Forum Discussion

bman_12685
Aug 15, 2012

npath dsr configuration ltm 11.x

I've been following the guide at

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/6.html

however it may be that some of the guide appears from 2 different sources (different vip's mentioned) that may be causing some confusion for me.

Basically I've got an ltm test system setup and server as so:

f5 test vip: 10.10.220.63

perf fastL4 profile with Loose Close off

i.e. the vip is as so

    ltm virtual npath_tcp {
        destination 10.10.220.63:any
        ip-protocol tcp
        mask 255.255.255.255
        pool npath_ipip_pool
        profiles {
            fastl4_npath_pva { }
        }
        translate-address disabled
        translate-port disabled
        vlans-disabled
    }

The pool was created per the doc as well:

    ltm pool npath_ipip_pool {
        allow-nat no
        members {
            10.10.220.66:any {
                address 10.10.220.66
                session monitor-enabled
                state down
            }
        }
        monitor min 1 of { t.ipip }
        profiles {
            ipip
        }
    }

On the host:

module ipip is loaded

All settings are loaded into proc as documented and the interfaces are set as

    eth0  - 10.10.220.66
    lo:0  - 10.10.220.63
    tunl0 - 10.10.220.66

If I run tcpdump on the interfaces and attempt to connect from the other end I see no traffic.

What am I doing wrong?

  • Hi,

    Is the pool member marked up? Does TMM have a self IP on the pool member subnet or a route to it?

    Aaron
  • Based off docs for version 11.2.x, the pool does not require an additional self IP for DSR. The pool member is marked up and I can tcpdump on the pool member and see the traffic request for whatever port I attempt to test.

    On the client side, for example, if I do a telnet to port 25 on the vip I see the request via tcpdump on the Linux server on the tunl0 interface, but never on the loopback. Additionally, on the client side the connection hangs then times out.
  • I've been pulling my hair out on this one a bit and moved it to a separate pair of f5's that are behind a firewall, so the configuration is more textbook. I have the same issue. The only other thing I can think of, if someone has any input, would be in the way I am testing.

    Since npath should, from the textbook, be an external connection outside my firewall NATed to the f5 vip (on a private IP), then this would be npath'd to the real server, which would then route back out the firewall? Could this possibly be why my connection is hanging on the real server and I see the request via tcpdump but it never completes?
  • Hi, could anyone please confirm the source IP of the IPIP tunnel between F5 and server...

    I did verification of L3 DSR (for SIP, DHCP/UDP) using virtual edition 11.3 and couldn't get LB to source the tunnel from its IP - it always used client IP as a source of the tunnel (unless SNAT was enabled, but then both tunnel and client IPs are changed).

    I cannot get my server ('black box') to accept IPIP tunnel from anywhere. Is there a way to force F5 to use its IP as source of IP (or GRE) tunnel in npath l3?

    Thank you for your time /Zeljko