Forum Discussion

Ichnafi's avatar
Ichnafi
Icon for Cirrostratus rankCirrostratus
Jul 12, 2021

LTM - Monitor with "arping" relies on ARP-Cache

Hello fellow F5ers,

 

I have devices, that can only be monitored via "arping" (don't ask, the devices are stupidly designed, some people may call that "secure"). There are several threads here on devcentral covering the use of "arping" in external monitors, but I see a behavior that is not mentioned at all.

 

At least on my LTMs (running Version 15.1.2.1) arpings will get answered from LTMs own ARP-Cache instead of sending a real request over the network. This can easily be tested by:

  1. Run a tcpdump that filters for arps: tcpdump -nni <vlan> arp
  2. On another console execute an arping: rdexec <rd> arping -c1 -I <vlan> <node-ip>

 

If there is no ARP-Entry in LTMs ARP-Cache, you will see an arp request with tcpdump. Any subsequent arpings will not be send over the network as long as there is a valid entry in the ARP-Cache (default timeout 5 minutes). The moment you clear the ARP-Cache manually, the next arping will be send over the network again.

This means, that even when the system that you arping is offline (shutdown, no power, you name it), you will still receive successfull arpings until the ARP-Cache entry times out.

 

Has anyone encountered a simmilar behavoir?

Any idea how I can use arping to reliable determ wether the node is still alive?

 

Cheers,

Stefan

 

  • I will post an answer from F5-Support.

    The behavior is "as designed"

     

    [...]

    Nonetheless after doing some additional information please be noted that Linux

    traffic not destined to the management network is picked up and forwarded by

    TMM which maintains its own ARP table. As a result there are two arp tables

    the TMM one and the Linux host one.

     

    The first time that IP address is being resolved to a MAC address (i.e. when

    TMM doesn't know about that IP yet), TMM will send a broadcast ARP request to

    the network.

     

    Once TMM becomes aware of where that IP address lives, and while it considers

    its entry fresh, TMM will not ask the network again, even if the Linux host

    (e.g. arping) is trying to resolve it again.

     

    This is behavior is per design but may lead to unexpected result such as

    marking pool member up based on TMM's cached response rather than based on

    actual ARP request send out towards the destination server.

    Maintaining both ARP tables with the external monitor script (for instance

    clearing ARP tables) is generally also not recommended (as tmsh commands such

    as clearing arp table is not scalable might consume cause to consume more

    CPU/memory resources and may lead to unexpected results for instance when next

    instance of the script is executed before end of previous tmsh execution).

     

    As alternative for external monitoring using arping tool - please consider

    applying ICMP_gateway monitor (you can strict ICMP traffic in network to

    specific IP's only - that belongs to BIgIP's non-floating self-ip and

    destination pool members).

    [...]

     

  • Hello,

    I'm trying to implement the arping monitor without success.

    I've created a bash file as follows:

     

    #!/bin/bash
    IP=$1
    INTERFACE="VLAN434"  # Use the VLAN name which connect with the endpoint nodes.
     
    arping -c 1 -I $INTERFACE $IP > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo "UP"
        exit 0
    else
        echo "DOWN"
        exit 1
    fi

    I've tested this command locally an work fine, but once that I've import the file via "System  ››  File Management : External Monitor Program File List" it appears under monitor section but I cannot apply to a current defined Node..

    Once that I create the monitor also I don't know if I've created correctly the monitor, see attached image.

    Please, can someone help me with the exact configuration?

    Thanks in advance.

     

    • dsn_support's avatar
      dsn_support
      Icon for Nimbostratus rankNimbostratus

      Hi, I'm going to reply myself... I've finally have it working like a charm.... changes that I've made:

      Monitor definition: 

      • delete all variables previously defined
      • Arguments: $F5_MONITOR_ADDRESS
      • Alias Service Port: 1  <---- this is because if you define the node in the pool as "* you cannot assign a monitor which service port is also "*" so you have to define and invented port.

      And in System  ››  File Management : External Monitor Program File List: 

      !/bin/bash
      IP=$1
      INTERFACE="VLAN_1234"  #Statically defined
      # clear arp cache table to avoid false positives 
      tmsh delete /net arp $IP
      # execute the command:
      RESULT=$(arping -c 1 -w 2 -I $INTERFACE $IP 2>&1)
      # evaluate the result
      if echo "$RESULT" | grep -q "Received 1 response(s)"; then
          echo "UP"
      else
      fi

      And that's all, Iv'e applied the new monitor to the pool definition and the nodes inside the pool inherit the pool monitor.

      Regards