So I have a public range - lets say 192.168.10.0/24
I am use 172.16.10.0/24 as the network between my firewall and my F5.
so traffic from the internet destined for 192.168.10.250 goes to the firewall - its public interface is 192.168.10.0/24. it has a static route to 172.16.10.250.
so my 2 F5's (f5-1 & f5-2) have
f5-1
vlan 10
172.16.10.10/24
f5-2
vlan 10
172.16.10.11/24
they share a FIP
172.16.10.250
they both have a vs configured for destination address 192.168.10.250.
and this works, but I have 2 issue/questions
1) does the destination address need to be a self ip address - and if so why is it working !
2) I can't fail it over - works when i reboot the F5, but when i try to put into standby mode 😞 nothing
1) does the destination address need to be a self ip address - and if so why is it working !
No, Any IP address in that range should do the trick, as long as the firewall knows where to route the traffic to.
In fact, in most cases you would purposefully NOT use a SelfIP for the VS IP as it may start to clash between management and traffic functions.
2) I can't fail it over - works when i reboot the F5, but when i try to put into standby mode 😞 nothing
Hmm, that SHOULD work, so there may be something else going on. Would need to know a lot more about the environment, but here are a few things that I'd check;
Are you using MAC Masquerading? If so, check that you hypervisor is not too strict and blocking things off.
If NOT using MAC masquerading, check that your firewall is correctly receiving MAC updates (so that the traffic needs to point to the new active member)
Do a TCPdump to see where the traffic ends up after the failover, and work out how the traffic flows through the system.
Confirm that the VS-IP was indeed on a floating self IP, rather than a non-floating self ip.
