Destination address at F5

davidy2001
Cirrus

Hi, I have a question about creating a virtual server. Please see the screenshot below, where there is "Destination Address/Mask". Is this address a gateway located outside of the F5, or the address of the virtual server? I think the IP address 10.0.30.254 should be a gateway located outside of the F5, do you think so?

Thank you

 

2.PNG


35 REPLIES

Hi @davidy2001,
This is the IP address of your virtual server; it is owned by the F5 BIG-IP itself.
> This IP is the real representation of your service.

> This IP is the destination IP in the L3 IP packet, and a destination NAT happens to it.
Let me explain:
For example, we have a client/user IP = 200.200.200.200 as a source outside the F5, and you configure this IP 10.0.30.254 as a destination address on the F5. Also assume that the pool member or server IP address = 10.20.20.20.
> The traffic flow should be as below:
Source IP: 200.200.200.200 "Client IP"

Destination IP: 10.0.30.254 "Destination IP on F5, or what we call the virtual server IP"

That was the first half, the connection outside the F5, or what we call the client-side connection between the client and the F5.
After that, the F5 performs a destination NAT on this IP "10.0.30.254" and converts it to "10.20.20.20".
So the traffic flow will be:
Source IP: 200.200.200.200 "Client IP"

Destination IP: 10.20.20.20 "Real server/pool member IP" after the F5 NATs it.
That was the second half of the F5 connection, or what we call the inside connection between the F5 and the servers.

> Note: I assume the default behavior of the F5 without any additional configuration such as SNAT, or virtual server type "full proxy or half proxy".

Briefly, this IP is the virtual server IP; it can be a single IP or a subnet, depending on your environment.

Regards
Mohamed Kansoh.

_______________________
Regards
Mohamed Kansoh

davidy2001
Cirrus

Thank you very much for your nice reply. So from the outside user's perspective, the destination IP address is the internal server (node) IP address. What is the relation between the destination IP address 10.0.30.245 and the external floating IP address? I thought the external floating IP is the virtual server IP address. Looks like not.

Hi @davidy2001,

Well,
> Firstly, from the outside user's perspective, the destination IP is the "Virtual server = 10.0.30.245", not the internal node IP; users do not even know about the node IP.
- The "Virtual server = 10.0.30.245" speaks instead of the internal node; all of the user's knowledge ends at the "Virtual server = 10.0.30.245", and they cannot know what real servers ("internal nodes") are behind the BIG-IP.
- Destination NAT is a process that the F5 BIG-IP does without the knowledge of users, as it converts the "Virtual server = 10.0.30.245" IP to the "internal node IP".

> Secondly, you thought that the external floating IP address is the virtual server address.
Well, a floating IP exists only if you deploy high availability "HA" clustering between two F5 BIG-IP appliances.
- The external floating IP acts as the self IP address which you create for the standalone system.

- The external floating IP maintains the reachability of your system and the peer devices on the network "switches, routers, firewalls". This IP is related to the active and standby units, but it is owned by the active unit until it goes down or a hardware failure happens to it; if this failure happens, this IP will move to and be owned by the standby unit, as it will become the active unit in this case.

- The external floating IP address is not included in user traffic IP packets.

- The external floating IP in "HA" clustering is the same as the self IP in a standalone unit; it is used in Layer 2 ARP packets, and the peer device of the F5 "Layer 3 switch, router, firewall" uses it as a next hop to forward traffic to the F5.

- Without creating a floating IP address, you will lose reachability with the F5's outside network peers.
- The floating IP address is called a "Virtual IP address" by other vendors; I think it confuses you because of its name.
- But the virtual server is the main speaker instead of the internal nodes, and it must be included in the IP layer 3 packets between users and the F5.

- The virtual server is the most important component in F5 BIG-IP; it contains a massive set of configuration features that administrators can use.

> Note: the virtual IP and floating IP can have the same IP address, but this is a bad network design and is not deployed in almost any network architecture.

I hope that helps you.
Ty and Regards

_______________________
Regards
Mohamed Kansoh

davidy2001
Cirrus

Thanks. So my understanding should be like the below. Router 3725-1's fa0/0 is 10.0.30.1, the virtual server address is 10.0.30.254 and the external floating IP is 10.0.30.110. The three IP addresses are on the same subnet. 10.0.30.1 can ping the other two IPs.

The internal floating IP 10.0.20.110 and the node IPs 10.0.20.2-3 are on the same subnet. 10.0.20.2 can ping the internal floating IP 10.0.20.110.

But when 10.0.30.1 pings the virtual server address, the router (10.0.20.2) does not receive any message from the F5. Is some config step missing? Please see the diagram below:

1.PNG

 

 

@davidy2001 In order to answer this correctly we need a bit more information on what your pool is configured as for your Virtual Server in your first comment. If your object is to allow traffic to pass from External to Internal and Internal to External for just routed traffic, you do not need to configure a specific pool and you just need a wildcard virtual server listening on the External and Internal VLANs or all VLANs. You can also use something similar to the wildcard virtual servers in this article.

https://support.f5.com/csp/article/K7595

If you intend to pass ICMP traffic only to those specific destination routers you will need to create a pool that has those two router IPs in it and some other adjustments to the virtual server. I do not recommend setting up a virtual server for the purpose to only ping between 3725-1 and 3725-2 or 3725-3 and just use the wildcard virtual server. When a BIG-IP is deployed in routed mode and it sits in path you will almost always want to configure a wildcard virtual server otherwise routed traffic that doesn't match any other virtual server will be dropped.

Hi @davidy2001,
Well,

> You do not see the ICMP packet on the internal nodes "2 routers (2725-2, 2725-3)" because the F5 appliance itself responds to ICMP packets and never lets them pass to your routers on the other side; this is the default behavior of the F5 system.

In this case we need to change some configuration on the virtual server itself, and make the F5 not take any action on or respond to ping packets.

> Firstly, configure your virtual server "ping-vs" as below:
Ping_VIP.PNG

You can leave its type as Standard or Performance Layer 4, but I prefer Performance Layer 4 because there is no need to make it Standard.

> After that, go to (Local Traffic > on the Virtual Servers tab, choose Virtual Address List > select the virtual server address which your routers are behind, "10.0.30.254")
and change "ICMP Echo" to Disabled; you will find it is "Always" by default.
So your configuration should be like this:

Ping_VIPaddress.PNG
Click Update and exit.


> Try to ping your virtual server "10.0.30.254" again; it should pass this traffic to one of your "internal node routers (10.0.20.2, 10.0.20.3)".
Also check this snapshot from my lab environment:
Lab_it.PNG
(My PC IP: 10.10.10.1, tries to ping "10.10.10.5", the virtual server that I attached in the first snapshot; 30.30.30.2 is the self IP address in the internal servers subnet and 30.30.30.30 is my internal node.)
- show sys connection cs-client-addr is a tmsh script to see the active connections from this IP over my F5 device.

Try to do this and tell me your status feedback.
Thanks.

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh Thanks for your reply! Please see the screenshot below: user 3725-1 (10.0.30.1) and the virtual server (10.0.30.254) can ping each other, but the command show sys connection cs-client-addr 10.0.30.1 shows nothing. Maybe the issue is here.

2.PNG

Secondly, my F5 is version 15.1. It looks like it does not show ICMP options. I checked the whole page, and cannot find the ICMP option. Please see below. Not sure if the option was canceled.

3.PNG

 

Hi @davidy2001,
> The ICMP option is on the Virtual Address List tab; see the snapshot below:

virtual address tab.PNG
Select your virtual server address and you will find the ICMP option; set it to "Disabled"
and try again.
> Or do it in the CLI:
write this command at the tmsh prompt
( modify ltm virtual-address 10.0.30.254 icmp-echo disabled )
and try again.
Look at this snapshot as well:
CLI.PNG

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh 

> ICMP option is on virtual address list tab , see the below snap shot :  Yes, right. After changing ICMP Echo from the default Always to Disabled, the node can receive ping traffic from the F5. But the name Disabled is weird. It should be Enabled, which can cause ping echo.

 

Hi @davidy2001,
It is not weird; each virtual server is only responsible for its nodes, and when you disable ICMP echo on the "10.0.30.254" virtual server, this option is related only to this virtual server, and other virtual servers are not impacted by your change. You will find the icmp-echo option still at the default Always on all virtual servers except the "10.0.30.254 virtual server".

> For the command, you wrote the command wrong; you need to write 10.0.30.254 instead of 10.0.30.1.

> This is a special configuration for your environment, as in most deployments the F5 as a load balancer serves real servers, not routers, but of course everything is doable and available in F5 to handle your traffic the way you want.
- My configuration was a workaround for your environment, and "this virtual server 10.0.30.254" is the only object that will be impacted to solve your issue with routes; the rest of your applications and services run without impact.

Ty

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh One more question: in order to confirm the traffic is going through the F5, we can see its statistics. After I changed to different virtual server IP addresses and changed their ICMP option from Always to Disabled, and then pinged all the other virtual servers listed below, I can see Bits and Packets increase ONLY in the virtual server 10.0.30.254. All other virtual servers have nothing there. Why just 10.0.30.254? In other words, I ping another virtual server such as 10.0.30.100, but Bits and Packets increase in 10.0.30.254, not in 10.0.30.100.

6.PNG

Hi @davidy2001,
All other virtual servers should collect statistics and serve traffic like "10.0.30.254".
- First make sure that the internal nodes that are behind these virtual servers receive traffic, like "10.0.30.253".
> I simulated this case now in my environment and I could see traffic on all the virtual servers I have; you may need to click the "Refresh" button every 5 or 10 seconds, such as below:
TEST_Ping.PNG
Or another idea:
you can put this command in the tmsh CLI:
# show sys connection cs-server-addr "All_your_virtual servers".
such as in the snapshots below:
Test_server1.PNG
test_server2.PNG

You will be able to see your active connections well and make sure that everything is running as expected.

> But again, I think you need to ping your virtual servers and keep the ping running on them, and click the "Refresh" button more times; I think you will notice the results.

Try it and send the feedback status.
Regards

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh 

I tried many times to ping the newly created virtual server 10.0.30.200. The Bits and Packets still increase in virtual server 10.0.30.254, not in 10.0.30.200. Of course, I keep clicking on the Refresh button, but it cannot change the count numbers. Strange.

7.PNG

Hi @davidy2001,
I think in this case the other virtual servers do not receive packets, so you need to make sure that you configure them like this:

Ping_VIP.PNG

Also try this command in tmsh: "show sys connection cs-server-addr 10.0.30.200 or 10.0.30.110 or 10.0.30.100".

> Also send me the newly created virtual server configuration and the virtual address configuration as well, as a snapshot; maybe I will find a missing part.
But I am sure newly created virtual servers should work as expected if you configured them the same way as "10.0.30.254", because I simulated it in my lab and it works well.

> I am following you; you can update me any time until your issue is resolved.
Ty

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh 

Please see the screenshot below. This config is the same as the 10.0.30.254 virtual server except for the IP address 10.0.30.200. And please let me know if any info is needed.

2.PNG

211.PNG

311.PNG

 

 

Well,
I see you are using the standby unit to ping the virtual servers.
You will not see any statistics on the standby; all connections should be on the active unit, not the standby.

I need you to try to ping from router 10.0.30.1 to virtual server 10.0.30.200, and see the statistics on the active appliance.

> I also see you changed the virtual server "Ping-vs" from 10.0.30.254 to 10.0.30.200. I do not know why, but create both of them separately.

> Do not look at statistics or run this command "show sys connection cs-server-addr"
on the standby system.


Try again and update me.
Ty

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh 

> I see also you changed the Virtual server " Ping-vs " from 10.0.30.254 to 10.0.30.200 , I do not know why , but create both of them separately. -- Yes, I only want to see the effect of the IP change.

I rebooted it just now. Then I can see the Bits and Packets counts increase in the current virtual server 10.0.30.200. This is what we expect.

And then I changed the IP from 10.0.30.200 to 10.0.30.123. The previous scene happened again, meaning when I ping 10.0.30.123 from router 10.0.30.1, the count number still increases at 10.0.30.200, not 10.0.30.123. So we might have to reboot it to resolve the issue? Looks like Refresh cannot work.

2.PNG

Well,
maybe you need to kill the active sessions first before swapping the virtual server IPs, because active sessions need an idle timeout value.
For example:
Traffic on 10.0.30.200 works well and counts packets and bits, because this virtual server has the active connection now.
When you swap it to 10.0.30.123, you will need to kill the active sessions first by using this command: "delete sys connection cs-server-addr 10.0.30.200". This will kill the active connections that were opened via the "10.0.30.200 vs".
After that, try to ping "10.0.30.123" and see the results.
You do not need to reboot; only use this command "delete sys connection cs-server-addr 10.0.30.200" and I think it will work as expected.

> If you created new, different virtual servers instead of swapping IPs, you will not see this behavior.

Try it and give me your feedback.
Ty

_______________________
Regards
Mohamed Kansoh

@davidy2001,
Also note: when you change only the virtual server IP, the new virtual address is added in the statistics page. You will also find that in the new virtual address the "icmp-echo" option has returned to "always" again, so you will have to change it again.

> It is not good to change the virtual server IP address; you can create a new one instead of swapping the IP, because of the existence of active sessions.

> Also, if you follow the scenario of swapping the virtual server IP, run this command
"show sys connection cs-server-addr"; it will show you that the traffic flow is correct and as expected.

Ty

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh 

Yes, after creating new virtual server, the issue exist again. The issue resolved! 

Thank you!

 

 

davidy2001
Cirrus

@Paulius Thanks for your reply! Actually I want to understand how basic F5 traffic goes from outside users to inside node servers and how the F5 works as a load balancer. I use the routers (3725-2 and 3725-3) in the diagram as simulated nodes. The routers have a default route pointing at the internal floating IP address, so the routers should function as nodes in the pool created. One of the reasons why I use routers as nodes is that we can see and check traffic from the router when there is traffic flowing from the F5 to the router (node).

For the function of the F5 as a load balancer, I think all configurations are completed on my F5, but how do I make sure the F5 load balancing works well? That is why I check if 3725-2 and 3725-3 can receive any traffic. Is this a good way to confirm it works?

@davidy2001 In all honesty, if you are trying to figure out how the BIG-IP works I would configure VMs behind it rather than routers, because it seems like you would want to use the BIG-IP in the closest way you intend to in the future. Most deployments of the BIG-IPs are for websites and applications rather than ICMP to routers. Don't get me wrong here, because you can do all sorts of things on the BIG-IP, but if your intent is to learn it I think the best way to start is the closest thing that everyone typically uses them for, which is application load balancing or website load balancing. You can perform tcpdumps on the BIG-IPs to see traffic traversing it, as well as a wireshark (Windows) or tcpdump (Linux) on the destination servers to see the traffic flow. This is a great exercise that you posted just to learn something one-off, but not where I would have started to learn about them.

Thanks, you are right. Using ping looks like a relatively easy way to find out if it's working.

davidy2001
Cirrus

@Mohamed_Ahmed_Kansoh 

Let's use one of your replies to start the conversation.

"it is not weird , each virtual server is only responsible for its nodes and when you disable icmp echo on " 10.0.30.254" virtual server this option is related only to this virtual server , and other virtual servers do not impacted by your change , you will find the option of icmp-echo still as default always on all virtual servers except " 10.0.30.254 virtual server ""

I still have a question on this point. After I repeatedly tested, I found this phenomenon. Let's say there are two situations: one is when ICMP Echo is Disabled, 3725-1 can always ping the virtual server successfully. Once it changes back to Always, 3727-1 can no longer ping the virtual server. The second situation is when ICMP Echo is Always; once it changes back to Disabled, 3727-1 can no longer ping the virtual server. But I do not know what can cause the two different situations? Thanks

 

Hi @davidy2001
When you set your option:

> Always: this option makes the F5 itself, as a device, reply to ICMP packets when the F5 itself sees that this virtual server is available ("green circle or blue square" on it); if this virtual server is not available, or has a "red rhombus" or is marked down, the F5 as a system device will not reply to ICMP.

> Disable: the F5 as a device does not reply to ICMP whether its virtual server is available or not; it only takes ICMP packets and sends them to its pool members/nodes.

Briefly, the Always option tells the F5 device to reply to ICMP if the pinged virtual server is available, whereas Disable tells the F5 device not to reply to the ICMP packets, or to bypass ICMP packets to be relayed on the availability of the "pool members/nodes".

> I will send you a snapshot of a very useful tab on the F5 GUI:
help.PNG

The Help tab is our hand and foot in F5.

Regards.
Ty

_______________________
Regards
Mohamed Kansoh

Thanks. Can we say no matter Always or Disabled is selected, traffic should be sent to nodes from virtual server?  

@davidy2001 

Yes, Always or Disable is only for ICMP packets.

But real traffic is delivered by the nodes that are assigned to the virtual servers.

Regards

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh Thanks

"Yes , always or disable only for icmp packets." 

What I mean is, no matter whether Always or Disabled is selected, traffic (ping) should be sent to the nodes from the virtual server? Because this is related to the issue below.

Is there a config change which can block traffic from the virtual server to the nodes, in addition to linking the virtual server to the node pool (Virtual server ----> Resources ---> Load balance ---> Default pool)?

The reason why I am asking the question is because it used to work, but now the virtual server is already linked to a node pool, yet the virtual server sometimes cannot transfer messages (ping) from 3725-1 to the nodes? When 3725-1 sends a ping to the virtual server (the ping is successful), Statistics show nothing changed (even if I keep pressing the Refresh button).

Hi @davidy2001,
Yes, in your environment with the F5, you need to disable ICMP echo on the virtual server when pinging from router 1 to the virtual servers, and let the F5 transfer ICMP packets to the nodes that are assigned to the virtual server.

This is related to your scenario only.

I want to say, the F5 is used in many deployments and is rarely used with routers like you do.
BTW, the F5 can do anything on application delivery networks.

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh Thanks. 

But after changing to Disabled, it cannot only ping the virtual server from router1, but also the virtual server cannot send the message to the nodes. It used to work; I do not know why it no longer works at all. Sorry to bother you with a lot of questions.

Hi @davidy2001,
Do not worry about that.
This issue is not related to the "Always or Disabled" options; I think there is a change in the configuration.
So send a snapshot of the "virtual server, virtual address, pool member and nodes as well"
and I will check it.

Regards 

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh Thanks

Please see the screenshots below. To make it simpler, I use Standalone, but it still has that issue.

The virtual server is 10.0.30.100. R1 can ping the virtual server (when ICMP is Always; below shows Disabled), but the node has no response. The node can ping 10.0.20.254 (internal floating IP).

3.PNG

4.PNG

5.PNG

6.PNG

7.PNG

 

 

 

Hi @davidy2001,
How are you?
> You need to remove the TCP profile and choose All Protocols, because you are transferring ICMP packets, not a connection based on TCP.
Check the snapshot below and tell me your feedback:
All_Protocols.PNG

 

Hope this helps you; waiting for your response.

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh Big help, Thank you!

@davidy2001 

Most welcome brother. 

_______________________
Regards
Mohamed Kansoh
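
The settings this thread arrives at, collected as one tmsh sequence. This is an added example, not a post from the thread's participants; it assumes the virtual server is named ping-vs and uses a Performance (Layer 4) profile as suggested above, and it reuses the thread's addresses. Lines starting with # are annotations.

```tmsh
# Added example (not from the thread's posters). Assumed names: virtual server
# "ping-vs" with a Performance (Layer 4) profile, virtual address 10.0.30.254.

# 0. In an HA pair, work on the active unit: the standby carries no
#    connections, so its statistics and connection table stay empty.
show cm failover-status

# 1. Stop the BIG-IP from answering echo requests for the virtual address
#    itself, so pings are handed to the pool members instead.
modify ltm virtual-address 10.0.30.254 icmp-echo disabled
list ltm virtual-address 10.0.30.254 icmp-echo

# 2. Let the virtual server match ICMP as well as TCP ("All Protocols" in
#    the GUI). A virtual server limited to TCP will not pick up the pings.
modify ltm virtual ping-vs ip-protocol any
list ltm virtual ping-vs ip-protocol

# 3. While a ping from 10.0.30.1 is running, confirm the flow is in the
#    connection table and that the virtual server counters move.
show sys connection cs-client-addr 10.0.30.1
show sys connection cs-server-addr 10.0.30.254
show ltm virtual ping-vs

# 4. Only if the destination address of an existing virtual server was
#    changed (10.0.30.200 is the old address from the thread): existing
#    flows keep counting against the old address until they time out or
#    are removed. This drops those live connections.
delete sys connection cs-server-addr 10.0.30.200

# 5. A changed destination creates a new virtual address object whose
#    icmp-echo is back at its default, so step 1 has to be repeated for it
#    (10.0.30.123 is the new address from the thread).
modify ltm virtual-address 10.0.30.123 icmp-echo disabled
```

Setting icmp-echo to disabled also means the BIG-IP no longer answers pings for that address on its own, so any monitoring that pings the virtual address will then be measuring the pool members' replies.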