Forum Discussion
VS (forwarding layer 2) doesn't respond to syn from client
Hello Experts,
I have recently been preparing for a project in which I need to deploy a forwarding layer 2 VS. The topology is quite simple, as below:
client (win7): 10.128.20.99
pool: 10.128.20.11
As they're on the same subnet, I assigned them to vlan 100 (win7) and vlan 200 (pool), so that traffic from win7 will go through LTM and then to the pool member. The switch port facing LTM is set to 802.1q trunk.
The steps on LTM:
- create VLANs for client and pool
- bind these 2 VLANs to a vlan-group
- set a self IP 10.128.20.100 on the vlan-group
- create a forwarding layer 2 VS; the destination IP is set to the same as the real pool member (10.128.20.11)
However, the result is that I can ping 10.128.20.11 from win7 but cannot access it via HTTP. The ARP table on win7 shows the MAC address is that of LTM's tmm interface.
ping 10.128.20.11 -t

Pinging 10.128.20.11 with 32 bytes of data:
Reply from 10.128.20.11: bytes=32 time=2ms TTL=255
Reply from 10.128.20.11: bytes=32 time=1ms TTL=255
Reply from 10.128.20.11: bytes=32 time=3ms TTL=255
Reply from 10.128.20.11: bytes=32 time=2ms TTL=255
Reply from 10.128.20.11: bytes=32 time=2ms TTL=255
Reply from 10.128.20.11: bytes=32 time=2ms TTL=255

Ping statistics for 10.128.20.11:
    Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 2ms
From tcpdump on LTM, I can see the SYN was re-transmitted multiple times to LTM, but LTM didn't respond to it... It looks like an issue on the LTM side so far...
I also checked /var/log/ltm but nothing was shown there during the test. I would appreciate it if anyone could share some ideas on this case... I suspect it may be due to a common configuration issue, as the test is actually quite simple... Thanks a lot!
Here is my configuration snippet:
forwarding layer 2 vs:
ltm virtual /Common/f2 {
    destination /Common/10.128.20.11:80
    ip-protocol tcp
    l2-forward
    mask 255.255.255.255
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
vlan & vlan groups:
net vlan /Common/client-vlan {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 100
}
net vlan /Common/pool-vlan {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 200
}
net vlan-group /Common/vlan-group-1 {
    members {
        /Common/client-vlan
        /Common/pool-vlan
    }
}
self-ip:
net self /Common/vlan-group {
    address 10.128.20.199/24
    allow-service all
    traffic-group /Common/traffic-group-local-only
    vlan /Common/vlan-group-1
}
- gbam_190768 (Cirrus): Disable port and address translation. Let me know if that works.
- zack (Altostratus): Brilliant answer, @gbamm! After turning these two variables off, my forwarding virtual server is working like a charm. However, I have 2 questions: 1. What are the 2 variables controlling (translate-address & translate-port)? I created the layer 2 forwarding VS using mostly default settings. The VE is also a brand-new instance, so if these 2 options need to be off, I haven't seen any docs or KBs that mention that... (I may have missed some important docs...) 2. I am not sure whether these 2 variables can be adjusted in the GUI? I did that in tmsh but want to make sure which GUI fields they map to... Thanks again for saving my next few hours...
- gbam_190768 (Cirrus): When using a normal VS you want the F5 to change (translate) the destination IP to the destination node's IP (and port). In this case you didn't have one, as you wanted the F5 to route it. They should both be under the VS config, advanced options somewhere. I don't have a working VE up right now, otherwise I'd look, but it's in the GUI.
- zack (Altostratus): I just double-checked... When choosing the VS type "forwarding layer 2", these two options are masked... which means they cannot be set anywhere in the GUI (VE 12.0.0). When turning the VS type to standard, these two options are shown in the GUI: Address Translation and Port Translation. I am not sure whether this is by design or a defect... but it is confusing for people like me (as a newbie) :)
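A check for the condition this thread resolved, as an added example (not code from the thread or from F5): it scans tmsh-style configuration text like the snippet posted above for `l2-forward` virtual servers that have `translate-address` or `translate-port` explicitly enabled. The function names and the second sample stanza are assumptions made for illustration.

```python
# Added example: flag l2-forward virtual servers that still translate.
SAMPLE = (  # constructed: first stanza mirrors the thread, second is hypothetical
    "ltm virtual /Common/f2 { destination /Common/10.128.20.11:80 ip-protocol tcp "
    "l2-forward mask 255.255.255.255 profiles { /Common/fastL4 { } } "
    "source 0.0.0.0/0 translate-address enabled translate-port enabled }\n"
    "ltm virtual /Common/f2-fixed { destination /Common/10.128.20.11:80 "
    "ip-protocol tcp l2-forward mask 255.255.255.255 profiles { /Common/fastL4 { } } "
    "source 0.0.0.0/0 translate-address disabled translate-port disabled }\n"
)

def virtual_stanzas(config):
    """Yield (name, top_level_tokens) for each 'ltm virtual' stanza.

    Works on one-line or multi-line text; nested blocks such as 'profiles'
    are skipped by tracking brace depth."""
    tokens = config.replace("{", " { ").replace("}", " } ").split()
    i = 0
    while i < len(tokens) - 3:
        if tokens[i:i + 2] == ["ltm", "virtual"] and tokens[i + 3] == "{":
            name, depth, j, body = tokens[i + 2], 1, i + 4, []
            while j < len(tokens) and depth:
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                if depth == 1 and tokens[j] not in ("{", "}"):
                    body.append(tokens[j])
                j += 1
            yield name, body
            i = j
        else:
            i += 1

def forwarding_with_translation(config):
    """Return {virtual: [translation keys explicitly enabled]} for l2-forward
    virtuals. A key that is absent from the stanza is not flagged."""
    findings = {}
    for name, body in virtual_stanzas(config):
        if "l2-forward" not in body:
            continue
        enabled = [k for k in ("translate-address", "translate-port")
                   if k in body[:-1] and body[body.index(k) + 1] == "enabled"]
        if enabled:
            findings[name] = enabled
    return findings

if __name__ == "__main__":
    for name, keys in forwarding_with_translation(SAMPLE).items():
        print(f"{name}: l2-forward with {', '.join(keys)} enabled")
        print("  tmsh modify ltm virtual", name, *(f"{k} disabled" for k in keys))
```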