Forum Discussion

Tim_Patrick's avatar
Tim_Patrick
Icon for Altostratus rankAltostratus
Jun 28, 2023

unable to ping VIP from server with the F5 as the DGW

In our current setup, we have a cluster of servers that utilize the F5 load balancer as their default gateway. This load balancer operates as a high availability (HA) pair, with the default gateway s...
application delivery
  • Tim_Patrick's avatar
    Tim_Patrick
    Jul 07, 2023

    so if it was suggested and I  didnt see it I  apoligize. The fix for me was to go to the virtual server that I  was trying to access from the host nework (10.1.228.x) which used the F5 as its gateway and add the VLAN to the VLAN and tunnels section. it only had the ext vlan present and when I  created the new network and new vlan (int_vlan) I  needed to add it to that in order for it to connect to the VIPS

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Jun 28, 2023

Hi Tim_Patrick , 
First don't rely on Ping/ICMP in your test , as F5 Bigip will reply to your Ping/ICMP packets if the Server B UP and will not forward traffic to server B itself.

I see you are trying to test reachability from Server A to Server B . 
also you mentioned that VIP subnet 10.1.216.X can be reached from elsewhere. ( please test this by taking TCPdump on your Active F5 Bigip unit ) that Server A can reach well to bigip. 

>> Second thing , you need to configure ( SNAT Auto map on Virtual server setting ( 10.1.216.113 ) ) as you said , Bigip is not the default gateway for Server B I guess. 
Make sure Bigip can reach to servers which hosted by this ( VIP = 10.1.216.113 ) Ping this server from F5 bigip itself . to identify more where the issue exists. 

Take this Pcap , and share the capture with me for further investigation if this available with you >> 

tcpdump -nnnveti 0.0:nnnp host 10.1.228.27 -s0 -S -w /var/log/TEST_PCAP.pcap

Take it through F5 bigip bash while trying to access server B VIP. 
Please send your virtual server configuration as well to have a look. 

Thanks 🙂 

  • Tim_Patrick's avatar
    Tim_Patrick
    Icon for Altostratus rankAltostratus
    Jun 29, 2023

     

    Mohamed, thanks for the reply.
    To clarify the VIP 10.1.216.113 can be accessed across all networks in our environment except for 10.1.228.x which sits behind the F5, the same F5 that is hosting the 10.1.216.x network
     
     
     

    you need to configure ( SNAT Auto map on Virtual server setting ( 10.1.216.113 ) )  Automap is configured for this VIP and all VIPS in the 10.1.216.x network(VIP range)

    devices in the 10.1.228.x network are unable to access devices in the 10.1.216.x range. The F5 is the default gateway.

    so for the traffic flow, when ServerA sends the traffic 10.1.216.113 it will got the F5, the same F5 where the VIP resides. The VIP is configured with Automap so when the servers in the VIP pool respnd it shoud go back through the F5 and not out an external router 

    The F5 itself can ping the server from the 10.1.228.3 address

    config # ping -I 10.1.228.3 10.1.216.113

    PING 10.1.216.113 (10.1.216.113) from 10.1.228.3 : 56(84) bytes of data.

    64 bytes from 10.1.216.113: icmp_seq=1 ttl=255 time=0.197 ms

    64 bytes from 10.1.216.113: icmp_seq=2 ttl=255 time=0.285 ms

    but other devices in that same network are unable to access any network services in the 10.1.216.x network. They are able to access everything on the network out side of 10.1.216.x

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP
      Jun 29, 2023

      Tim_Patrick Would you be able to provide either screencaptures or CLI output for the virtual servers (VS) in question? Sometimes a VS will not respond on a certain IP if you have it listening only on certain VLANS but without your configuration it makes it a bit difficult to figure out what your issue might be. As Mohamed_Ahmed_Kansoh mentioned, if you do not enable SNAT automap or SNAT pool list your traffic balancing to the servers in that segment that doesn't have the F5 as the default gateway will not work. You might receive a bit more helpful information for troubleshooting using a tcpdump for your traffic that you are generating. The nice thing about the tcpdump that Mohamed_Ahmed_Kansoh provided is when you open it in wireshark it will show you what VS you are bound to and what interfaces your traffic traverses from source to destination.

      • whisperer's avatar
        whisperer
        Icon for MVP rankMVP
        Jul 07, 2023

        You had the solution hidden in there 🙂

        " Sometimes a VS will not respond on a certain IP if you have it listening only on certain VLANS but without your configuration it makes it a bit difficult to figure out what your issue might be."

        Paulius 

    • Mohamed_Ahmed_Kansoh's avatar
      Mohamed_Ahmed_Kansoh
      Icon for MVP rankMVP
      Jun 29, 2023

      Hi Tim_Patrick , 

      Don't try the ICMP from Server A to VIP 10.1.216.113 , because f5 bigip will reply and won't forward icmp traffic to server B. 

      What is the service of Server B ? HTTP , FTP , .... 

      Like Paulius said >>> we need to see the VIP configuration as well as try to share with us the TCPdump output to see the flow of the traffic while testing the connection from server A to B , and try to use Telnet , not Ping/ICMP protocol. 

      Paulius  said good hint , the allowed Vlans in the virtual server >> check it or change it to ( Enabled in ALL Vlans ) as a troublrshooting step till you put the correct VLAN which this VIP should listen.