Forum Discussion
No response after added virtual server IP address as floating self-IP address
- Jun 14, 2017
It was driving me nuts, since I just want to understand what's going on.
After reading this post: https://devcentral.f5.com/questions/self-ip-address-selection-with-multiple-to-choose-from, I checked the firewall logs again. And now the pieces fit.
On the Virtual Servers I have SNAT Automap enabled. When I only have one floating self IP, that floating self IP is used to initiate traffic to backend servers. When I add more floating self IPs, it will use any of those floating self IPs to initiate traffic towards the backend servers.
The firewall between the F5 and the backend servers does not accept this traffic, meaning the VS did not actually stop responding after I added the VS IP address as a floating self IP; instead, the firewall blocked traffic towards the backend servers.
So, conclusion (just to summarize):
- only one floating self IP is needed for SNAT communication towards the backend servers (if the amount of connections is less than 65000, otherwise more are needed and I must define a SNAT pool or allow the other floating IP addresses to communicate to the backend servers)
- I will remove the unneeded floating self IPs, since they're not needed for a VS to function as a listener IP
Thanks all for your help!
Hi,
There is no need to add a floating IP equal to the VS IP. It is rather the other way around.
You can use a floating IP as your VS IP to save IPs - let's say you have only two free IPs in a given subnet - one for the self IP, one for the floating IP.
But you need a VS to configure - the solution is to use the same IP as the floating IP.
If you use the Floating IP as the VS IP, you need to modify the Floating IP Port Lockdown setting. As incoming traffic matches the Floating IP first, this setting is evaluated (most often it's set to None or Default), and if there is no port/protocol match, traffic is rejected.
So if you have a VS at port 80, you need to add TCP port 80 to the Port Lockdown List (probably using Allow Custom).
Piotr