unable to ping VIP from server with the F5 as the DGW

Question

In our current setup, we have a cluster of servers that utilize the F5 load balancer as their default gateway. This load balancer operates as a high availability (HA) pair, with the default gateway set to the floating IP of the F5 device. Additionally, on this very same F5 load balancer, there exists another subnet hosting virtual IPs for other servers within the network, where the F5 is not configured as the default gateway.

The issue at hand is that the servers utilizing the F5 as their gateway are encountering difficulties in reaching the IP addresses within the other subnet on the same F5 device. Specifically, they are unable to establish connectivity via ping to either the virtual IPs or the self IPs of the devices located in the other subnet.

The VIPs in the 10.1.216.x network are reachable everywhere else.

ping 10.1.216.113

Pinging 10.1.216.113 with 32 bytes of data:
Request timed out.
Reply from 10.1.228.3: Destination host unreachable.
Request timed out.
Reply from 10.1.228.3: Destination host unreachable.

Ping statistics for 10.1.216.113:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),

ping 10.1.216.10

Pinging 10.1.216.10 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.1.216.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ping 10.1.216.11

Pinging 10.1.216.11 with 32 bytes of data:
Reply from 10.1.216.11: bytes=32 time<1ms TTL=254
Reply from 10.1.216.11: bytes=32 time<1ms TTL=254
Reply from 10.1.216.11: bytes=32 time=1ms TTL=254

Ping statistics for 10.1.216.11:

ping 10.1.216.12

Pinging 10.1.216.12 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.1.216.12:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Windows IP Configuration

Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.1.228.27
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.228.1

Any sugestions?

tim_patrick · Accepted Answer

so if it was suggested and I&nbsp; didnt see it I&nbsp; apoligize. The fix for me was to go to the virtual server that I&nbsp; was trying to access from the host nework (10.1.228.x) which used the F5 as its gateway and add the VLAN to the VLAN and tunnels section. it only had the ext vlan present and when I&nbsp; created the new network and new vlan (int_vlan) I&nbsp; needed to add it to that in order for it to connect to the VIPS

paulius · Answer

Tim_Patrick Would you be able to provide either screencaptures or CLI output for the virtual servers (VS) in question? Sometimes a VS will not respond on a certain IP if you have it listening only on certain VLANS but without your configuration it makes it a bit difficult to figure out what your issue might be. As Mohamed_Ahmed_Kansoh mentioned, if you do not enable SNAT automap or SNAT pool list your traffic balancing to the servers in that segment that doesn't have the F5 as the default gateway will not work. You might receive a bit more helpful information for troubleshooting using a tcpdump for your traffic that you are generating. The nice thing about the tcpdump that Mohamed_Ahmed_Kansoh provided is when you open it in wireshark it will show you what VS you are bound to and what interfaces your traffic traverses from source to destination.

whisperer · Answer

You had the solution hidden in there 🙂" Sometimes a VS will not respond on a certain IP if you have it listening only on certain VLANS but without your configuration it makes it a bit difficult to figure out what your issue might be."Paulius&nbsp;

tim_patrick · Answer

Wtwiggs, thanks for the response,&nbsp; I&nbsp; have included a file with a summary and screenshots of what I&nbsp; am experiencing. I&nbsp; did double check the port lockdown and it is set to allow all

whisperer · Answer

You are probably running into asyn routing. So definitely look into VIP bounceback:

https://community.f5.com/t5/technical-forum/vip-bounceback/td-p/189691

Sounds like the destination servers may be tryin to get back to the sources servers locally, rather than going through the F5. SNAT automap on the VIPs may help here as well.

mohamed_ahmed_kansoh · Answer

Hi&nbsp;Tim_Patrick&nbsp;,&nbsp;First don't rely on Ping/ICMP in your test , as F5 Bigip will reply to your Ping/ICMP packets if the Server B UP and will not forward traffic to server B itself.I see you are trying to test reachability from Server A to Server B .&nbsp;also you mentioned that VIP subnet 10.1.216.X can be reached from elsewhere. ( please test this by taking TCPdump on your Active F5 Bigip unit ) that Server A can reach well to bigip.&nbsp;&gt;&gt; Second thing , you need to configure ( SNAT Auto map on Virtual server setting ( 10.1.216.113 ) ) as you said , Bigip is not the default gateway for Server B I guess.&nbsp;Make sure Bigip can reach to servers which hosted by this ( VIP = 10.1.216.113 ) Ping this server from F5 bigip itself . to identify more where the issue exists.&nbsp;Take this Pcap , and share the capture with me for further investigation if this available with you &gt;&gt;&nbsp;
tcpdump -nnnveti 0.0:nnnp host 10.1.228.27 -s0 -S -w /var/log/TEST_PCAP.pcap
Take it through F5 bigip bash while trying to access server B VIP.&nbsp;Please send your virtual server configuration as well to have a look.&nbsp;Thanks 🙂&nbsp;

Forum Discussion

unable to ping VIP from server with the F5 as the DGW

10 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

BIGIP unable to send tcp/udp packets to syslog servers

Unable to access GUI

F5-OS Rseries. Asking about Ping command

F5 Distributed Cloud Origin Server Subset Rules

Unable to update device cert