What does an F5 LTM use as its Source IP address to perform healthcheck monitors

I was discussing some F5 LTM Healthcheck Monitor capabilities with a colleague of mine at work the other day, when he brought up a great question.

What does an F5 LTM use for a source IP address when connecting to pool members for the healthcheck monitor service? Especially on a Multi-Network setup.

To answer this question we have to consider the typical LTM cluster setup. LTMs are usually deployed in pairs of two (2), one acting as the Active unit and the other as the Standby unit. Each unit has its own Self IP for each “network leg” it is attached to. The Active and Standby units also share a “Floating IP address”, which is used for the backend traffic to pool members. But back to the question; let’s use the following example:

Networks:

LTM 1 – Self IPs

LTM 2 – Self IPs

As you can see we have 3 network segments and a single /22 which I’ve designated for VIPs. I’m not sure you would ever segregate this small; it truly depends on your situation and how flat your network is.

A Pool Monitor is unique only in its monitor type; the target IP address and port are defined by the pool itself. The source IP address and/or interface the F5 uses to send the Monitor out depends on its own routing table and Self IP list. If the target of the Monitor is on one of the F5’s Self IP networks, the F5 will choose that Self IP address and interface to send it out. However, if none of the Self IPs is part of the same network as the Monitor’s target, the F5 will use its routing table and default gateway to send the Monitor and traverse the network to its target.

Back to the example:

So, a Monitor request being sent for Member 1 will have the source address of 192.168.0.1 from LTM1 and 192.168.0.2 from LTM2. The Member’s network log will see two identical requests from two different sources, one from LTM1 and one from LTM2. The same goes for Member 2, except each LTM uses its corresponding source IP on the 192.168.100.0/24 network. The last member, Member 3, is not on any of our interfaces’ networks. Therefore, by default, the F5 LTM will use the default gateway from its routing table to reach the target pool member.
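The selection logic above matters when you write host firewall rules or ACLs on pool members, because the probes arrive from each unit's Self IP and not from the floating address. The following is an added example, not code from the original post or from F5: only 192.168.0.1, 192.168.0.2 and 192.168.100.0/24 come from the post, while the /24 masks, the third leg, the gateway and the member addresses are constructed, and it assumes a routed probe is sourced from the Self IP on the leg that reaches the gateway.

```python
import ipaddress

# Non-floating Self IPs per unit. Floating addresses are left out on purpose:
# the post's point is that they are not used for monitors.
# Constructed data except 192.168.0.1, 192.168.0.2 and 192.168.100.0/24.
SELF_IPS = {
    "LTM1": ["192.168.0.1/24", "192.168.100.1/24", "10.0.0.1/24"],
    "LTM2": ["192.168.0.2/24", "192.168.100.2/24", "10.0.0.2/24"],
}
DEFAULT_GATEWAY = "10.0.0.254"  # assumed, reachable on the 10.0.0.0/24 leg


def monitor_source(self_ips, gateway, member):
    """Return (source_ip, path) for a health-check probe sent to `member`."""
    target = ipaddress.ip_address(member)
    legs = [ipaddress.ip_interface(s) for s in self_ips]

    # Member is on a directly connected network: use that leg's Self IP.
    # If several legs match, the most specific prefix wins.
    connected = [leg for leg in legs if target in leg.network]
    if connected:
        best = max(connected, key=lambda leg: leg.network.prefixlen)
        return str(best.ip), "connected"

    # Otherwise the probe is routed through the default gateway and leaves
    # from the leg that can reach that gateway (assumption, see lead-in).
    gw = ipaddress.ip_address(gateway)
    for leg in legs:
        if gw in leg.network:
            return str(leg.ip), "via default gateway"
    raise ValueError("default gateway is not on any Self IP network")


def expected_monitor_sources(member):
    """Source addresses a pool member should allow, one per unit in the pair."""
    return {
        unit: monitor_source(ips, DEFAULT_GATEWAY, member)[0]
        for unit, ips in SELF_IPS.items()
    }


if __name__ == "__main__":
    # Constructed member addresses for Member 1, 2 and 3 of the example.
    for member in ("192.168.0.50", "192.168.100.50", "172.16.5.10"):
        print(member, expected_monitor_sources(member))
```

Both addresses returned for a member belong in that member's allow-list, since the Active and Standby units probe independently.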

Notes:
The F5 does not use its floating IP address to monitor pool members!!


  1. FirearmTutorials.com /

    Thanks for sharing this. I’ve been playing with some custom monitors on 11.6 and this makes a lot of sense now.

  2. AJ /

    Thanks for this. Just so that I’ve understood this correctly: in an HA solution, the health check will be sourced from the self IPs of the interface the VLAN is in, on both of the LTMs, correct?

    Next question here, and it’s kind of off-topic, but for SNAT automap, am I right in saying the floating IP of the VLAN the VS is in is used for this?

    1. thejimmahknows / Post Author

      Correct. The Self IPs are used by each F5 in the HA pair to conduct and perform health checking independently.

      Yes, SNAT Automap does automatically use the floating address you’ve assigned within the Virtual Server or VIP’s VLAN and traffic-group.

    2. thejimmahknows / Post Author

      Yes, SNAT automap uses the floating IP to make the server-side connection.

      See this capture where 10.10.1.101 is the client connecting to the F5 VIP of 10.1.1.50 on port 80. The server-side connection connects using the floating IP of 10.2.2.5 to the pool member 10.2.2.17 on port 80.

      11:58:15.108177 IP 10.1.1.101.57958 > 10.1.1.50.80: Flags [.], seq 4126562:4128010, ack 161, win 23, options [nop,nop,TS val 7147147 ecr 1385591141], length 1448
      11:58:15.108186 IP 10.1.1.101.57958 > 10.1.1.50.80: Flags [.], seq 4126562:4128010, ack 161, win 23, options [nop,nop,TS val 7147147 ecr 1385591141], length 1448
      11:58:15.108240 IP 10.1.1.101.57958 > 10.1.1.50.80: Flags [.], seq 4126562:4128010, ack 161, win 23, options [nop,nop,TS val 7147147 ecr 1385591141], length 1448
      11:58:15.108283 IP 10.2.2.5.48282 > 10.2.2.17.80: Flags [P.], seq 4126562:4128010, ack 161, win 1493, options [nop,nop,TS val 1385591154 ecr 672935845], length 1448
      11:58:15.108287 IP 10.2.2.5.48282 > 10.2.2.17.80: Flags [P.], seq 4126562:4128010, ack 161, win 1493, options [nop,nop,TS val 1385591154 ecr 672935845], length 1448
