Forum Discussion
No response after added virtual server IP address as floating self-IP address
Hi,
I have an F5 HA pair that serves several virtual servers.
VS1: ip1
VS2: ip2
Now, the IP address of VS1 (ip1) was already defined as a floating self-IP, but I found out that the IP address of VS2 was not defined as a self-IP. So I added ip2 as a floating self-IP.
From that moment on, no traffic was accepted on either ip1 or ip2.
Moreover, when I add a floating self-IP (let's say ip3), the virtual servers stop accepting traffic.
Any idea what can be causing this? Is it necessary to define the IP address of a virtual servers as a floating self-IP? Are there benefits of doing that?
On other units I manage, I always first add the floating self-IP and then I add the virtual server on that IP address.
I'm running version "BIG-IP 11.6.0 Build 0.0.401 Final"
Thanks.
It was driving me nuts, since I just want to understand what's going.
After reading this post: https://devcentral.f5.com/questions/self-ip-address-selection-with-multiple-to-choose-from, I checked the firewall logs again. And now the pieces fit.
On the Virtual Servers I have SNAT Automap enabled. When I only have one floating self IP, that floating self IP is used to initiate traffic to backend servers. When I add more floating self IPs, it will use any of those floating self IPs to initiate traffic towards the backend servers.
The firewall between the F5 and the backend servers does not accept this traffic, meaning not actually the VS stopped responding after I added the VS IP address as a floating self IP, but the firewall blocked traffic towards the backend servers.
So, conclusion (just to summarize):
- only one floating self IP is needed for SNAT communication towards the backend servers (if the amount of connections is less than 65000, otherwise more are needed and I must define a SNAT pool or allow the other floating IP addresses to communicate to the backend servers)
- I will remove the unneeded floating self IP, since they're not needed for a VS to function as a listener IP
Thanks all for your help!
- mreco_159588Cirrus
It was driving me nuts, since I just want to understand what's going.
After reading this post: https://devcentral.f5.com/questions/self-ip-address-selection-with-multiple-to-choose-from, I checked the firewall logs again. And now the pieces fit.
On the Virtual Servers I have SNAT Automap enabled. When I only have one floating self IP, that floating self IP is used to initiate traffic to backend servers. When I add more floating self IPs, it will use any of those floating self IPs to initiate traffic towards the backend servers.
The firewall between the F5 and the backend servers does not accept this traffic, meaning not actually the VS stopped responding after I added the VS IP address as a floating self IP, but the firewall blocked traffic towards the backend servers.
So, conclusion (just to summarize):
- only one floating self IP is needed for SNAT communication towards the backend servers (if the amount of connections is less than 65000, otherwise more are needed and I must define a SNAT pool or allow the other floating IP addresses to communicate to the backend servers)
- I will remove the unneeded floating self IP, since they're not needed for a VS to function as a listener IP
Thanks all for your help!
- dragonflymrCirrostratus
Hi,
There is no need to add floating IP equal to VS IP. It is rather other way around.
You can use floating IP as your VS IP to save IPs - let's say you have only two free IPs in given subnet - one for self IP, one for floating IP.
But you need VS to configure - solution is to use same IP as floating IP.
If you use Floating IP as VS IP you need to modify Floating IP Port Lockdown setting. As incoming traffic is matching Floating IP first then this setting is evaluated (most often it's set to None or Default) and if there is no port/protocol match traffic is rejected.
So if you have VS at port 80 you need to add TCP port 80 to the Port Lockdown List (probably using Allow Custom).
Piotr
- marin_266716Nimbostratus
Im confused, you said floating IP but you also said VS, are you adding a floating IP and thinking it will be the VIP for a pool?
VS1 = VIP1 (Application 1) VS2 = VIP2 (Application 2)
Self IP = IP in segment used to to reach into segments for monitoring or other purposes.
A Self IP is just that, in an HA cluster you could have 2-3 IP's per VLAN. 2x would be 1 Self IP (Non-Floating) per device in your HA group. The 3rd IP would be the floating IP added to the Active node and synced across to the standby. Floating IP's sync, self IP's do not. The Floating IP can be used as a default gateway for instance since it will always follow the active member.
What are you trying to accomplish with said "Self/Floating IP"
- mreco_159588Cirrus
I'm also confused ;-)
I have several virtual servers that use IP addresses that are not defined as self-IP or floating-IP.
Each unit of the HA pair has a non-floating IP address and they both share one floating-IP address in the same VLAN.
The IP addresses of the virtual servers are in the same VLAn as the non-floating and floating IP addresses.
Now, when I add the IP address used by a virtual servers as a floating IP address, the virtual server stops responding, even after setting port lockdown to 'Allow All'.
What I'm trying to accomplish is the following: I thought it was weird that the unit has a virtual server running on an IP that is not defined as a floating IP. On other units I manage I usually first add an IP address as a floating IP and then use that IP address for a virtual server. So, to align the setup with other units I manage, I added the IP address of the virtual server as a floating IP. But then things stopped working...
- mreco_159588Cirrus
I understand the difference between floating and non-floating IP addresses, but I don't understand that a virtual server can be hosted on an IP address that is not defined as a floating IP address.
- marin_266716Nimbostratus
"I thought it was weird that the unit has a virtual server running on an IP that is not defined as a floating IP."
I dont have a single IP that is used as a VS also used as a Self-IP or Floating IP on either Active or Standby unit.
Well say for instance 192.168.10.0/24 is VLAN 10
Self IP Node1 = 192.168.10.2
VS1 = 192.168.10.101
And so on....
To add one more example on the same cluster.
Well say for instance 192.168.20.0/24 is VLAN 20
Self IP Node1 = 192.168.20.2
VS4 = 192.168.20.101
A total of 6 VS's on 2 different networks serviced by the same cluster without using a VS IP as a self and/or floating IP.
- dragonflymrCirrostratus
Hi,
Can you just post output of commands listed below (masking what you consider confidential info):
- tmsh list net self-allow
- tmsh list net vlan [name of the vlan used by floating IP mentioned below]
- tmsh list net self [name of floating IP that equals IP of VS that stopped to work] all-properties
- tmsh list ltm virtual-address [IP for the VS that equals floating IP mentioned above] all-properties
- tmsh list ltm virtaul [name of VS mentioned above]
Piotr
- mreco_159588Cirrus
I have already answered the question myself in a previous post.
Thanks for your help!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com