For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

James_Price_485's avatar
James_Price_485
Icon for Nimbostratus rankNimbostratus
Jul 10, 2014

What happens to traffic sent to an ltm standby unit self ip address?

I need to test weather traffic will flow though and ltm unit that is in standby right now. It is version 10.2.4 1500 appliance Ive got a server behind the unit with its gateway point to the standby units self ip. I was wondering if a standby would even react to that traffic or how it would process it? I can't go active on this unit until a downtime several weeks away and was wondering weather testing could be done on the standby unit?

 

There is a snat setup on the ltm for the server that would handle the outgoing traffic.

 

Last time I made the standby active I could not reach outside networks. I could ping the gateway but dns would not work nor would ssh traffic go though. I got in this mess because I was trying to upgrade to 10.2.4 from 9.3.1. The path I took was from 9.3.1 to 10.0.0 to 10.2.4. Any ideas would be appreciated

 

application delivery
LTM

3 Replies

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jul 10, 2014

    a local self IP will respond in accordance with the allowed ports and protocols. A floating self IP will not respond on a standby because the active unit effectively "owns" that IP address and will arp on all requests for it.

     

    when you say you could not reach outside networks, was that in the immediacy of a failover, or did that behavior persist for more than a few minutes?

     

  • James_Price's avatar
    James_Price
    Icon for Nimbostratus rankNimbostratus
    Jul 10, 2014

    We never were able to reach the outside networks had to go back to the 9.3.1 unit.

     

    The self ip i connected to was not the floating ip. Heres the jist of what happened with my standby test. I could ping the gateway address or the self ip. tcpdumps revealed that the ssh session i used was actually redirected to the standby f5 so it went nowhere. I also tried an ssh session to the outside addresss from the standby unit and it went right though. Another thing i tried from the internal server was ssh to other internal servers and connections where taking 2min or more.

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jul 10, 2014

    looks to me that either a) the BIG-IP didn't issue the gratuitous arp at failover or b) the server (your test client) didn't get it. Regarding point 1, if you don't have a self IP on the vlan where your virtual server is bound, a gratuitous arp is not issued ( see solution 11880 )