Forum Discussion
davidy2001
Cirrus
CirrusDestination address at F5
Hi I have question when I create virtual server. Please see the below sreenshot where there is "Destination Address/Mask". Is this address gateway located at outside of the F5 or address of the virtu...
Hi davidy2001 ,
> ICMP option is on virtual address list tab , see the below snap shot :Select your virtual server address and you will find the ICMP option and make it " disabled".
and try again.
> Or do it Cli ,
write this command on Tmsh prompt
( modify ltm virtual-address 10.0.30.254 icmp-echo disabled )
and try again
Look to this snap shot as well :Hi davidy2001 ,
it is not weired , each virtual server is only responsible for its nodes and when you disable icmp echo on " 10.0.30.254" virtual server this option is related only to this virtual server , and other virtual servers do not impacted by your change , you will find the option of icmp-echo still as default always on all virtual servers except " 10.0.30.254 virtual server "
> For command , you wrote the command wrong , you need to write 10.0.30.254 instead of 10.0.30.1.
> this a special configuration for your environment , as the most deployed that F5 as a loadbalancer servers real servers not routers but of course everything is doable and available in F5 to handle your traffic on the way you want.
- my configuration was a workaround for your environment and " this virtual server 10.0.30.254" is the only object will be impacted to solve your issue with routes , and the rest of your applications and services run without impact.
Tydavidy2001 ,
Also Note , When you change the virtual server IP only , the new virtual address added in statistics Page , Also you will find the in new virtual address the ( " icmp-echo" option returned to " always" ) again , so you will change it again.
> it is not good to change the virtual server ip address , you can create a new one instead of swapping ip , because existance of active session.
> Also , if you follow the scenario of swapping virtual server ip , run this command
" show sys connection cs-server-addr" , it will show to you that the traffic flow is correct and as expected.
Tydavidy2001In all honesty if you are trying to figure out how the BIG-IP works I would configure VMs behind it rather than routers because it seems like you would want to use the BIG-IP in the closest way you intend to in the future. Most deployments of the BIG-IPs are for websites and applications rather than ICMP to routers. Don't get me wrong here because you can do all sorts of things on the BIG-IP but if your intent is to learn it I think the best way to start is the closest thing that everyone typically uses them for which is application load balancing or website load balancing. You can perform tcpdumps on the BIG-IPs to see traffic traversing it as well as a wireshark (windows) or tcpdump (linux) on the destination servers to see the traffic flow. This is a great exercise that you posted just to learn something one off but not where I would have started to learn about them.
Hi davidy2001 ,
How are you ,
> you need to remove TCP profile and choose all protocols , because you are transferring icmp packets not a connection based on TCP :
check the below snap shot and tell me your feedback :Hope this help you and waiting your response.
Hi davidy2001 ,
well ,
> you do not see the ICMP packet in internal nodes " 2 routers (2725-2 , 2725-3 ) " because F5 appliance itself responds to icmp packets and never let it pass to your routers in the orther side , this is the default behavior of F5 system.
in this Case we need to change some configuration over the virtual server it self , and make F5 to not take any action or responds to Ping packets.
> Firstly , Configure your virtual serevr " ping-vs" as below :
you can let its type as standard or performance layer 4 , but I prefer performance layer 4 because there is no need to make it standard.
> After that , go to ( local traffic > on virtual server Tab , Choose virtual address list > select your Virtual server which behind it your routers " 10.0.30.254 ". }
and change (" icmp echo " as disabled ) you will find it " Always" by default .
so , your Configuration should be like this :
Click Update and exit.
> Try to ping your virtual server" 10.0.30.254" again , it should pass this traffic to one of your " internal nodes routers ( 10.0.20.2 , 10.0.20.3 ).
Also Check this snap shot from my lab enviroment :
( my pc ip : 10.10.10.1 , tries to ping "10.10.10.5" the virtual server that I attached in first snap shot , 30.30.30.2 is the seld ip address in the internal servers subnet and 30.30.30.30 is my internal node. )
- show sys connection cs-client-addr , is a tmsh script to see the active connections from this ip over my F5 device .
Try to do this and tell me your status feedback.
Thanks.
davidy2001Cirrus
CirrusMohamed_Ahmed_Kansoh Thanks for your reply! Please see below screenshot: user 3725-1(10.0.30.1) and virtual server(10.0.30.254) can ping each other, but the command show sys connection cs-client-addr 10.0.30.1 shows nothing. Maybe issue is here.
Secondly, my F5 is version 15.1. Looks like it does not show ICMP options. I checked the page at all, and cannot find the ICMP option. Please see below. Not sure if the option is cancaled
Hi davidy2001 ,
> ICMP option is on virtual address list tab , see the below snap shot :Select your virtual server address and you will find the ICMP option and make it " disabled".
and try again.
> Or do it Cli ,
write this command on Tmsh prompt
( modify ltm virtual-address 10.0.30.254 icmp-echo disabled )
and try again
Look to this snap shot as well :- davidy2001
> ICMP option is on virtual address list tab , see the below snap shot : Yes, right. After changing ICMP Echo from default Always to Disabled, the node can receive ping traffic from F5. but the name Disabled is weired. It should be Enabled which can cause ping echo.
Hi davidy2001 ,
it is not weired , each virtual server is only responsible for its nodes and when you disable icmp echo on " 10.0.30.254" virtual server this option is related only to this virtual server , and other virtual servers do not impacted by your change , you will find the option of icmp-echo still as default always on all virtual servers except " 10.0.30.254 virtual server "
> For command , you wrote the command wrong , you need to write 10.0.30.254 instead of 10.0.30.1.
> this a special configuration for your environment , as the most deployed that F5 as a loadbalancer servers real servers not routers but of course everything is doable and available in F5 to handle your traffic on the way you want.
- my configuration was a workaround for your environment and " this virtual server 10.0.30.254" is the only object will be impacted to solve your issue with routes , and the rest of your applications and services run without impact.
Ty