Forum Discussion
AltostratusF5 wildcard outgoing with default gateway pool issue
Hi F5 guys,
I configured a wildcard outgoing VS for internal user outgoing traffic, the VS has a gateway pool with ISP A and ISP B gateway address.
However, I found the outgoing always rely on one ISP, if I unplug or disable this ISP link will make the connection failure, it seems the link load balance purposes.
Could you please advise?
Thanks a lot,
Angus
youssef1Cumulonimbus
Hello Angus,
First of can you tell me if you set snat automap or snat pool on your VS? Additional I recommend you to set transparent monitor in order to validate that your ISP is functional (it has internet access).
Regards,
- Daniel_Varela
Employee
Please can you share the configuration: VS, pools etc? It is a bit odd that it only selects one ISP in your pool. Is there any irule in place?
cawong23_136311I set a wildcard VS with source 0.0.0.0 and dest 0.0.0.0, the pool is a gateway pool with 2 ISP link gateway (Round robin load balance). No any irule applied.
I keep ping the public IP and then unplug of the ISP link, the ping result will become destination host unreachable until one re-plug the ISP which I unplugged.
- Daniel_Varela
Can you send the output of tmsh list ltm pool you_pool and tmsh list ltm virtual your_virtual?
- cawong23_136311
ltm virtual vs_wildcard { destination 0.0.0.0:any mask any pool GW_Pool_Round profiles { fastL4 { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port disabled vlans { Internal } vlans-enabled vs-index 26 }
ltm pool GW_Pool_Round { members { 203.193.x.x:any { address 203.193.x.x session monitor-enabled state up } 218.213.x.x:any { address 218.213.x.x session monitor-enabled state up } } monitor gateway_icmp }
Thanks Daniel!
- Daniel_Varela
To be honest I don't see where the problem can be. I'd recommend you to open a support case. In addition you can add an irule to log information about the load balance decissions, active members, etc:
when LB_SELECTED { log local.0 "Active members: [active_members [LB::server pool]]" log local.0 "Pool member: [LB::server addr]:[LB::server port]" }A packet capture will help to see what is happening underneath, destination mac address, etc.
Sorry to not be of more help.
swjo_264656Cirrostratus
Hi
In your case, It seems that ISP bgp setting seems to wrong.
but If ping dst IP is belong to just one ISP, dst unreachable is expected result.
First, ping to google(belong to lots of ISP), unplug one ISP, stop ping and retry ping.
Second, check ISP`s bgp hold time. -> normally long as you expected.
thank you.
- cawong23_136311
I opened tech case, it seems the normal behavior on F5.
It looks you kept the ping tool running all the time. This should not exist if you stop the command and then run it again after 10 seconds. This is due to that even for ICMP traffic, there will be a connection established in connection table. The entry in the connection table won't be removed even if the member is down.
That's ok just need to explain to customer.