Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Can a floating IP be the next hop for routing?

young19918
Altocumulus
Altocumulus

Hello,

Recently tried using HA in Route mode.
Here is my structure :

young19918_0-1684851051459.png

I thought floating ip can be the next hop of Route.
So I set the next hop in Client Route as 1.1.1.3 & Switch's is 2.2.2.3.

However, when I browse VIP, I find that I can't pass...
Can a floating IP be the next hop for routing?
If not, how should I set ...

Any Help is appreciate.

1 ACCEPTED SOLUTION

@young19918 

So from client 1.1.1.4 you are attempting to reach server on 3.3.3.1 on tcp/80 or possibly tcp/443? If your routing is in place and you can indeed ping 3.3.3.1 from 1.1.1.4 and the other way around then it could be your forwarding virtual server that is not allowing the traffic to pass through the F5. You should be able to perform a tcpdump on the active F5 of the following and see where the traffic is going.

tcpdump -nni 0.0:nnp host <source_IP> and port <destination_port>

tcpdump -nni 0.0:nnp host 1.1.1.4 and port 80

In your topology I would make the switch an L2 switch for the VLAN that sits behind the F5s and have the F5s and server be in subnet 2.2.2.0/24 with the gateway for the server being 2.2.2.3. If forcing the switch to be in routed servse another purpose for you then keep it but if not I wouldn't do it because it adds unneeded complexity without much benefit. If your intent is to be able to manage the switch by an IP you can always IP it from that same 2.2.2.0/24 subnet and reach it.

View solution in original post

4 REPLIES 4

Paulius
MVP
MVP

@young19918 When the F5s are in routed mode and you have a floating IP configured for either HA or standalone it should absolutely be the destination for the next hop for networks on the apposing side of the F5. If you are not able to route traffic from one side of the F5 to the other it's most likely that your forwarding virtual server is not configured properly to accept and pass all traffic from one side to the other on the F5. The following is what I have configured for my lab device.

ltm virtual VS_FORWARDING_ALL {
    description "Catchall Forwarding VS"
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}

 

Hi @Paulius ,

Thanks for your reply.

After setting it up, Client and Server can ping each other
But the Client cannot browse to the server through VIP, I tried to browse the Server directly without VIP, but it also failed ......

@young19918 

So from client 1.1.1.4 you are attempting to reach server on 3.3.3.1 on tcp/80 or possibly tcp/443? If your routing is in place and you can indeed ping 3.3.3.1 from 1.1.1.4 and the other way around then it could be your forwarding virtual server that is not allowing the traffic to pass through the F5. You should be able to perform a tcpdump on the active F5 of the following and see where the traffic is going.

tcpdump -nni 0.0:nnp host <source_IP> and port <destination_port>

tcpdump -nni 0.0:nnp host 1.1.1.4 and port 80

In your topology I would make the switch an L2 switch for the VLAN that sits behind the F5s and have the F5s and server be in subnet 2.2.2.0/24 with the gateway for the server being 2.2.2.3. If forcing the switch to be in routed servse another purpose for you then keep it but if not I wouldn't do it because it adds unneeded complexity without much benefit. If your intent is to be able to manage the switch by an IP you can always IP it from that same 2.2.2.0/24 subnet and reach it.

@Paulius ,

Thanks for your help.

I have already fix it.