
johnp-scout_211
Jul 17, 2015

New bigip on network breaks old bigip snat

We have an old pair of bigips in production that we have used for years (version 9). We are replacing them with a new pair (version 11). We used different IP addresses for the self IPs on the new pair so we could run them side by side for testing. When we plug in the external interfaces (behind firewall) of the new pair, after a time (a few minutes to a few hours) the current bigips' SNATs stop working until we fail over to the other bigip in the cluster. While in this state the bigip can get to the internet or the internal network fine, but it is not forwarding traffic from servers that use the bigip as its gateway.

- It is not an IP conflict
Do the bigips broadcast something out that make them not want to be on the same network as other bigips?
4 Replies

  • Although you have said it is not an IP conflict, I would still think there is a device in the network with a similar IP that is claiming it has that IP address and sending its MAC address at some intervals. Upon failover BIG-IP GARPs out and traffic is forwarded to it. But after a certain interval that device comes into play again.

    1. Take captures on the servers to see what mac address they are forwarding traffic to at the time of issue.
    2. Take capture on F5 to see if it has received the traffic sent by the server.
  • When it sends out the GARP would all the servers on the network try to use that new bigip as its gateway?
  • Turns out part of the config was copied to this new bigip and the SNAT WAS conflicting.

  • When you import configuration and you change IPs of virtual server and SNAT, old IP addresses are still in the configuration as "Virtual address" and "SNAT translation list".

    • When creating a VS, the virtual address is created with ARP checked to enable proxy ARP
    • When deleting a VS, the virtual address is deleted
    • When modifying a VS address, the new address is created but the old one remains.

    this is the same with SNAT pool and SNAT translation list...
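The leftover virtual-address and SNAT-translation objects described in this reply are easy to miss by eye, so here is an added check (my own code, not from this thread or from F5) that reads two bigip.conf fragments in tmsh style and reports every address both units would answer ARP for. The config text is constructed for the example; the assumption that ARP is enabled by default when the `arp` line is absent matches BIG-IP behaviour for these object types.

```python
import re
from typing import Dict, Set

# Constructed bigip.conf fragments in v11 tmsh style (not from the thread).
# The OLD pair still owns these addresses; the copied config on the NEW pair
# kept the same virtual address, so both units will ARP/GARP for it.
OLD_CONF = """
ltm virtual-address /Common/192.0.2.10 {
    address 192.0.2.10
    arp enabled
}
ltm snat-translation /Common/192.0.2.50 {
    address 192.0.2.50
}
"""
NEW_CONF = """
ltm virtual-address /Common/192.0.2.10 {
    address 192.0.2.10
    arp enabled
}
ltm virtual-address /Common/192.0.2.11 {
    address 192.0.2.11
}
ltm snat-translation /Common/192.0.2.50 {
    address 192.0.2.50
    arp disabled
}
"""

STANZA = re.compile(r"ltm (virtual-address|snat-translation) \S+ \{(.*?)\}", re.S)


def arp_addresses(conf: str) -> Dict[str, Set[str]]:
    """Return {kind: {address, ...}} for every object that will answer ARP."""
    found: Dict[str, Set[str]] = {"virtual-address": set(), "snat-translation": set()}
    for kind, body in STANZA.findall(conf):
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        arp = re.search(r"^\s*arp (\S+)", body, re.M)
        # Assumption: ARP is enabled by default, so a missing line counts as enabled.
        if addr and (arp is None or arp.group(1) == "enabled"):
            found[kind].add(addr.group(1))
    return found


def arp_conflicts(old_conf: str, new_conf: str) -> Dict[str, Set[str]]:
    """Addresses both units would claim on the wire: the condition behind the failing SNAT."""
    old, new = arp_addresses(old_conf), arp_addresses(new_conf)
    return {kind: old[kind] & new[kind] for kind in old}


if __name__ == "__main__":
    for kind, addrs in arp_conflicts(OLD_CONF, NEW_CONF).items():
        for a in sorted(addrs):
            print(f"CONFLICT {kind} {a}: both units will ARP for it")
```

The SNAT translation above is not reported because ARP is disabled on the new unit's copy; the virtual address 192.0.2.10 is, which is exactly the leftover object this reply warns about.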