For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mr_evil_116524's avatar
mr_evil_116524
Icon for Nimbostratus rankNimbostratus
Mar 23, 2017

Unable to browse to the internet from F5 CLI

Hi There,

 

I am trying to setup F5 VE in ESXi host. Version of F5 VE I am using is VE 13.0. Issue that I am having right now is from F5 CLI I am unable to get out on the Internet i.e. unable to Telnet to say 8.8.8.8 443.

 

Error that I am getting is No host to route.

 

In my ESXi host I have standard vSwitch with two NIC public and private. I have assigned the right public to F5 external interface, created a default gateway and a selfIP with allowed port default. However I am still unable to get on the Internet from the F5.

 

Is there something I am missing?

 

Any help will be highly appreciated

 

Thanks

 

BIG-IP Access Policy Manager (APM)
devops
LTM

7 Replies

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Mar 23, 2017

    Have you configured route on the device ? Can you ping the 8.8.8.8 IP address ?

     

    • Sergi_Munyoz_24's avatar
      Sergi_Munyoz_24
      Icon for Nimbostratus rankNimbostratus
      Mar 28, 2017

      Hi. Never tried to use vlans on VE, don't know if supported why don't you start with a simple config ? Management on eth0, public on eth1 and a private network pn eth2 f.ex. ? After it works then you can add vlans and maybe question will be answered itself What I can give you is a sample routing table of my VE (simple deployment like previous example)

       

      Destination Gateway Genmask Flags Metric Ref Use Iface 127.1.1.0 * 255.255.255.0 U 0 0 0 tmm 192.168.112.0 * 255.255.255.0 U 0 0 0 internal 192.168.113.0 192.168.112.127 255.255.255.0 UG 0 0 0 internal 192.168.113.0 * 255.255.255.0 U 0 0 0 eth0 192.168.111.0 * 255.255.255.0 U 0 0 0 external 127.7.0.0 tmm-shared 255.255.0.0 UG 0 0 0 tmm 127.20.0.0 * 255.255.0.0 U 0 0 0 tmm_bp default 192.168.111.127 0.0.0.0 UG 0 0 0 external default 192.168.113.183 0.0.0.0 UG 9 0 0 eth0

       

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Mar 28, 2017

    Hi,

     

    In F5, Network adapters mapping is:

     

    • VMware Net Adapter 1 : F5 Mgmt
    • VMware Net Adapter 2 : F5 1.1
    • VMware Net Adapter 3 : F5 1.2
    • VMware Net Adapter 4 : F5 1.3

    In VMware, vlan tagging in VM is only supported is vSWITCH is defined with a VLAN ID 4095

     

    Look at this documentation:

     

    https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004252

     

    F5 VE does not support Trunks (link aggregation). this feature is only supported on hardware appliances.

     

  • Sergi_Munyoz_24's avatar
    Sergi_Munyoz_24
    Icon for Nimbostratus rankNimbostratus
    Mar 29, 2017

    create /net route 10.0.0.0/8 gw 10.xx.xx.193

     

    Maybe is a problem with mask... /8 seems to overlap with

     

    tmsh create net self Internal address 10.xx.xx.245/26

     

    Or directly a problem with vlans and interfaces as Stanislas says

     

    • mr_evil_116524's avatar
      mr_evil_116524
      Icon for Nimbostratus rankNimbostratus
      Mar 30, 2017

      Looks like I have manged to this working - Thanks to you all for your inputs, I am able to ping the Internal Private vlANs.

      Why did I have all these confusions? Unfortunately I am helping a site without much knowledge about the network (remotely helping out).

      Working config

      Start all over again after re-importing the OVF file, assigned right v NIC ( only have two physical nics, Private trunked at the router, Public nic ) MGMT, Internal and HA assigned with Private and External with public

      Assigned MGMT IP to the F5 VE

      GUI into F5 using MGMT IP, activate license and installed additional modules.

      Create vLANs as follows:

      vLAN_Private_1 assigned to int 1.1
vLAN_Private_2 assigned to int 1.1
vLAN_External_1 assigned to int 1.2
vLAN_Others_1 assigned to int 1.3 ----> technically this isn't in use

      Create selfIP for Private vLANs

      vLAN_Private_1_selfIP 10.xxx.xxx.66/27 vLAN_Private_1 port lockdown default
vLAN_Private_2_selfIP 10.xxx.xxx.226/27 vLAN_Private_2 port lockdown default
vLAN_External_2_selfIP xxx.xxx.xxx.124/28 vLAN_Extrenal_1 port lockdown none

      At this point I am able to ping vLAN_Private_1 and vLAN_Private_2 from F5 CLI

      Create VIPs for internal network to get to vLAN_Private_1 and vLAN_Private_2 - this is important to have else wont be able to ping from outside F5 into F5, and this will also allow to get to f5 MGMT portal

      Internal_traffic_1 

      src 10.0.0.0/8 dst 10.xxx.xxx.64/27 enable vlan vLAN_Private_1

      Internal_traffic_2 

      src 10.0.0.0/8 dst 10.xxx.xxx.224/27 enable vlan vLAN_Private_2

      At this point I was able to ping 10.xxx.xxx.66 and 10.xxx.xxx.226 from MGMT network i.e. 10.xxx.xxx.218 - self_ip for each private vLANs, I also did a TCP dump to make sure that the traffic is getting into F5 from 10.xxx.xxx.218

      Now moving into external traffic out from F5

      Create default route 

      External_route src 0.0.0.0 mask 0.0.0.0 gw xxx.xxx.xxx.113

      At this point I have tried to ping the GW xxx.xxx.xxx.113 - I am unable to do so.

      Does anyone know how to resolve this?

      Thanks,