default health monitor behavior is "ping IP2"; what if there's a way in F5 to use this extended ping, "ping IP2 source ."? We would just use the specific interface OUT2 inside the F5 for health monitoring.



Thanks to anyone who responds to this.