Forum Discussion
Virtual Server IP address on F5 not accessible outside of the F5 itself???
I have two lab F5s running in AWS as a prototype lab. The 1st F5, which I am calling the external F5, currently can route HTTP to an inner web server which goes through to an app server, and I have this set up for a couple of applications/services. Now I have built the 2nd F5 as an internal F5; this internal F5 I am looking to use as an internal load balancer for app traffic. I have set up virtual servers and monitors which all work OK on this F5 outbound to the app layer.

The issue I have is that the virtual server IP addresses I have defined are NOT accessible outside of this internal F5?? I have several subnets set up within AWS, and the internal F5 has an interface on a subnet for incoming traffic from the external F5 (10.0.6.x) and an interface on the application subnet (10.0.2.x). So for example, the external i/f is 10.0.6.222 for the internal F5; I defined a virtual server on this F5 at 10.0.6.224 which connects up to a back end app server (say 10.0.2.118) OK - i.e. I have a monitor associated to the pool member for this VS which is GREEN. Yet on another server on the SAME 10.0.6.x subnet I can't ping 10.0.6.224... but I can ping the 10.0.6.222 address. From the external F5 I also can ping the 10.0.6.222 address but not the 10.0.6.224... ?!?!?

There must be something obvious which is causing this but I can't for the life of me figure out what? The external F5 has a similar setup, yet I can ping the IP addresses of the virtual servers defined on this F5 OK... Both F5s are running version 11.5.4. Any suggestions of where to look for resolving this??? Many thanks, Neil
10 Replies
- patleen79_29842
Nimbostratus
Hi,
you have to use automap or snat_pool.
Regards, Pat
- Kevin_Davies_40
Nacreous
It would probably help if you added a diagram. Without topology it's a bit difficult.
- Kevin_Davies_40
Nacreous
You said the internal virtual servers all work fine outbound to the app layer. Does this mean they are listening on the internal interface? If that's the case then they would not be accessible from the external network. A topology diagram and `tmsh list ltm virtual` output would be useful.
- patleen79_29842
Nimbostratus
And can you ping the server FROM the F5?
- Ashish_Chakrava
Nimbostratus
Please paste the topology so it will be easy for everyone.
- Neil_Marks
Nimbostratus
See the comment to the answer below... topology diagram included...
- Neil_Marks
Nimbostratus
OK - so further investigation has highlighted where the problem lies, I think. The web server has an n/w interface on the 10.0.6.x subnet... and this web server has some additional virtual IP addresses which it manages. What appears to have occurred is that at the ARP layer, the existing servers on the 10.0.6.x subnet attempt to route traffic for the 10.0.6.224 address to the n/w interface on the web server - this is seen by looking at the ARP output on each of the servers... only the internal F5 shows the MAC address of the interface on the F5???
Next question is to understand why this scenario is happening...
- patleen79_29842
Nimbostratus
So,
please check the L2 switch port and MAC address table! Please check the L3 router and ARP table. Do you have port lockdown on any port of the F5?
And try a tcpdump: `tcpdump -e -A -s 500 -i any arp`
- Neil_Marks
Nimbostratus
Well it turns out I missed a step in the internal LTM setup - adding the virtual ip address to the required network interface via the AWS console! DOH... Issue resolved.
- Neil_Marks
Nimbostratus
Don't forget to add the VIP to the n/w interface via the AWS console!!!
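The step Neil missed is that AWS only delivers traffic for a VIP to the BIG-IP instance when that address is also assigned to the F5's ENI in the same subnet (the "add the VIP to the network interface" console step), so the LTM configuration alone is not enough. The following added check, which is example code and not from the thread or F5, compares the virtual addresses an LTM reports against the private IPs on its ENIs and flags the ones the VPC cannot route; the tmsh output and the ENI records are constructed samples, and the ENI shape is simplified from `describe-network-interfaces` (the real API gives a SubnetId rather than a CIDR).

```python
import ipaddress
import re

# Constructed sample of `tmsh list ltm virtual-address` on the internal F5.
# 10.0.6.224 is the VIP from the thread; 10.0.6.225 is a correctly set up one.
TMSH_VIRTUAL_ADDRESSES = """
ltm virtual-address 10.0.6.224 {
    address 10.0.6.224
    mask 255.255.255.255
}
ltm virtual-address 10.0.6.225 {
    address 10.0.6.225
    mask 255.255.255.255
}
"""

# Constructed ENI records for the internal F5 (simplified shape: SubnetCidr is
# added here for the check; 10.0.6.222 is the self IP on the external-facing ENI).
ENIS = [
    {"NetworkInterfaceId": "eni-EXAMPLE6", "SubnetCidr": "10.0.6.0/24",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.6.222", "Primary": True},
                            {"PrivateIpAddress": "10.0.6.225", "Primary": False}]},
    {"NetworkInterfaceId": "eni-EXAMPLE2", "SubnetCidr": "10.0.2.0/24",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.50", "Primary": True}]},
]

def parse_virtual_addresses(tmsh_text):
    """Pull the 'address' values out of tmsh virtual-address output."""
    return sorted(set(re.findall(r"^\s*address\s+(\S+)", tmsh_text, re.M)))

def unroutable_vips(vips, enis):
    """Map each VIP the VPC will not deliver to the F5 to the reason.
    A VIP is reachable only if an F5 ENI sits in its subnet AND the VIP is
    one of that ENI's assigned private IPs (the console step from the thread)."""
    problems = {}
    for vip in vips:
        addr = ipaddress.ip_address(vip)
        eni = next((e for e in enis
                    if addr in ipaddress.ip_network(e["SubnetCidr"])), None)
        if eni is None:
            problems[vip] = "no F5 ENI in this subnet"
        elif vip not in {p["PrivateIpAddress"] for p in eni["PrivateIpAddresses"]}:
            problems[vip] = "not assigned on " + eni["NetworkInterfaceId"]
    return problems

if __name__ == "__main__":
    for vip, why in unroutable_vips(parse_virtual_addresses(TMSH_VIRTUAL_ADDRESSES), ENIS).items():
        print(vip, "->", why)  # 10.0.6.224 -> not assigned on eni-EXAMPLE6
```

Running the same check after each LTM change catches the ARP symptom Neil observed before it reaches the data path: a VIP the VPC does not know about never gets answered by the F5, whatever the pool monitor says.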