
L2 strange issue

james_72
Level 1

Dear experts

My customer has the following very simple infrastructure:


Internet - Firewall – Lan - Load balancer – Lan – hypervisor- VM


It sometimes happens that the VM no longer responds to the load balancer for external IP addresses until, on the load balancer, source NAT (SNAT) is enabled for the internet traffic and then SNAT is removed again.

Something like an action that prompts the VM to refresh its ARP.

Meanwhile, the health check from the load balancer to the VM in the same LAN subnet never stops working.


Has anybody ever encountered the same problem in VM environments?

Any ideas?


Thanks in advance

James

2 Replies

pman
Spotlight

Hi,

To save time I will ask some questions that may also help you reach a solution, and I will also give some suggestions.

Questions:

1. What type of NLB do you use?
2. If you turn off SNAT, does the VM see the original source address of the client?
3. What is the default gateway of the VM?
4. Is the internal leg of the NLB located on the same network/LAN as the VM?


Suggestions:
When you turn off SNAT, the VM sees the original source address of the client, so you need to check that the VM has a route back to the client's original source address.

Could the problem be asymmetric routing, where the FW is dropping the traffic as spoofed, for example?

In this case you need to add a static route which points to the VIP of the NLB.
This way you ensure a symmetrical route from the VM back to the client.


In addition, the health check never stops working because it is sent from the leg of the NLB. In your case you mentioned that the VM is on the same LAN as the NLB, so settings made on the virtual server (like the SNAT option) do not affect the health check.
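The reasoning in the reply above (reply traffic follows the VM's own routing table, so without SNAT the reply to an internet client may leave via a different device than the one that delivered the request, while a health check sourced from the NLB's self IP is always on-link) can be checked with a small routing-table model. This is an added example, not code from the thread or from F5; the addresses are constructed (VM 10.0.20.10/24, NLB internal self IP 10.0.20.5, firewall 10.0.20.1, internet client 203.0.113.50) and the three routing tables are assumptions standing in for the customer's real configuration.

```python
import ipaddress

# Constructed topology (assumptions, not the customer's real addressing):
# Internet client 203.0.113.50 -> firewall 10.0.20.1 -> NLB self IP 10.0.20.5 -> VM 10.0.20.10
VM_SUBNET = ipaddress.ip_network("10.0.20.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
FW_IP = ipaddress.ip_address("10.0.20.1")
LB_SELF_IP = ipaddress.ip_address("10.0.20.5")
CLIENT_IP = ipaddress.ip_address("203.0.113.50")

# Routing tables as (network, gateway) pairs; gateway None means directly connected.
ROUTES_GW_FIREWALL = [(VM_SUBNET, None), (DEFAULT, FW_IP)]          # VM default gateway = firewall
ROUTES_GW_LB = [(VM_SUBNET, None), (DEFAULT, LB_SELF_IP)]           # VM default gateway = NLB (as in the thread)
ROUTES_STATIC_VIA_LB = ROUTES_GW_FIREWALL + [(ipaddress.ip_network("203.0.113.0/24"), LB_SELF_IP)]


def next_hop(routes, dst):
    """Longest-prefix match: return the gateway for dst, or None if dst is on-link."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_path(routes, request_src):
    """Where the VM sends its reply to a packet that arrived with source request_src."""
    gw = next_hop(routes, request_src)
    return "on-link" if gw is None else str(gw)


def symmetric(routes, request_src, lb_ip=LB_SELF_IP):
    """True if the reply goes back through the NLB that delivered the request.

    That is the case when the VM routes the reply to the NLB's self IP, or when the
    request source was itself on the VM's LAN (SNAT automap, health check) so the
    reply is delivered directly on the shared L2 segment.
    """
    gw = next_hop(routes, request_src)
    return gw == lb_ip or (gw is None and request_src in VM_SUBNET)


def scenarios():
    """Request source seen by the VM in each case, and whether the reply path is symmetric."""
    return {
        # SNAT off, VM default gateway is the firewall: reply bypasses the NLB (asymmetric).
        "snat_off_gw_firewall": symmetric(ROUTES_GW_FIREWALL, CLIENT_IP),
        # SNAT on (automap): the VM sees the NLB self IP as source, replies on-link.
        "snat_on_gw_firewall": symmetric(ROUTES_GW_FIREWALL, LB_SELF_IP),
        # SNAT off, but a static route for the client range points at the NLB.
        "snat_off_static_via_lb": symmetric(ROUTES_STATIC_VIA_LB, CLIENT_IP),
        # SNAT off, VM default gateway is the NLB itself (the poster's setup).
        "snat_off_gw_lb": symmetric(ROUTES_GW_LB, CLIENT_IP),
        # Health check is sourced from the NLB self IP, so it is on-link regardless of SNAT.
        "health_check": symmetric(ROUTES_GW_FIREWALL, LB_SELF_IP),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} symmetric={ok}")
```

The `snat_off_gw_firewall` case is the one the reply warns about: the firewall receives a reply for a flow it handed to the NLB, so a stateful firewall may drop it. In the poster's setup the VM's default gateway is the F5 itself, which is the `snat_off_gw_lb` row; the model says that path is already symmetric, so the routing table alone does not explain the outage there.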


Hi

for your questions:


1) it's F5 BIGIP

2) yes

3) the F5 internal backend

4) yes, same LAN (L2)


Thanks