Forum Discussion
nPath and firewall rules
- Mar 25, 2014
What is interesting is that in the LAB env., when the client ARPs for VS_IP, one of the nodes responds with its MAC address and everything works OK then. That means the F5 will not be involved at all, and the whole purpose of nPath is for the F5 to be involved!!
In prod, when the client ARPs for VS_IP, the F5 responds with the MAC address of the self-IP, which causes the problem, because the node then tries to send back to the client's MAC. That's how nPath should work - the client sends to the F5, the F5 forwards to the server, and the server responds directly to the client.
Also, in the LAB, when I run tcpdump on the F5 I don't see any traffic, only ARP.
You need to prevent the servers from responding to the ARP requests for the VS_IP (so get rid of that -arp setting), although they do need to have an interface configured that will respond to unicast traffic to that IP. While the F5 and the nodes are all responding to ARP, it's a race to see who gets their response in first. Once you have only the F5 responding, then you'll need to troubleshoot the other problem.
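The reply above describes the ARP race: when several hosts answer ARP for the VS_IP, whichever reply arrives first wins, so behaviour flips between "the F5 is bypassed" and "the node replies to the wrong MAC". As an added example (not code from the thread or from F5), here is a small POSIX shell script that turns the tcpdump the poster already ran into a check for that race: it counts the distinct MACs that answer ARP for a given IP in tcpdump's text output. The capture lines, IPs and MACs below are constructed for the example; the line format assumed is tcpdump's default rendering of ARP replies (`ARP, Reply <ip> is-at <mac>`).

```shell
#!/bin/sh
# Added example, not from the original thread. Detects more than one host
# answering ARP for an IP (the "race" described in the reply above) by
# parsing tcpdump's text output for ARP replies.
#
# Real use: tcpdump -n -i <iface> arp > capture.txt ; then
#   check_single_responder 10.1.1.100 < capture.txt

# Constructed sample capture (made-up IPs and MACs). Two different MACs
# answer for 10.1.1.100, which is the symptom the reply describes; only one
# MAC answers for 10.1.1.200.
SAMPLE_CAPTURE='
12:00:01.000001 ARP, Request who-has 10.1.1.100 tell 10.1.1.5, length 28
12:00:01.000101 ARP, Reply 10.1.1.100 is-at 00:50:56:aa:bb:01, length 28
12:00:01.000133 ARP, Reply 10.1.1.100 is-at 00:0c:29:dd:ee:02, length 28
12:00:02.000001 ARP, Request who-has 10.1.1.200 tell 10.1.1.5, length 28
12:00:02.000090 ARP, Reply 10.1.1.200 is-at 00:50:56:aa:bb:01, length 28
12:00:03.000001 ARP, Request who-has 10.1.1.100 tell 10.1.1.6, length 28
12:00:03.000120 ARP, Reply 10.1.1.100 is-at 00:50:56:aa:bb:01, length 28
'

# arp_responders IP < capture
# Prints the distinct MACs seen in "is-at" replies for IP, sorted, one per line.
# Field layout of a tcpdump ARP reply line:
#   $1 time  $2 "ARP,"  $3 "Reply"  $4 ip  $5 "is-at"  $6 "mac,"  $7 "length" ...
arp_responders() {
    awk -v ip="$1" '
        $2 == "ARP," && $3 == "Reply" && $4 == ip && $5 == "is-at" {
            mac = $6
            sub(/,$/, "", mac)      # strip the trailing comma tcpdump prints
            print mac
        }' | sort -u
}

# arp_responder_count IP < capture
# Prints the number of distinct MACs that answered ARP for IP.
arp_responder_count() {
    arp_responders "$1" | wc -l | tr -d ' '
}

# check_single_responder IP < capture
# Exit status 0 when exactly one MAC answers for IP, 1 when several answer
# (the ARP race), 2 when no reply for IP was captured at all.
check_single_responder() {
    ip="$1"
    cap=$(cat)                      # buffer stdin: it is read twice below
    n=$(printf '%s\n' "$cap" | arp_responder_count "$ip")
    case "$n" in
        0)
            echo "no ARP replies seen for $ip (not answered, or not captured)"
            return 2 ;;
        1)
            echo "OK: exactly one MAC answers ARP for $ip"
            return 0 ;;
        *)
            echo "WARNING: $n different MACs answer ARP for $ip (ARP race):"
            printf '%s\n' "$cap" | arp_responders "$ip" | sed 's/^/    /'
            return 1 ;;
    esac
}

# Stand-alone run over the constructed capture.
for ip in 10.1.1.100 10.1.1.200; do
    printf '%s\n' "$SAMPLE_CAPTURE" | check_single_responder "$ip" || :
done
```

Run the real check from the F5 (or any host on the segment) while a client resolves the VS_IP; the expected healthy result for an nPath VS is exactly one responder, the F5. Two MACs means a node is still answering ARP for the address and the fix belongs on the node, not on the firewall.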
Hi, thank you. If there is nothing on the firewall, then I'll double-check the F5 config.
The F5's VS, the node and the firewall are all on the same subnet. The concern I have with the firewall is that it could drop reply packets coming from the node, since the firewall doesn't have an incoming connection to match. Could this be the problem?
I ran tcpdump on the F5 and the node and see that the node is sending data back (dst is the MAC address of the FW), but my client doesn't receive those.