Forum Discussion
What interface does the monitoring flow through?
I have a VE F5 v11.6 with LTM and I've created my VS, Pool, and Nodes with ICMP as my default monitor. As long as I don't use any other monitoring (http, https, tcp...) on my pools, everything works correctly; however, I don't see the status of the pools and VS because they show "unknown" due to no health monitoring. If I add any type of monitoring feature to my pool, the pool and VS flag as the red diamond and traffic stops.

I started to look into any possible problems and found that the ICMP traffic from the nodes' default monitor was being sent through my Management network and not through the traffic interface that I have set up for the F5. Do all of the monitoring features use the Management interface? I find it odd that the F5 wouldn't use the same interface that is sending the traffic from the clients to the nodes for its monitoring...

If the Management interface is the monitoring interface, can I change it? We have our network heavily locked down, and changing which interface the monitor uses to track the status of the pools would be easier than adding ACLs for all of the nodes through the FW.

Any assistance would be greatly appreciated. Thanks
3 Replies
- cjunior
Nacreous
Hi,
If the monitor is using the mgmt gateway, your traffic will fail even if the monitor state is up. You must create a route so that TMOS reaches the node via the traffic interface/VLAN (e.g. create the route in the menu: Network > Routes). If necessary, you can create a default route (0.0.0.0/0) to the traffic gateway, and by default it will have a lower metric than the management default route, so the traffic will go out through it instead of the default mgmt route. Consider that the BIG-IP uses the SelfIP to monitor and the FloatIP to flow the traffic (if you SNAT). If you don't have a FloatIP, everything must flow from the SelfIP.
You can test the route from the shell, e.g.:

    [root@bigiplab:Active:Standalone] config # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref Use Iface
    127.1.1.0       0.0.0.0         255.255.255.0   U     0      0   0   tmm
    127.2.0.0       0.0.0.0         255.255.255.0   U     0      0   0   mgmt.1
    172.20.16.0     0.0.0.0         255.255.252.0   U     0      0   0   mgmt
    10.10.10.0      0.0.0.0         255.255.255.0   U     0      0   0   internal_vlan
    127.7.0.0       127.1.1.253     255.255.0.0     UG    0      0   0   tmm
    127.20.0.0      0.0.0.0         255.255.0.0     U     0      0   0   tmm_bp
    0.0.0.0         10.10.10.1.1    0.0.0.0         UG    0      0   0   internal_vlan
    0.0.0.0         172.20.16.110   0.0.0.0         UG    9      0   0   mgmt

    [root@bigiplab:Active:Standalone] config # ip route get 20.10.10.1
    20.10.10.1 via 10.10.10.1 dev internal_vlan  src 10.10.10.10
        cache  mtu 1500 advmss 1460 hoplimit 64

Regards.
I figured out the problem, well at least I know why the wrong default gateway was being used. For whatever reason, the default gateway I created initially never actually updated the F5 configuration. I made a change to the default gateway in the Network > Route GUI and after I pressed Update, the F5 started to send traffic out the Internal VLAN instead of the Management VLAN. This is all working as expected now.

@cjunior Thank you very much for all of your assistance. When I run the route -n command now, I get the 10.21.6.0 network as my default gateway, not my 10.2.1.0 network.
- cjunior
Nacreous
Nice, I'm just trying to help friends. Good luck!
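The route check discussed in this thread can be automated; the following is an added example, not code from any poster or from F5. It parses `route -n` output and reports which interface a pool member's address would leave through (longest prefix first, then lowest metric), flagging the case where monitor traffic would egress the management interface. The function names, the `mgmt` interface list and the sample table are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in `route -n` format, modeled on the table posted in the
# thread; the addresses are illustrative and not taken from a real system.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
172.20.16.0     0.0.0.0         255.255.252.0   U     0      0   0   mgmt
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0   0   internal_vlan
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0   0   internal_vlan
0.0.0.0         172.20.16.110   0.0.0.0         UG    9      0   0   mgmt
"""

def parse_route_n(text):
    """Parse `route -n` output into route dicts, skipping header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{genmask}")
            metric = int(metric)
        except ValueError:
            continue  # column header or malformed row
        if "U" in flags:  # keep only routes that are up
            routes.append({"net": network, "gw": gateway,
                           "metric": metric, "iface": iface})
    return routes

def monitor_egress(route_text, node_ip, mgmt_ifaces=("mgmt",)):
    """Return (iface, gateway, leaves_via_mgmt) for node_ip, or None if no route.

    mgmt_ifaces is an assumed list of management interface names.
    """
    dst = ipaddress.ip_address(node_ip)
    matches = [r for r in parse_route_n(route_text) if dst in r["net"]]
    if not matches:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    best = min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))
    return best["iface"], best["gw"], best["iface"] in mgmt_ifaces

if __name__ == "__main__":
    for node in ("20.10.10.1", "10.10.10.50", "172.20.17.5"):
        print(node, monitor_egress(SAMPLE_ROUTE_N, node))
```

A result with the third element `True` for a pool member means its health checks would cross the management network, which is the condition the original poster hit before the traffic default route took effect.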
