static route versus IP forwarding VS
Thanks to all of you trying to help. I am carefully reading your posts, trying to extract what I can understand, and I keep on testing... Very, very sorry to keep on being a bit lost and therefore bothering you...
-disabled all my virtual servers BUT the IP forwarding one (it is a test F5 device) to be sure some traffic cannot be caught by another VS
-reset the statistics on this IP forwarding VS
-tcpdump on the F5 in front of my linux servers
Case 1 : the IP forwarding VS is targeting 0.0.0.0/0
ltm virtual IP_Forwarding_any {
destination 0.0.0.0:any
ip-forward
mask any
profiles {
fastL4 { }
}
source 10.21.1.67/32
source-address-translation {
type automap
}
translate-address disabled
translate-port disabled
vs-index 28
}
Ping does not work :
root@chgva-srv-smt02:~ ping www.google.fr
PING www.google.fr (216.58.198.35) 56(84) bytes of data.
From 10.21.1.18 icmp_seq=1 Destination Net Unreachable
From 10.21.1.18 icmp_seq=2 Destination Net Unreachable
N.B. : 10.21.1.18 is the floating self IP of my F5 device.
In tcpdump on my F5 (listening on all interfaces) I can see the ICMP requests to mil04s04 (which is probably Google), but only part of them (seems to be 1 out of 2, why ????) going through the IP forwarding VS :
[admin@f503:Active] ~ tcpdump -i 0.0 -vv host 10.21.1.67|grep ICMP
tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:48:01.882920 IP (tos 0x0, ttl 64, id 53093, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2234, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
11:48:01.882941 IP (tos 0x0, ttl 255, id 12459, offset 0, flags [DF], proto ICMP (1), length 56)
10.21.1.18 > 10.21.1.67: ICMP net mil04s04-in-f3.1e100.net unreachable, length 36
IP (tos 0x0, ttl 63, id 53093, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2234, length 64 out slot1/tmm0 lis=
11:48:02.882863 IP (tos 0x0, ttl 64, id 53243, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2235, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
11:48:02.882877 IP (tos 0x0, ttl 255, id 12465, offset 0, flags [DF], proto ICMP (1), length 56)
10.21.1.18 > 10.21.1.67: ICMP net mil04s04-in-f3.1e100.net unreachable, length 36
IP (tos 0x0, ttl 63, id 53243, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2235, length 64 out slot1/tmm0 lis=
11:48:03.882808 IP (tos 0x0, ttl 64, id 53354, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2236, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
11:48:03.882824 IP (tos 0x0, ttl 255, id 12471, offset 0, flags [DF], proto ICMP (1), length 56)
The VS statistics show traffic IN but no OUT.
It seems that the ICMP requests reach the F5 but then the F5 has no route to the internet and therefore does not know what to do (hence the traffic out of VS = 0 ?)
In such a case I would need a static route ? I created one as such :
Name Internet
Partition / Path Common
Description
Destination 0.0.0.0
Netmask 0.0.0.0
Resource Gateway Address 144.144.144.129
Now ping does not give any message anymore (at least I don't have the "Destination Net Unreachable" anymore). tcpdump shows that only the ICMP requests arrive (now displaying the /Common/IP_Forwarding_any VS name for each and every ICMP request, which was not the case before) :
[admin@f5g03:Active] ~ tcpdump -i 0.0 -vv host 10.21.1.67|grep ICMP
tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:03:09.801031 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 40)
10.21.1.18 > 10.21.1.67: ICMP echo request, id 29803, seq 61240, length 20 out slot1/tmm0 lis=
12:03:09.801351 IP (tos 0x0, ttl 64, id 5304, offset 0, flags [none], proto ICMP (1), length 40)
10.21.1.67 > 10.21.1.18: ICMP echo reply, id 29803, seq 61240, length 20 in slot1/tmm0 lis=
12:03:09.869465 IP (tos 0x0, ttl 64, id 35972, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f35.1e100.net: ICMP echo request, id 51313, seq 3142, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
12:03:10.869492 IP (tos 0x0, ttl 64, id 36196, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f35.1e100.net: ICMP echo request, id 51313, seq 3143, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
12:03:11.869374 IP (tos 0x0, ttl 64, id 36369, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f35.1e100.net: ICMP echo request, id 51313, seq 3144, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
12:03:12.869384 IP (tos 0x0, ttl 64, id 36374, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f35.1e100.net: ICMP echo request, id 51313, seq 3145, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
12:03:13.869423 IP (tos 0x0, ttl 64, id 36616, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f35.1e100.net: ICMP echo request, id 51313, seq 3146, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
Statistics of the VS again show traffic IN but not OUT. Here I am sure it goes through my IP forwarding VS, but I don't receive the answer, which means I need to further investigate on the FW/gateway side, I guess. Now let's have a look at case 2 ....
Case 2 : the IP forwarding VS has the destination IP :
ltm virtual IP_Forwarding_any {
destination 216.58.198.35:any
ip-forward
mask 255.255.255.255
profiles {
fastL4 { }
}
source 10.21.1.67/32
source-address-translation {
type automap
}
translate-address disabled
translate-port disabled
vs-index 28
}
Ping works fine :
root@chgva-srv-smt02:~ ping www.google.fr
PING www.google.fr (216.58.198.35) 56(84) bytes of data.
64 bytes from mil04s04-in-f35.1e100.net (216.58.198.35): icmp_seq=1 ttl=255 time=0.172 ms
64 bytes from mil04s04-in-f35.1e100.net (216.58.198.35): icmp_seq=2 ttl=255 time=0.356 ms
tcpdump looks fine :
[admin@f5g03:Active] ~ tcpdump -i DMZ-intern -vv host 10.21.1.67|grep ICMP
tcpdump: listening on DMZ-intern, link-type EN10MB (Ethernet), capture size 65535 bytes
11:10:58.907658 IP (tos 0x0, ttl 64, id 36299, offset 0, flags [DF], proto ICMP (1), length 84)
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 11, length 64 in slot1/tmm0 lis=
11:10:58.907691 IP (tos 0x0, ttl 255, id 1298, offset 0, flags [DF], proto ICMP (1), length 84)
mil04s04-in-f3.1e100.net > 10.21.1.67: ICMP echo reply, id 51313, seq 11, length 64 out slot1/tmm0 lis=
Very surprisingly to me :
1) the VS statistics remain stuck at 0
2) ping works fine (without any route)
That would mean the traffic goes some other way, without my IP forward VS, but what is more than strange is that the ping starts working fine as soon as I set the proper Google destination IP in this same IP forward VS ???????
More than thanks if one of you keeps on trying to help me
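One way to tally captures like the ones in the post above, as an added example that is not part of the original thread: it reads the in/out ... lis= trailer that tcpdump on the F5 appends to each packet and reports, per virtual server name, how many echo requests from the client were accepted, seen leaving again, and answered. The function name, the "(no listener)" label and the choice of sample lines are this example's own.

```python
import re
from collections import defaultdict

# Detail line of tcpdump -vv on the F5, with the TMM trailer seen in the post:
#   <src> > <dst>: ICMP echo request, id N, seq N, length N in|out slot1/tmm0 lis=<VS>
ECHO = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+"
    r"(?: (?P<dir>in|out) \S+ lis=(?P<lis>\S*))?")
UNREACH = re.compile(r"\S+ > (?P<dst>\S+): ICMP (?:net|host) \S+ unreachable")

def report(lines, client):
    """Per listener: echo requests from client accepted, seen out, answered."""
    flows = defaultdict(lambda: {"lis": None, "out": False, "reply": False})
    unreachable = 0
    for line in lines:
        m = ECHO.search(line)
        if m:
            key = (int(m["id"]), int(m["seq"]))
            if m["kind"] == "request" and m["src"] == client:
                if m["dir"] == "out":
                    flows[key]["out"] = True              # left the box again
                else:
                    flows[key]["lis"] = m["lis"] or None  # VS that accepted it
            elif m["kind"] == "reply" and m["dst"] == client:
                flows[key]["reply"] = True
        elif (u := UNREACH.search(line)) and u["dst"] == client:
            unreachable += 1                              # error sent to client
    table = defaultdict(lambda: {"requests": 0, "forwarded": 0, "answered": 0})
    for f in flows.values():
        row = table[f["lis"] or "(no listener)"]
        row["requests"] += 1
        row["forwarded"] += int(f["out"])
        row["answered"] += int(f["reply"])
    return dict(table), unreachable

# Detail lines copied from the three captures in the post above.
SAMPLE = """\
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2234, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
10.21.1.18 > 10.21.1.67: ICMP net mil04s04-in-f3.1e100.net unreachable, length 36
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 2234, length 64 out slot1/tmm0 lis=
10.21.1.18 > 10.21.1.67: ICMP echo request, id 29803, seq 61240, length 20 out slot1/tmm0 lis=
10.21.1.67 > 10.21.1.18: ICMP echo reply, id 29803, seq 61240, length 20 in slot1/tmm0 lis=
10.21.1.67 > mil04s04-in-f35.1e100.net: ICMP echo request, id 51313, seq 3142, length 64 in slot1/tmm0 lis=/Common/IP_Forwarding_any
10.21.1.67 > mil04s04-in-f3.1e100.net: ICMP echo request, id 51313, seq 11, length 64 in slot1/tmm0 lis=
mil04s04-in-f3.1e100.net > 10.21.1.67: ICMP echo reply, id 51313, seq 11, length 64 out slot1/tmm0 lis=
""".splitlines()
if __name__ == "__main__":
    print(report(SAMPLE, "10.21.1.67"))
```

The F5's own echo request to 10.21.1.67 (id 29803) is left out of the tally because only requests sourced from the client are tracked.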
Some more ideas for tests:
Can you ping Google from the F5? If so, which VLAN is used for outgoing requests, and did those requests go back via the same VLAN?
Can you check routing using ip route get [google IP - 216.58.198.35]
What about other types of connections from Linux - can you reach any site on the Internet - for example using curl -k https://www.google.fr -v
If not, what is in the trace on the F5? Did the F5 send RST packets to Linux? If so you can try:
tmsh reset-stats net rst-cause
then
watch -n 1 tmsh show net rst-cause
Repeat the connection using curl and look at what reasons for reset are listed by the previous command.
To be honest, it's a very basic setup that I did hundreds of times before and never had an issue. Very mysterious.
If you can, as a last resort reboot the F5 - to be honest, more than once I have had a situation when something did not work but should - magically after a reboot it started - especially on VE.
Piotr