Forum Discussion
npath dsr configuration ltm 11.x
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/6.html
However, it may be that some of the guide appears to come from 2 different sources (different VIPs mentioned), which may be causing some confusion for me.
Basically I've got an ltm test system set up and server as so:
f5 test vip: 10.10.220.63
perf fastL4 profile with Loose Close off
i.e. vip is as so:
ltm virtual npath_tcp {
    destination 10.10.220.63:any
    ip-protocol tcp
    mask 255.255.255.255
    pool npath_ipip_pool
    profiles {
        fastl4_npath_pva { }
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
Pool was created per doc as well:
ltm pool npath_ipip_pool {
    allow-nat no
    members {
        10.10.220.66:any {
            address 10.10.220.66
            session monitor-enabled
            state down
        }
    }
    monitor min 1 of { t.ipip }
    profiles {
        ipip
    }
}
On the host:
module ipip is loaded
all settings are loaded into proc as documented and the interfaces are set as
eth0 - 10.10.220.66
lo:0 - 10.10.220.63
tunl0 - 10.10.220.66
If I run tcpdump on the interfaces and attempt to connect from the other end I see no traffic.
What am I doing wrong?
4 Replies
- hoolio
Cirrostratus
Hi,
Is the pool member marked up? Does TMM have a self IP on the pool member subnet or a route to it?
Aaron
- bman_12685
Nimbostratus
Based off docs for version 11.2.x, the pool does not require an additional self IP for DSR. The pool member is marked up and I can tcpdump on the pool member and see the traffic request for whatever port I attempt to test.
On the client side, for example, if I do a telnet to port 25 on the vip I see the request via tcpdump on the linux server on the tunl0 interface, but never on the loopback. Additionally, on the client side the connection hangs then times out.
- bman_12685
Nimbostratus
I've been pulling my hair out on this one a bit and moved it to a separate pair of f5's that are behind a firewall, so the configuration is more textbook. I have the same issue. The only other thing I can think of, if someone has any input, would be in the way I am testing.
Since npath should, from the textbook, be an external connection outside my firewall NATed to the f5 vip (on a private ip), then this would be npath'd to the real server, which would then route back out the firewall? Could this possibly be why my connection is hanging on the real server and I see the request via tcpdump but it never completes?
- Zeljko_123076
Nimbostratus
Hi, could anyone please confirm the source IP of the IPIP tunnel between F5 and server...
I did verification of L3 DSR (for SIP, DHCP/UDP) using virtual edition 11.3 and couldn't get the LB to source the tunnel from its IP - it always used the client IP as the source of the tunnel (unless SNAT was enabled, but then both tunnel and client IPs are changed).
I cannot get my server ('black box') to accept an IPIP tunnel from anywhere. Is there a way to force F5 to use its IP as the source of the IP (or GRE) tunnel in npath l3?
Thank you for your time /Zeljko