Forum Discussion

mdaghrir
Mar 28, 2019

Issue with servers on the same subnet as pool of SMTP nodes

We built a load balanced virtual server with three SMTP nodes. All the nodes have a virtual server as their gateway in order to keep the original IP of the client.
Everything works perfectly except that other servers in the same subnet as the nodes cannot access SMTP. We attempted to resolve the issue by using an iRule that enables SNAT when the client IP is from the same subnet, but that resolved the issue only for physical servers; the other virtual servers in Hyper-V were experiencing intermittent connections to SMTP.
I enabled logging on the iRule and I see an entry from the virtual server only when the SMTP connection is successful.
Does anyone have an idea what may be the issue?
1 Reply

  • Hamish

    Yeah. Presumably the nodes on the same VLAN as the SMTP servers are using the VS to talk to SMTP. So the traffic from client to server goes via the BigIP. However, because the SMTP servers are on the same VLAN as the client, the return traffic goes direct to the clients instead of via the BigIP.
    That means the bigip only sees 1 path. And because bigip is a full proxy it wants to see the client to VS as 1 connection and bigip to SMTP as a second connection. Because it only sees half of both, the connections don't work.
    You have a couple of choices:
    1. Implement policy routing on the SMTP servers. Override the return traffic so ALL SMTP traffic goes back via the BigIP and not direct, even when the client is on the same subnet. (Presumably you actually mean the SMTP servers have a floating IP as their gateway, not a VS).
    2. You could implement the LB as n-path... But that would assume you don't want to do anything with the traffic other than LB'ing it.
    3. SNAT the traffic for clients on the same VLAN. That should have worked fine. I'd probably look at it again because intermittent problems sound like something else was broken. Or the SNAT wasn't quite right.
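As an added illustration (not code from either poster), here is an iRule of the kind the question describes and option 3 refers to: it applies SNAT only to clients inside the pool's subnet, so their return traffic is forced back through the BIG-IP instead of short-cutting across the VLAN, and it logs both branches so that a connection that never triggers SNAT still leaves a trace. The subnet 10.1.2.0/24 and the log wording are constructed assumptions.

```tcl
# Added example, not from the thread. Assumes the SMTP pool members and
# the affected clients sit in 10.1.2.0/24 (constructed subnet).
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.1.2.0/24] } {
        # Same-subnet client: without SNAT the SMTP server would answer
        # directly on the VLAN and the full proxy would see only half of
        # each connection. Automap rewrites the source to the egress
        # self IP, so the server routes its replies back to the BIG-IP.
        # Trade-off: the server's mail logs record the self IP, not the
        # original client, for these connections only.
        snat automap
        log local0. "SNAT applied: client [IP::client_addr]:[TCP::client_port] -> VS [IP::local_addr]:[TCP::local_port]"
    } else {
        # Off-subnet client: keep the original source address so the
        # SMTP server, using the BIG-IP as its gateway, still sees the
        # real client IP and its reply path is symmetric.
        snat none
        log local0. "No SNAT: client [IP::client_addr]:[TCP::client_port] -> VS [IP::local_addr]:[TCP::local_port]"
    }
}
```

If a same-subnet client's attempt produces no log line at all, the connection never reached the virtual server, which points at the path between client and BIG-IP rather than at the SNAT itself.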