Forum Discussion
meena_60183
Nimbostratus
NimbostratusSelf-IP and VS is not pingable
I used the following link
http://devcentral.f5.com/Forums/tabid/53/aft/20979/afv/topic/Default.aspx
to implement Cisco NAC on our network using BigIP. I changed the drawing to include my info
---------------- ------------------
- 10.60.98.1(def. GW) - 10.60.253.1 (def. GW)
---------------- ------------------
| |
VLAN 6 VLAN 34
| |
| |
---------------------------------------------------
- 10.60.98.11 (VS) 10.60.253.12 (VS) -
- -
- 10.60.98.4 10.60.253.4 -
- (self IP) (self IP) - -
- F5 LTM -
- -
- 10.60.252.4 10.60.99.4 -
- (self IP) (self IP) -
---------------------------------------------------
| |
VLAN 351 VLAN 5
| |
10.60.252.6 (server) 10.60.99.6 (server)
I cannot ping 10.60.98.4 or the VS 10.60.98.11. I created 3 forwarding virtual servers, one for vlan 5 (gateway pool pointing to 10.60.99.1 which is the router), one for vlan 351 (gateway pool pointing to 10.60.252.1 which is also a router) and one for rest of the vlans for outbound traffic from the servers. The default gateway for the bigIP is set to 10.60.253.1 which is on vlan 34.
Everything was working fine when I had all the VS on vlan 34 (10.60.253.x). When I added the second VS on 10.60.98.x, the problem started happening. Is this because the default gateway for the bigIP is on vlan 34?
Meena
Michael_YatesI noticed that the F5 Self IP and Floating IP Addresses never respond to ICMP when our monitoring team attempted to use these as F5 Health Checks. I even started a continuous ping of the Self IP Address of the Standby Unit (in a High Availability Pair) and then direct a failover and it will stopped responding.
It is a normal behavior from what I have discovered.
Cspillane_18296Hi there,
you should be able to ping the self ip's and standard Virtual Servers without issue, I have just tested this on a unit running version 10.1.0 in our lab environment. However, I don't think forwarding virtual servers themselves will respond to pings, they'll just pass the ping through if the port is set appropriately.
Make sure you have Auto-Last Hop turned on under Configuration : Local Traffic : General.
I'm probably missing something obvious here as to why this isn't working but my brain's given up for the day.
meena_60183I took a tcpdump while pinging the real server IP from the BigIP and here is some of the relevant data
----------------------------------
09:26:07.597576 802.1Q vlan351 P0 10.60.252.4 > 10.60.252.6: icmp: echo request (DF)
09:26:07.597576 802.1Q vlan5 P0 arp who-has 10.60.252.4 tell 10.60.252.6
-------------------------------------
When I do a "ping 10.60.252.6" from BigIP, I am not sure why vlan5 is asking for ARP. The real server itself is a Cisco appliance and the traffic goes to vlan351 (10.60.252.6) on the untrusted side and gets routed through vlan 5 (10.60.99.6) which is on the trusted side.
In this case, BigIP's selfIP(10.60.252.4) is on the same subnet and I do not know why it is trying to send the traffic through the other side. The routing table on the appliance only has a default route and it points to the trusted side which is on vlan 5.
The etherchannel on the Cisco side used to allow only necessary vlans but I made it to allow all vlans now. The trunk config on the BigIP uses LACP in active mode. After I made this change, I could ping the self IP on vlan 6 (10.60.98.4) and the VS (10.60.98.11). The problem migrated to vlan 351 now which is the real server vlan.
Meena- hoolio
Cirrostratus
10.60.252.4 is LTM's self IP. 10.60.252.6 is a server on the same VLAN. So it looks like you're trying to ping from LTM to the server IP address. The server is ARPing for the LTM self IP addresses MAC address, but it's coming in an unexpected VLAN. LTM won't have much control over which VLANs traffic comes into it on. I'm not even sure how you could set up the server interfaces to broadcast on a different interface than the destination IP address is on when the source host has an IP address on that interface. I'd check the lower layers on the server.
I noticed that the F5 Self IP and Floating IP Addresses never respond to ICMP when our monitoring team attempted to use these as F5 Health Checks.
This is a security "feature":
SOL3475: It is not possible to ping a BIG-IP self IP address from a separate VLAN
https://support.f5.com/kb/en-us/solutions/public/3000/400/sol3475.html
SOL7171: The standby BIG-IP system is unable to ping the floating self IP address
https://support.f5.com/kb/en-us/solutions/public/7000/100/sol7171.html
In BIG-IP versions 9.0 through 9.3.1, the standby BIG-IP system cannot ping the floating self IP addresses; this is the expected behavior.
Aaron - Michael_YatesThanks for the Solution Numbers.
Knew it was normal behavior and figured it was for security or operational reasons, but didn't know there was a solution behind it.
Thanks again Hoolio (I know you had to dig to find those)! - meena_60183Thanks for all the response. The problem was on the NAC appliance itself. We re-imaged it and configured the two interfaces and the route table showed up correctly.
It is working with no problems now.
Meena