Forum Discussion
F5 Virtual Edition AWS Internet Routing
I have a Virtual F5 fronting some internet-facing services with elastic IPs that then get routed to internal AWS hosts, and that all works fine. My instance has multiple interfaces: eth0 being the management VLAN (10.0.2.1), eth1 being "external" (a subnet that has a security group that allows external internet connectivity), and subsequent interfaces for different lab subnets.

I've been approached to create an APM VIP where the node is external to my VPC; however, my F5 can't seem to route to the internet. I have a default route set with the destination set as 0.0.0.0 set to "Use Gateway" and I provide the gateway address of the "external" interface (10.0.5.1). If I ssh to the F5 itself and attempt to ping an external host, it resolves DNS but then times out. If I force ping to use the management interface, eth0, it works no problem (I opened up the security group on the management subnet earlier attempting to troubleshoot this issue).

Obviously I don't want to route traffic through my management interface, but I can't seem to understand why I can't route traffic through the default gateway on my "external" interface. I am able to ping that gateway from the F5, and I can communicate with hosts on that subnet. Here is the route table:
[root@ip-10-0-2-150:Active:Standalone] config route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
127.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tmm0
127.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt_bp
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 9 0 0 eth0
10.0.102.0 0.0.0.0 255.255.255.0 U 0 0 0 F5_EAST_VIP1
10.0.103.0 0.0.0.0 255.255.255.0 U 0 0 0 F5_EAST_VIP2
10.0.100.0 0.0.0.0 255.255.255.0 U 0 0 0 F5_WEST_VIP1
10.0.101.0 0.0.0.0 255.255.255.0 U 0 0 0 F5_WEST_VIP2
10.0.5.0 0.0.0.0 255.255.255.0 U 0 0 0 External
127.7.0.0 127.1.1.254 255.255.0.0 UG 0 0 0 tmm0
0.0.0.0 10.0.5.1 0.0.0.0 UG 0 0 0 External
0.0.0.0 10.0.2.1 0.0.0.0 UG 9 0 0 eth0
I have a single route table for the VPC that includes all subnets, and a single route domain on the F5 that includes all VLANs.
2 Replies
- Andy_McGrath
Cumulonimbus
This sounds more like an AWS VPC issue than an F5 issue. Do you have another system using the same VPC route with your AWS environment to test internet access with?
- Johnny_Test_197
Nimbostratus
It wasn't the VPC. It ended up that even though the "external" interface was on an external VLAN at the time of provisioning, it didn't get a public IP assigned. Once I attached an elastic to that interface, everything started routing properly.
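
The condition that resolved this thread (a subnet whose default route points at an internet gateway, attached to an interface with no public or elastic IP) can be checked from the AWS side. The following is an added example, not part of the original thread: it evaluates data in the shape returned by aws ec2 describe-route-tables and aws ec2 describe-network-interfaces, and every ID, CIDR and address in the sample data is a constructed placeholder.

```python
# Constructed sample data in the shape of the EC2 API output; all IDs and
# addresses are placeholders modelled on the subnets named in the thread.
SAMPLE_ROUTE_TABLES = [{
    "RouteTableId": "rtb-example",
    "Associations": [{"Main": True}],  # single VPC-wide table, as in the post
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
    ],
}]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-mgmt-example", "SubnetId": "subnet-mgmt",
     "PrivateIpAddress": "10.0.2.150",
     "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-external-example", "SubnetId": "subnet-external",
     "PrivateIpAddress": "10.0.5.10"},  # no Association: no public/elastic IP
]

def default_route_target(route_tables, subnet_id):
    """Return the 0.0.0.0/0 target for a subnet, falling back to the main table."""
    main = explicit = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    table = explicit or main
    if table is None:
        return None
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def egress_report(enis, route_tables):
    """Map each interface ID to an egress status for its primary private IP."""
    report = {}
    for eni in enis:
        target = default_route_target(route_tables, eni["SubnetId"])
        public_ip = eni.get("Association", {}).get("PublicIp")
        if target is None:
            report[eni["NetworkInterfaceId"]] = "no default route"
        elif target.startswith("igw-") and not public_ip:
            # An internet gateway only forwards traffic for addresses that
            # have a public IP mapping, so this interface cannot egress.
            report[eni["NetworkInterfaceId"]] = "igw route but no public IP"
        else:
            report[eni["NetworkInterfaceId"]] = "ok"
    return report
```

The check covers only the primary private IP of each interface; secondary addresses carry their own association under PrivateIpAddresses in the same output.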