Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Can a floating IP be the next hop for routing?

Go to solution
young19918
Altocumulus
Altocumulus

‎23-May-2023 07:16

Hello,

Recently tried using HA in Route mode.
Here is my structure :

young19918_0-1684851051459.png

I thought floating ip can be the next hop of Route.
So I set the next hop in Client Route as 1.1.1.3 & Switch's is 2.2.2.3.

However, when I browse VIP, I find that I can't pass...
Can a floating IP be the next hop for routing?
If not, how should I set ...

Any Help is appreciate.

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Paulius
MVP
MVP
In response to young19918

‎23-May-2023 20:25

@young19918 

So from client 1.1.1.4 you are attempting to reach server on 3.3.3.1 on tcp/80 or possibly tcp/443? If your routing is in place and you can indeed ping 3.3.3.1 from 1.1.1.4 and the other way around then it could be your forwarding virtual server that is not allowing the traffic to pass through the F5. You should be able to perform a tcpdump on the active F5 of the following and see where the traffic is going.

tcpdump -nni 0.0:nnp host <source_IP> and port <destination_port>

tcpdump -nni 0.0:nnp host 1.1.1.4 and port 80

In your topology I would make the switch an L2 switch for the VLAN that sits behind the F5s and have the F5s and server be in subnet 2.2.2.0/24 with the gateway for the server being 2.2.2.3. If forcing the switch to be in routed servse another purpose for you then keep it but if not I wouldn't do it because it adds unneeded complexity without much benefit. If your intent is to be able to manage the switch by an IP you can always IP it from that same 2.2.2.0/24 subnet and reach it.

View solution in original post

4 REPLIES 4

Go to solution
Paulius
MVP
MVP

‎23-May-2023 08:53

@young19918 When the F5s are in routed mode and you have a floating IP configured for either HA or standalone it should absolutely be the destination for the next hop for networks on the apposing side of the F5. If you are not able to route traffic from one side of the F5 to the other it's most likely that your forwarding virtual server is not configured properly to accept and pass all traffic from one side to the other on the F5. The following is what I have configured for my lab device.

ltm virtual VS_FORWARDING_ALL {
    description "Catchall Forwarding VS"
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}

 

Go to solution
young19918
Altocumulus
Altocumulus
In response to Paulius

‎23-May-2023 17:09

Hi @Paulius ,

Thanks for your reply.

After setting it up, Client and Server can ping each other
But the Client cannot browse to the server through VIP, I tried to browse the Server directly without VIP, but it also failed ......

0 Kudos

Go to solution
Paulius
MVP
MVP
In response to young19918

‎23-May-2023 20:25

@young19918 

So from client 1.1.1.4 you are attempting to reach server on 3.3.3.1 on tcp/80 or possibly tcp/443? If your routing is in place and you can indeed ping 3.3.3.1 from 1.1.1.4 and the other way around then it could be your forwarding virtual server that is not allowing the traffic to pass through the F5. You should be able to perform a tcpdump on the active F5 of the following and see where the traffic is going.

tcpdump -nni 0.0:nnp host <source_IP> and port <destination_port>

tcpdump -nni 0.0:nnp host 1.1.1.4 and port 80

In your topology I would make the switch an L2 switch for the VLAN that sits behind the F5s and have the F5s and server be in subnet 2.2.2.0/24 with the gateway for the server being 2.2.2.3. If forcing the switch to be in routed servse another purpose for you then keep it but if not I wouldn't do it because it adds unneeded complexity without much benefit. If your intent is to be able to manage the switch by an IP you can always IP it from that same 2.2.2.0/24 subnet and reach it.

Go to solution
young19918
Altocumulus
Altocumulus
In response to Paulius

‎24-May-2023 00:30

@Paulius ,

Thanks for your help.

I have already fix it.

0 Kudos
Copyright © 2023 Khoros, LLC