rmd1023
Mar 10, 2012

Monitoring traffic vs forwarding virtual server

So, I've got a pair of HA LTMs running in layer 3 mode. Most of my virtual servers are using SNAT so that the virtual server traffic flows through the LTM but the LTM isn't the default gateway for the VLANs hosting the real servers. The exception is one VLAN, 10.0.213.200/29, which is a stub VLAN that lives behind the LTM and for which the LTM is the default gateway. I've got a floating IP, 10.0.213.201, and two physical self-IPs - .202 and .203 - one on each of the LTMs.

I've got two forwarding virtual servers handling traffic on and off of that VLAN. The one that handles traffic to the stub VLAN is written to handle traffic for the entire 10.0.213.200/29 network.

The problem is that the active LTM, which is hosting the .201 shared and .202 specific self-IPs, won't reply to pings for those IPs. I assume it's because the forwarding virtual server is picking up the traffic and trying to forward it rather than letting the LTM say "hey, that's one of my IPs, I can answer that ICMP echo request!"

Is there a way to get around this? Should the forwarding virtual server not handle traffic for the whole network range?

Thanks,

--r

  • Have you enabled ARP of that network virtual address, i.e. 10.0.213.200/29?

    It is at Local Traffic > Virtual Servers > Virtual Address List.
  • I have not, since I don't want it to proxy arp. But I wouldn't think it's a matter of responding to ARPs - it's a layer 3 device and routing is working happily, so things upstream are routing the packets to the outside IP of the LTM, and the LTM is picking up the packets.

    If I ping the address from the LTM itself, it responds. If I ping the address from a host on that network, I see a reply. But if I ping the interface from a remote box upstream, I see the packets hitting the LTM's outside interface when I do a (non-promiscuous) tcpdump, but I never see a reply on any interface.
  • What about this one?

    sol3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address

    https://support.f5.com/kb/en-us/solutions/public/3000/400/sol3475.html
  • Sure enough, that looks like the situation I'm in. I had poked around in the KB but I missed that article.

    Thank you!

    Also, that's a very happy looking pup in your userpic.