I was discussing some F5 LTM Healthcheck Monitor capabilities with a colleague of mine at work the other day, when he brought up a great question.
What does an F5 LTM use for a source IP address when connecting to pool members for the healthcheck monitor service? Especially on a Multi-Network setup.
To answer this question we have to consider the typical LTM cluster setup. LTMs are usually deployed in pairs of two (2), one acting as the Active unit and the other as the Standby unit. Each unit has its own Self IP for each “network leg” it is attached to. The Active and Standby units also share a “Floating IP address”, which is used for the backend traffic to pool members. But back to the question; let’s use the following example:
Networks:
192.168.0.0/24 (Pool Members)
192.168.100.0/24 (Pool Members)
10.0.0.0/22 (VIPs)
LTM 1 – Self IPs
192.168.0.1
192.168.100.1
10.0.0.1 (Identified as Default Gateway in Routing Table)
LTM 2 – Self IPs
192.168.0.2
192.168.100.2
10.0.0.2 (Identified as Default Gateway in Routing Table)
As you can see we have 3 network segments and a single /22 which I’ve designated for VIPs. I’m not sure you would ever segment this finely; it truly depends on your situation and how flat your network is. A Pool Monitor is only unique to its monitor type; the target IP address and port are defined by the pool itself. The source IP address and/or interface the F5 uses to send the Monitor out depends on its own routing table and Self IP list. If the Monitor target is on one of the F5’s Self IP networks, it will choose that Self IP and interface to send it out. However, if neither of the Self IPs is on the same network as the Monitor target, the F5 will use its routing table and default gateway to send the Monitor across the network to its target.
Back to the example:
Member1 = 192.168.0.4
Member2 = 192.168.100.4
Member3 = 10.32.45.3
So, a Monitor request being sent for Member1 will have the source address of 192.168.0.1 from LTM1 and 192.168.0.2 from LTM2. The Member’s network log will see two identical requests from two different sources, one from LTM1 and one from LTM2. The same goes for Member2, except each LTM uses its corresponding source IP on the 192.168.100.0/24 network. The last member, Member3, does not belong to any of our interfaces’ networks. Therefore, by default, the F5 LTM will choose its own default gateway from its routing table to reach the target pool member.
Notes:
The F5 does not use its floating IP address to monitor pool members!!
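The source-selection rule above (directly connected Self IP network first, otherwise the leg that reaches the default gateway), worked through for the example topology so that a pool member’s firewall rules or log review can anticipate both Self IPs of the HA pair. This is an added illustration, not F5 code: the gateway address 10.0.0.254 and the floating IPs are constructed assumptions the post does not state, and the default route is assumed to leave via the 10.0.0.0/22 leg.

```python
import ipaddress
from typing import List, Sequence, Set, Tuple

# Constructed topology mirroring the post: one Self IP per network leg.
LTM1_SELF_IPS = ["192.168.0.1/24", "192.168.100.1/24", "10.0.0.1/22"]
LTM2_SELF_IPS = ["192.168.0.2/24", "192.168.100.2/24", "10.0.0.2/22"]
# Assumed next hop of the default route (not given in the post).
DEFAULT_GATEWAY = "10.0.0.254"
# Assumed floating addresses; the post states these are never used for monitors.
FLOATING_IPS = ["192.168.0.3/24", "192.168.100.3/24", "10.0.0.3/22"]


def monitor_source(self_ips: Sequence[str], default_gateway: str,
                   target: str) -> Tuple[str, str]:
    """Return (source_ip, route_kind) for a monitor probe to `target`.

    route_kind is "connected" when the target sits on a Self IP network,
    otherwise "default-gateway" when the probe must be routed.
    """
    tgt = ipaddress.ip_address(target)
    ifaces = [ipaddress.ip_interface(s) for s in self_ips]

    # Directly connected leg: if several Self IP networks contain the target
    # (overlapping prefixes), the longest prefix wins, as in a routing table.
    connected = [i for i in ifaces if tgt in i.network]
    if connected:
        best = max(connected, key=lambda i: i.network.prefixlen)
        return str(best.ip), "connected"

    # No connected leg: follow the default route. The source address is the
    # Self IP on whichever leg can reach the gateway's next hop.
    gw = ipaddress.ip_address(default_gateway)
    for i in ifaces:
        if gw in i.network:
            return str(i.ip), "default-gateway"
    raise ValueError("default gateway is not reachable from any Self IP network")


def expected_monitor_sources(pair: List[Sequence[str]], default_gateway: str,
                             target: str) -> Set[str]:
    """Source IPs a pool member should expect for monitor traffic from an HA pair.

    Each unit health-checks independently, so both Self IPs appear; the floating
    IP never does.
    """
    return {monitor_source(self_ips, default_gateway, target)[0] for self_ips in pair}
```

Use the returned set when writing host firewall allow rules or tuning log alerts on pool members, since alerting on “unknown” probe sources will otherwise fire for the Standby unit’s Self IP.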
Sources:
Thanks for sharing this. I’ve been playing with some custom monitors on 11.6 and this makes a lot of sense now.
Thanks for this. So that I’ve understood this correctly: in an HA solution, the health check will be sourced from the Self IPs of the interface the VLAN is on, on both of the LTMs. Is that correct?
Next question here is, and it’s kind of off-topic, but for SNAT automap, am I right in saying the floating IP of the VLAN the VS is in is used for this?
Correct. The Self IPs are used by each F5 in the HA pair to conduct and perform health checking independently.
Yes, SNAT Automap does automatically use the floating address you’ve assigned within the Virtual Server’s (VIP’s) VLAN and traffic-group.
Yes, SNAT automap uses the floating IP to make the server-side connection.
See this capture where 10.10.1.101 is the client connecting to the F5 VIP of 10.1.1.50 on port 80. The server-side connection connects using the floating IP of 10.2.2.5 to the pool member 10.2.2.17 on port 80.