
Forum Discussion

jsilverius_2370
Dec 03, 2015

Unable to ping VIP from outside, but can ping it from F5

Hello, Let me start with saying this is my first time with F5 and I have very limited knowledge of networking too (yeah.. double whammy). So please help me with this (most likely) simple issue.

 

Here is my environment

 

I have an F5 virtual machine on ESX (version 11.3.0.39).

 

The management IP is using DHCP and it is set to 10.67.1.38. I can access the console with this IP from my laptop. No issues here. Virtual machine has 4 network adapters. All are VMXNET 3.

 

I have two vlans configured (internal -1.2 and external -1.1). I have two selfips configured - Internal - 10.1.1.1 and external - 12.1.1.1

 

I have a load balancing (or standard) VIP setup at 12.1.1.2 and it is on pool ccjboss (bigip.conf below). All the indicators are green. F5 can ping/connect to the nodes. Nodes can ping the F5's selfips (10.1.1.1 and 12.1.1.1). I can ping the VIP (12.1.1.2) from the F5, but not from anywhere else. I can't ping the VIP from my laptop, but I can ping 12.1.1.1 (same network). I can't ping the VIP from the nodes (but can ping 12.1.1.1). I tried to enable SNAT to automap, but that did not help either.

 

Any help will be great.

 

My bigip.conf

 

 

3 Replies

  • Hi, As a first diagnostic step, a tcpdump can help you see what is happening to your ping packets. Assuming that your laptop is in the 'external' vlan then in F5 run the following while pinging from your laptop:

    tcpdump -nni external icmp

    You should see packets in and out when the ping is OK.

  • Hi Amine, Thanks for your response. tcpdump for external did not produce any traffic. I did the same tcpdump for eth0 (the management adapter. This is used as gateway) and I can see responses. Looks like F5 is receiving the ping request but not responding back for 12.1.1.2. It is responding back to 12.1.1.1 (one of the self-ip). I also validated that ICMP is enabled for 12.1.1.2.

     

    • 10.67.1.38 is the mgmt IP
    • 10.67.3.55 is my laptop
    • 12.1.1.2 is the VIP
    • 10.67.1.43 is node1
    • 10.67.1.45 is node2

     

    (You also can see F5 is pinging node1 and node2 for health check).

     

    Tcpdump response -

     

  • Oh, there are some errors I didn't notice before:

     

    • Your nodes must reside in a different vlan than your mgmt interface, because this interface is dedicated to mgmt; it cannot handle tmm traffic, although monitoring nodes can use it, but this is not recommended.
    • The mgmt interface should not be used as a gateway for your network.

    To simplify, you should refine your configuration as follows (assuming you are using two-sided vlans, internal + external):

     

    1. Move your nodes to the internal vlan
    2. Test from a device coming from the external vlan.
    3. Dedicate mgmt interface to management only.
    4. Share the result :)
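
The tcpdump check from the first reply can be tallied instead of read by eye. The script below is an added example, not part of the original thread: it reads `tcpdump -nn` ICMP text on stdin and reports, per source/destination pair, how many echo requests were seen and how many were answered. The function names and the sample capture are constructed for illustration, using the addresses mentioned in the thread.

```bash
#!/bin/sh
# Added example (not from the thread): tally ICMP echo requests vs. replies
# in `tcpdump -nn ... icmp` text output read from stdin.

# Constructed sample capture; addresses are the ones named in the thread.
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 10.67.3.55 > 12.1.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.000301 IP 12.1.1.1 > 10.67.3.55: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000001 IP 10.67.3.55 > 12.1.1.2: ICMP echo request, id 8, seq 1, length 64
12:00:03.000001 IP 10.67.3.55 > 12.1.1.2: ICMP echo request, id 8, seq 2, length 64
EOF
}

# Prints one line per flow: "<src> <dst> <requests> <replies> <status>".
icmp_summary() {
  awk '
    / ICMP echo (request|reply),/ {
      src = dst = id = seq = ""
      for (i = 2; i < NF; i++) {
        if ($i == ">")   { src = $(i-1); dst = $(i+1); sub(/:$/, "", dst) }
        if ($i == "id")  { id  = $(i+1); sub(/,$/, "", id) }
        if ($i == "seq") { seq = $(i+1); sub(/,$/, "", seq) }
      }
      if (src == "" || id == "" || seq == "") next
      if ($0 ~ /echo request,/) {
        key = src " " dst " " id " " seq
        # Count each request once, even if the capture shows it twice.
        if (!(key in asked)) { asked[key] = 1; sent[src " " dst]++ }
      } else {
        # A reply travels dst -> src; swap to find the request it answers.
        key = dst " " src " " id " " seq
        if ((key in asked) && !(key in answered)) { answered[key] = 1; got[dst " " src]++ }
      }
    }
    END {
      for (flow in sent) {
        r = got[flow] + 0
        status = (r == 0) ? "NO-REPLY" : ((r < sent[flow]) ? "PARTIAL" : "OK")
        printf "%s %d %d %s\n", flow, sent[flow], r, status
      }
    }
  ' | sort
}

# Live use would be e.g.: tcpdump -nni external -c 20 icmp | icmp_summary
sample_capture | icmp_summary
```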