Forum Discussion
unable to ping VIP from server with the F5 as the DGW
- Jul 07, 2023
so if it was suggested and I didn't see it I apologize. The fix for me was to go to the virtual server that I was trying to access from the host network (10.1.228.x) which used the F5 as its gateway and add the VLAN to the VLAN and tunnels section. It only had the ext vlan present and when I created the new network and new vlan (int_vlan) I needed to add it to that in order for it to connect to the VIPs.
hi Tim_Patrick do you have a forwarding (layer 3) virtual server configured? if you do, can you share details of that configuration?
if you do not, then this could be a factor. if you need some additional background on setting up a forwarding virtual server then this is a good reference:
https://packetpushers.net/stateless-routing-f5-ltm/
also, check if your protocol is set to "all protocols" and not just tcp or udp on the forwarding vservers. this will prevent icmp (ping) packets from getting thru if not set to all protocols.
besides using SNAT (auto map is one option, or you can create a SNAT pool), you might also consider leaving SNAT off for this "routed" traffic and create a return route (either static route on the 10.1.216.113 server, with a gateway of 10.1.216.10 for the 10.1.228.0/24 network... or if you have the option to set the route on a router that the 10.1.216.x network is using?)... you could still use SNAT on virtual servers handling specific traffic that you are reverse proxying or load balancing, but for traffic that is "routing" thru the F5 you might find it easier (long term) to preserve real IP thru the device.
we are extensively using "inline" F5's where it is either the default gateway (floating self IP as you are) or using the zebos routing with OSPF or BGP to establish the routes, and forwarding virtual servers (without SNAT)... this is on i5800 hardware with 10G and 40G interfaces... acting as a "stateless" router for all traffic, and specific services load balanced / reverse proxied... so the concept you are trying to accomplish is definitely do-able... just may need to ensure your F5 is ready to forward the packets (needs a "listener" aka forwarding virtual server) and routes (direct/connected, or static or dynamic, etc) and then even ICMP will pass thru without issue.
please share more details on your configuration, route tables, etc. and we should be able to get it working!
sorry I just reread your issue and my first response may not be on point... if I understand (more) correctly... it is just the VIPs and self IPs that you cannot ping?
is it just from the 10.1.228.x network that you cannot ping those 10.1.216.x VIP/selfIP? can you ping them from the 10.1.216.x network?
have you checked "Port Lockdown" on the self IP address properties (possibly set to default of "Allow None" and if so does "Allow All" work)?
and have you checked the VLAN(s) the VIPs are listening on?
here is a related possibility:
https://my.f5.com/manage/s/article/K3475
and a "forwarding (layer 3)" virtual server may still be needed, if not in place, so that the ping packets will "forward" thru from the interface acting as the gateway to the other interface(s) where the far end self IP or VIP is listening...
hopefully some of this helps... please provide some additional configuration details, as we do have similar in place and working so I think we can get it working.
- Tim_Patrick, Jul 07, 2023, Altostratus
Wtwiggs, thanks for the response, I have included a file with a summary and screenshots of what I am experiencing. I did double check the port lockdown and it is set to allow all.
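The two checks that came up in this thread (is the virtual server enabled on the VLAN the client arrives on, and is a forwarding virtual server restricted to one protocol) can be run over a configuration listing. This is an added example, not code from any participant in the thread or from F5; the stanza format is a simplified, constructed sample, `vs_app` and `vs_forward` are hypothetical names, and a missing `ip-protocol` line is assumed to mean all protocols.

```python
import re

# Constructed sample, modeled on a virtual server listing (not device output).
# vs_app / vs_forward are hypothetical; no ip-protocol line is assumed to mean "any".
SAMPLE = """\
ltm virtual vs_app {
    ip-protocol tcp
    vlans {
        ext_vlan
    }
    vlans-enabled
}
ltm virtual vs_forward {
    ip-forward
    ip-protocol tcp
}
"""

def parse_virtuals(text):  # returns {name: settings} per "ltm virtual" stanza
    virtuals, cur, in_vlans = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        start = re.match(r"ltm virtual (\S+) \{$", line)
        if start:
            cur = virtuals[start.group(1)] = {
                "vlans": set(), "mode": "all", "proto": "any", "forward": False}
        elif cur is None or not line:
            continue
        elif line == "vlans {":
            in_vlans = True
        elif line == "}":
            if in_vlans:
                in_vlans = False   # end of the vlans list
            else:
                cur = None         # end of the virtual server stanza
        elif in_vlans:
            cur["vlans"].add(line)
        elif line in ("vlans-enabled", "vlans-disabled"):
            cur["mode"] = line.split("-")[1]
        elif line == "ip-forward":
            cur["forward"] = True
        elif line.startswith("ip-protocol "):
            cur["proto"] = line.split()[1]
    return virtuals

def audit(text, source_vlan):  # (virtual, problem) pairs for traffic from source_vlan
    findings = []
    for name, vs in sorted(parse_virtuals(text).items()):
        listed = source_vlan in vs["vlans"]
        if (vs["mode"] == "enabled" and not listed) or (vs["mode"] == "disabled" and listed):
            findings.append((name, "not listening on " + source_vlan))
        if vs["forward"] and vs["proto"] != "any":
            findings.append((name, "forwarding limited to " + vs["proto"] + ", ICMP not matched"))
    return findings
```

Calling `audit(SAMPLE, "int_vlan")` reports both conditions discussed above; the same check is useful in reverse when reviewing which VLANs a virtual server is exposed on.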