Forum Discussion
nPath and firewall rules
- Mar 25, 2014
What is interesting is in LAB env. when client ARPs for VS_IP one of the nodes responds with its MAC address and everything works OK then. That means the F5 will not be involved at all, and the whole purpose of nPath is for the F5 to be involved!!
In prod, when client ARPs for VS_IP, F5 responds with MAC address of self-ip, which causes the problem, b/c node is then trying to send back to client's MAC. That's how nPath should work - client sends to F5, F5 forwards to server, and server responds direct to client.
Also in LAB when I run tcpdump on the F5 I don't see any traffic, only ARP.
You need to prevent the servers from responding to the ARP requests for the VS_IP (so get rid of that -arp setting), although they do need to have an interface that will respond to unicast traffic to that IP configured. While the F5 and the nodes are all responding to ARP it's a race to see who gets their response in first. Once you have the F5 only responding then you'll need to troubleshoot the other problem.
Is the client on the same subnet as the server? If not, then the server should ARP for the gateway IP, and send a packet that has the client IP and gateway MAC.
- Dmitri_Ch__1425, Mar 25, 2014, Cirrus
Yes, in this test the client is on the same subnet. I'm trying to pinpoint the problem and avoid firewall for now. What is interesting is in LAB env. when client ARPs for VS_IP one of the nodes responds with its MAC address and everything works OK then. In prod, when client ARPs for VS_IP, F5 responds with MAC address of self-ip, which causes the problem, b/c node is then trying to send back to client's MAC. Also in LAB when I run tcpdump on the F5 I don't see any traffic, only ARP. I don't know if it makes any difference - in LAB I'm using Ubuntu nodes, in prod Redhat nodes. Same F5 unit, different VLANs on trunk port...
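Added example, not part of the thread: a small check over `tcpdump -n arp` output that reports which MAC addresses answer ARP for the virtual server IP, separating the lab case (only a node answers, so the F5 is bypassed) from the race (F5 and node both answer) and the intended nPath state (only the F5 answers). The IPs, MACs and capture lines are constructed sample data, and the function names and result labels are hypothetical.

```python
import re
from collections import defaultdict

# ARP reply as printed by `tcpdump -n arp` (the same text appears with -e).
ARP_REPLY = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def arp_responders(lines):
    """Map each IP to the set of MACs that sent an ARP reply claiming it."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return dict(seen)

def check_vip(lines, vip, bigip_mac):
    """Classify who answers ARP for the virtual server IP (labels are ours)."""
    bigip_mac = bigip_mac.lower()
    macs = arp_responders(lines).get(vip, set())
    if not macs:
        return "no-reply", macs          # nobody answered for the VIP
    if macs == {bigip_mac}:
        return "ok", macs                # only the F5 answers: nPath as intended
    if bigip_mac in macs:
        return "race", macs              # F5 and at least one node both answer
    return "bypass", macs                # only nodes answer: F5 never sees traffic

# Constructed sample data: documentation-range IPs and made-up MACs.
VIP = "192.0.2.100"
F5_MAC = "02:00:00:f5:00:01"
NODE_MAC = "02:00:00:aa:00:01"
REQ = "10:15:01.000101 ARP, Request who-has 192.0.2.100 tell 192.0.2.50, length 28"
F5_REPLY = f"10:15:01.000290 ARP, Reply {VIP} is-at {F5_MAC}, length 46"
NODE_REPLY = f"10:15:01.000350 ARP, Reply {VIP} is-at {NODE_MAC}, length 46"

if __name__ == "__main__":
    for name, capture in [("node only", [REQ, NODE_REPLY]),
                          ("F5 and node", [REQ, F5_REPLY, NODE_REPLY]),
                          ("F5 only", [REQ, F5_REPLY])]:
        print(name, check_vip(capture, VIP, F5_MAC))
```

Feed it lines captured on the client-side VLAN; any result other than "ok" means a server is still answering ARP for the VS_IP.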