For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mubasher_Sultan's avatar
Mubasher_Sultan
Icon for Nimbostratus rankNimbostratus
Sep 09, 2013

F5-LTM - Connections are passing through Standby Device

Dear Folks,

 

I am doing a deployment of F5 LTM + Version ( BIG-IP 11.4.0 Build 2419.0 Hotfix HF3 ).

 

Things are working good... But, Connections are passing from Standby always? My infrastructure is Juniper based. Do i have to assign the static arp? I think gratituous arp is not working.

 

any comment or feedabck on this

 

Regards, Mubasher

 

deployment

7 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Sep 09, 2013

    where did you see traffic passing through standby unit e.g. tcpdump, statistics, etc?

     

  • Mubasher_Sultan's avatar
    Mubasher_Sultan
    Icon for Nimbostratus rankNimbostratus
    Sep 09, 2013

    I checked it from

     

    sh sys connection cs-server-addr 1.1.1.1 cs-server-port 443

     

    Also on statistics.....

     

  • StephanManthey's avatar
    StephanManthey
    Icon for Nacreous rankNacreous
    Sep 09, 2013

    Make sure your virtual addresses are assigned to traffic-group-1.

     

    In case your floating self IP, VIP, SNAT, NAT or whatever virtual address is assigned to traffic-group-local-only, I guess.

     

    I.e. for a virtual IP address associated with a virtual server it should look as follows:

     

    [root@bigip171:Active:Standalone] config tmsh list ltm virtual-address

     

    ltm virtual-address 10.131.131.109 {

     

    address 10.131.131.109

     

    mask 255.255.255.255

     

    traffic-group traffic-group-1

     

    }

     

    Lookup the virtual address settings in the tab associated with the virtual server settings or simply modify from CLI with:

     

    tmsh modify ltm virtual-address your_ip_address_here traffic-group traffic-group-local-1

     

    Dont forget to:

     

    tmsh save sys config

     

    tmsh run cm config-sync to-group device-group-failover (Perhaps you need to replace the device group name)

     

  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Sep 09, 2013

    I checked it from

     

    sh sys connection cs-server-addr 1.1.1.1 cs-server-port 443

     

    Also on statistics.....

     

    are you using connection mirroring?

     

    can you run tcpdump on standby unit and check what packet's destination mac address is?

     

    • Shiraz_84431's avatar
      Shiraz_84431
      Icon for Nimbostratus rankNimbostratus
      Jan 13, 2017

      Hi Nitass,

       

      I have same issue and when I checked using the tcpdump on standby unit, I see the destination MAC as the Active device MAC. and yes, the connection mirroring is enabled on all the virtual server.

       

      Is it normal behaviour to have the connections including the traffic itself on standby device when connection mirroring is enabled??

       

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Sep 09, 2013

    I checked it from

     

    sh sys connection cs-server-addr 1.1.1.1 cs-server-port 443

     

    Also on statistics.....

     

    are you using connection mirroring?

     

    can you run tcpdump on standby unit and check what packet's destination mac address is?

     

    • Shiraz_84431's avatar
      Shiraz_84431
      Icon for Nimbostratus rankNimbostratus
      Jan 13, 2017

      Hi Nitass,

       

      I have same issue and when I checked using the tcpdump on standby unit, I see the destination MAC as the Active device MAC. and yes, the connection mirroring is enabled on all the virtual server.

       

      Is it normal behaviour to have the connections including the traffic itself on standby device when connection mirroring is enabled??