Forum Discussion

chris_connell_1
Aug 23, 2011

Virtual server not getting hits, irules not processed.

Hi

I have the following virtual servers:

VIRTUAL ip:port     |---In----Out---Conn-|---In----Out---Conn-|-Nodes Up--
1.2.3.5:fud              0      0      0      0      0      0      16
none:webcache            0      0      0      0      0      0      16
none:https               0      0      0      0      0      0      16
none:http                0      0      0      0      0      0      16
none:imap                0      0      0      0      0      0      16
none:pop3                0      0      0      0      0      0      16
none:smtp                0      0      0      0      0      0      16
172.27.179.245:any       0      0      0      0      0      0      2

The 172.27.179.45 is not getting any hits at all even though a ping shows requests are coming in and the address is replying:

[root@cmansfieldf51102:Active] log tcpdump -i 0.0 host 172.27.179.245
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
17:54:07.053422 IP 172.27.179.51 > 172.27.179.245: ICMP echo request, id 16, seq 0, length 44
17:54:07.053430 IP 172.27.179.245 > 172.27.179.51: ICMP echo reply, id 16, seq 0, length 44

I have this irule on the virtual server:

when CLIENT_ACCEPTED {
    log local0. "The IP Protocol is [IP::protocol]"
}

But nothing is logged.

I have identical config on another F5 (except for IP addresses) and it's working.

Also I noticed when the virtual server is defined with a network address, 172.27.179.240 / 255.255.255.248, it does not reply when it should do. Only when it's configured as a host virtual server does it reply, but still bigtop reports no stats and the irules do not fire.

I tried exporting/importing the config and bigstart restart but no change.

Any ideas?

7 Replies

  • If you define a network virtual server, ARP is disabled by default as you are typically using the virtual server to forward traffic and do not want LTM answering ARP for the range.

    What are you trying to do with the virtual server? If you want to accept traffic for 172.27.179.240 as a host, you should either add a new virtual server of 172.27.179.240 as a host or change the existing virtual server to a host.

    Aaron
  • Thanks Aaron.

    I have it defined as a host with specifically the IP:

    172.27.179.245

    I see icmps to this virtual server host IP.

    Bigtop stats show zero requests though and irules are not processed.
  • Can you post the anonymized output from 'b virtual VS_NAME list' and 'b virtual address 1.1.1.1 show' updating VS_NAME and 1.1.1.1 to your virtual server name and IP?

    Thanks, Aaron
  • Sure, here it is:

    virtual my_server {
       snat automap
       pool ingress
       destination 1.1.1.1:any
       rules log_irule
       vlans vlan_South enable
    }

    b virtual my_server show
    VIRTUAL ADDRESS 1.1.1.1 UNIT 1
    | ARP enable
    | (cur, max, limit, tot) = (0, 0, 0, 0)
    | (pkts,bits) in = (0, 0), out = (0, 0)
    +-> VIRTUAL my_server SERVICE any
    | PVA acceleration none
    | (cur, max, limit, tot) = (0, 0, 0, 0)
    | (pkts,bits) in = (0, 0), out = (0, 0)
    | requests (total) = 0
    +-> RULE log_irule
    +-> CLIENT_ACCEPTED 0 total 0 fail 0 abort
    +-> POOL ingress LB METHOD round robin MIN/CUR ACTIVE MEMBERS 0/1
    | (cur, max, limit, tot) = (0, 0, 0, 0)
    | (pkts,bits) in = (0, 0), out = (0, 0)
    +-> POOL MEMBER pool-csm-ingress/172.8.2.4:any active,up
    | | session enabled priority 0 ratio 1
    | | (cur, max, limit, tot) = (0, 0, 0, 0)
    | | (pkts,bits) in = (0, 0), out = (0, 0)
    | | requests (total) = 0
    +-> POOL MEMBER pool-csm-ingress/172.8.2.7:any inactive,down
    | session enabled priority 0 ratio 1
    | (cur, max, limit, tot) = (0, 0, 0, 0)
    | (pkts,bits) in = (0, 0), out = (0, 0)
    | requests (total) = 0
  • What protocol(s) are you trying to allow through?

    Are you testing from a client on the vlan_South vlan? Can you try testing with curl (assuming this is HTTP)? Or netcat if it's a generic TCP app:

    curl -v http://1.1.1.1/

    nc 1.1.1.1 PORT

    Aaron
  • We are passing ICMP through; basically it's an ICMP healthcheck which is forwarded to 2 servers.

    I also tried making the virtual server more specific by putting "1" in the 'other' field instead of any.
  • Sorry, to answer your question: there are continuous pings coming in on the vlan_south vlan to the virtual server IP; these are coming from a probe address.