Forum Discussion

tatmotiv
Jan 13, 2016

load balance ICMP echo requests to pool members

Hi there,

I'm trying to set up a virtual server which will forward ICMP to pool members and let them handle answering ICMP instead of letting the BigIP handle ICMP itself. My plan was to:

  1. disable ICMP echo in the virtual address setting:

    ltm virtual-address 10.2.1.23 {
       address 10.2.1.23
       icmp-echo disabled
       mask 255.255.255.255
       traffic-group traffic-group-1
    }

  2. Define an appropriate pool with port "any":

    ltm pool test {
        members {
            docker_host1:any {
                address 10.100.1.10
            }
        }
    }

  3. Define a fast-l4 virtual with ip-protocol icmp and destination port any and attach the pool to it:

    ltm virtual trestdjo {
        destination 10.2.1.23:any
        ip-protocol icmp
        mask 255.255.255.255
        pool test
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        vlans {
            client
            server
        }
        vlans-enabled
    }

However, this virtual does not catch the pings coming in from vlan "client" to destination address 10.2.1.23. I can see the pings arriving in vlan client when running tcpdump, but they are left unanswered. The hit counts of the virtual above are not incrementing, so it doesn't seem to match the traffic. I'm unsure whether fastL4 is even capable of handling ICMP traffic, but it is the only type of virtual that allows me to specify ICMP as IP protocol (type standard doesn't) and attach a server pool to it.

Any idea how to achieve the desired behaviour? Many thanks in advance.

Regards

Martin

2 Replies

  • Additional information: The help text for ICMP echo in the virtual address section states: "ICMP Echo: Enables or disables responses to Internet Control Message Protocol (ICMP) echo requests on a per-virtual address basis. When enabled, the BIG-IP system intercepts ICMP echo request packets and responds to them directly. When disabled, the BIG-IP system passes ICMP echo requests through to the backend servers." The last sentence describes the desired behaviour, so I guess there has to be a way to achieve this...
  • Hi Tatmotiv,

    this feature looks somewhat broken to me...

    1. ICMP=enable and ARP=enable will cause LTM to respond

    2. Switching to ICMP=disable and ARP=enable will cause ICMP messages to become dropped.

    3. Switching to ICMP=disable and ARP=disable will cause the servers to respond to ICMP messages, until the ARP caches are timed out (with static MAC entries it would continue to work)

    4. Switching to ICMP=disable and ARP=enable will cause half of the ICMP messages to become dropped and the other half is still responded by the servers.

    5. Switching to ICMP=enable and ARP=enable will cause LTM to respond half of the ICMP messages and the other half is responded by the servers.

    6. Clearing the Connection-Table while having ICMP=enable and ARP=enable will immediately cause LTM to respond to everything.

    7. Going back to the state of 4.) and then clearing the Connection-Table will cause the ICMP messages to become dropped.

    8. Going back to the state of 3.) and then clearing the Connection-Table will cause the servers to respond to ICMP messages.

    I'd recommend to call F5 support and ask for a fix/assistance...

    FYI: I'm using TMOS v12

    Cheers, Kai
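Added example, not part of either post and not F5 code: a Python tally over `tcpdump -e -n icmp` text output that counts, per source MAC, who answered each echo request sent to the virtual address and how many requests went unanswered, so the mixed states described in the thread can be measured rather than eyeballed. The capture lines, client IP and MAC addresses are constructed, and stock tcpdump line format is assumed.

```python
import re
from collections import Counter

# Stock `tcpdump -e -n icmp` line layout (assumed); fields used: MACs, IPs, id, seq.
LINE = re.compile(
    r"(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4.*?: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def tally_responders(lines, vip):
    """Return (Counter: replying source MAC -> answered requests, unanswered count)."""
    pending = set()        # (client ip, icmp id, seq) of requests still waiting
    responders = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue       # non-ICMP-echo or unparsable line
        if m["kind"] == "request" and m["dst"] == vip:
            pending.add((m["src"], m["id"], m["seq"]))
        elif m["kind"] == "reply" and m["src"] == vip:
            key = (m["dst"], m["id"], m["seq"])
            if key in pending:
                pending.discard(key)
                # Distinct MACs separate responders only when both reply
                # directly on the captured segment.
                responders[m["smac"]] += 1
    return responders, len(pending)

# Constructed capture: client 10.2.1.50 pings the virtual address 10.2.1.23.
REQ = ("10:00:0{n}.000100 02:00:00:00:00:01 > 02:00:00:00:00:aa, ethertype IPv4 "
       "(0x0800), length 98: 10.2.1.50 > 10.2.1.23: ICMP echo request, id 77, "
       "seq {n}, length 64")
REP = ("10:00:0{n}.000300 02:00:00:00:00:{mac} > 02:00:00:00:00:01, ethertype IPv4 "
       "(0x0800), length 98: 10.2.1.23 > 10.2.1.50: ICMP echo reply, id 77, "
       "seq {n}, length 64")
SAMPLE = [
    REQ.format(n=1), REP.format(n=1, mac="aa"),
    REQ.format(n=2), REP.format(n=2, mac="bb"),
    REQ.format(n=3),                              # never answered
    REQ.format(n=4), REP.format(n=4, mac="aa"),
]

if __name__ == "__main__":
    by_mac, unanswered = tally_responders(SAMPLE, "10.2.1.23")
    for mac, count in by_mac.items():
        print(f"{mac} answered {count}")
    print(f"unanswered: {unanswered}")
```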