For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jfrizzell_43066's avatar
jfrizzell_43066
Icon for Nimbostratus rankNimbostratus
Apr 01, 2011

F5 LTM VIP/STP Problem

We are currently experiencing an issue in our data center. We have two F5 LTM’s with VIPs for our database cluster and webservers. In the data center, we run HP ProLiant Servers with Fault Tolerant Load Balancing (TLB) NIC teams and two Cisco 3560E switches with Etherchannel Layer 2 trunks. We have two F5 LTMs that are currently in an Active/Standby configuration. On the first LTM, we have interface 1.1 going to switch 1 and interface 1.2 going to switch 2. On the second LTM, we have the same configuration. Please see the simplified topology concerning the connection to the switches.

 

 

Over the weekend, we removed foundry switches and replaced those with the Cisco 3560E’s. Since this change over we have had a few issues with no resolution to date. First, when we try to access the VIP for our webservers on the F5 LTM by HTTP/HTTPS it does not resolve. If we try to access the LTMs HTTPS web address, it does not resolve either. However, we can access all servers using their physical address with HTTP/HTTPS. What is really weird is that we can ping the VIP and LTM address. We do not currently have an access-list on any device denying this traffic. Also, when we removed a NIC from the team, we could resolve the VIP and LTM by HTTP/HTTPs. The second issue is that spanning-tree is blocking the redundant interfaces on our second switch. Not sure why this is happening if the LTM is in an Active/Standby state and it must be noted that we are using STP pass through.

 

 

Hopefully someone reading this has experienced this before or has an idea/suggestion for a resolution. We have opened a ticket with F5, but no resolution yet. We opened a case with Cisco TAC and they have reviewed the switch configuration and everything looks good.

 

config
design

25 Replies

Show More
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jul 01, 2014

    It actually broke connections coming in via another VLAN through a firewall, so we just configured another VIP on that VLAN. So ended up with 2 VIPs, with same IP, with different source vlans and different "auto last hop" settings.

     

    may auto lasthop setting on vlan object be useful?

     

    sol13876: Overview of the Auto Last Hop setting (11.x)

     

    http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13876.html

     

  • Sumanta_88744's avatar
    Sumanta_88744
    Icon for Cirrus rankCirrus
    Jan 22, 2015

    Hi Experts

     

    I have a similar issue in which after giving MAC masquerade address in traffic group 1, the Cisco Catalyst switch towards the ingress port doesn't learn it in ARP table. However, when I remove this configuration from the F5, it works fine on physical MAC of the active F5 interface.

     

    Anything to suspect on Cisco Catalyst IOS?

     

    Regards,

     

    Sumanta.

     

  • David_Jones_227's avatar
    David_Jones_227
    Icon for Nimbostratus rankNimbostratus
    Sep 29, 2016

    Just wanted to add my $.02. We are migrating from Cisco ACE to F5's. Mix of Viprion's and appliances. Running 11.6.1 HF1. Have had two cases now where a week plus after converting apps over to F5 (F5 is the layer 3 gw for the servers btw), they started having performance problems. Seemed to be only physical servers, with multiple nics and using teaming (HP servers).

     

    I noticed that servers that were working fine must have been configured for NFT (use only one nic at a time) because their mac never changed, and they had no issues. Servers that were using multiple nics simultaneously, had problems.

     

    Found this thread and disabled auto last hop on the server side vlan only and it immediately resolved the issue.

     

    Thanks everyone.