Forum Discussion

Nov 05, 2022
Solved

Destination address at F5

Hi, I have a question about creating a virtual server. Please see the screenshot below, where there is "Destination Address/Mask". Is this address the gateway located outside of the F5, or the address of the virtual server? I think the IP address 10.0.30.254 should be the gateway located outside of the F5, do you think so?

Thank you

  • Hi davidy2001,
     > The ICMP option is on the Virtual Address List tab; see the snapshot below:

    Select your virtual server address and you will find the ICMP option; make it "disabled"
    and try again.
    > Or do it via the CLI:
    write this command at the tmsh prompt
    ( modify ltm virtual-address 10.0.30.254 icmp-echo disabled )
    and try again.
    Look at this snapshot as well:

  • Hi davidy2001,
    it is not weird; each virtual server is only responsible for its nodes, and when you disable icmp echo on the "10.0.30.254" virtual server, this option is related only to this virtual server, and other virtual servers are not impacted by your change. You will find the icmp-echo option still at its default, "always", on all virtual servers except the "10.0.30.254" virtual server.

    > For the command, you wrote the command wrong; you need to write 10.0.30.254 instead of 10.0.30.1.

    > This is a special configuration for your environment, as in most deployments the F5 as a load balancer serves real servers, not routers, but of course everything is doable and available in F5 to handle your traffic the way you want.
    - My configuration was a workaround for your environment, and this virtual server "10.0.30.254" is the only object that will be impacted to solve your issue with routes; the rest of your applications and services run without impact.

    Ty

  • davidy2001,
    Also note, when you change only the virtual server IP, the new virtual address is added in the Statistics page. Also, you will find in the new virtual address that the "icmp-echo" option has returned to "always" again, so you will have to change it again.

    > It is not good to change the virtual server IP address; you can create a new one instead of swapping the IP, because of the existence of active sessions.

    > Also, if you follow the scenario of swapping the virtual server IP, run this command:
    "show sys connection cs-server-addr"; it will show you that the traffic flow is correct and as expected.

    Ty

  •
    Paulius
    Nov 07, 2022

    davidy2001 In all honesty, if you are trying to figure out how the BIG-IP works, I would configure VMs behind it rather than routers, because it seems like you would want to use the BIG-IP in the closest way you intend to in the future. Most deployments of the BIG-IPs are for websites and applications rather than ICMP to routers. Don't get me wrong here, because you can do all sorts of things on the BIG-IP, but if your intent is to learn it, I think the best way to start is the closest thing that everyone typically uses them for, which is application load balancing or website load balancing. You can perform tcpdumps on the BIG-IPs to see traffic traversing it, as well as Wireshark (Windows) or tcpdump (Linux) on the destination servers to see the traffic flow. This is a great exercise that you posted just to learn something one-off, but not where I would have started to learn about them.

  • Hi davidy2001,
      How are you?
    > You need to remove the TCP profile and choose all protocols, because you are transferring ICMP packets, not a connection based on TCP:
    check the snapshot below and tell me your feedback:

    Hope this helps you; waiting for your response.


  • Paulius Thanks for your reply! Actually, I want to understand how basic F5 traffic goes from outside users to inside node servers and how F5 works as a load balancer. I use routers (3725-2 and 3725-3) in the diagram as simulated nodes. The routers have a default route pointing at the internal floating IP address, so the routers should have the node function in the pool created. One reason why I use routers as nodes is that we can see and check traffic from the router when there is traffic flowing from F5 to the router (node).

    For the function of F5 as a load balancer, I think all configurations are completed on my F5, but how do I make sure the F5 load balancing works well? So I check if 3725-2 and 3725-3 can receive any traffic. Is this a good way to confirm it works?

      • davidy2001

        Thanks, you are right. Using ping looks like a relatively easy way to find out if it's working.

  • Hi davidy2001,
    this is the IP address of your virtual server; it is owned by the F5 BIG-IP itself.
    > This IP is the real representation of your service.

    > This IP is the destination IP located in the IP L3 packet as the destination IP, and a destination NAT happens to it.
    Let me explain:
    for example, we have a client IP / user IP = 200.200.200.200 as a source outside F5, and you configure this IP 10.0.30.254 as a destination address on F5; also assume that the pool member or server address IP = 10.20.20.20.
    > The traffic flow should be as below:
    Source IP: 200.200.200.200 "Client IP"

    Destination IP: 10.0.30.254 "Destination IP on F5, or what we call the virtual server IP"

    That was the first half, or the outside F5 connection, or what we call the connection between the client side and F5.
    After that, F5 will perform a destination NAT on this IP "10.0.30.254" and convert it to "10.20.20.20".
    So the traffic flow will be:
    Source IP: 200.200.200.200 "Client IP"

    Destination IP: 10.20.20.20 "Real server / pool member IP", after F5 NATs it.
    That was the second half of the F5 connection, or what we call the inside connection between F5 and the servers.

    > Note, I assume the default behavior of F5 without any additional configuration such as SNAT, or the virtual server type "full proxy or half proxy".

    Briefly, this IP is the virtual server IP; it can be a single IP or a subnet depending on your environment.

    Regards
    Mohamed Kansoh.

  • Thank you very much for your nice reply. So from the outside user perspective, the destination IP address is the internal server (node) IP address. What is the relation between the destination IP address 10.0.30.245 and the external floating IP address? I thought the external floating IP is the virtual server IP address. Looks like not.

    • Hi davidy2001,

      Well,
      > Firstly, from the outside user perspective, the destination IP is the "Virtual server = 10.0.30.245", not the internal node IP; users do not even know about the node IP.
      - The "Virtual server = 10.0.30.245" speaks instead of the internal node; all of the user's knowledge ends at the "Virtual server = 10.0.30.245", and they cannot know what is behind the BIG-IP in terms of real servers ("internal nodes").
      - The process of destination NAT is a process done by the F5 BIG-IP without the knowledge of users, as it converts the "Virtual server = 10.0.30.245" IP to the "internal node IP".

      > Secondly, you thought that the external floating IP address is the virtual server address.
      Well, a floating IP exists only if you deploy High Availability ("HA") clustering between two F5 BIG-IP appliances.
      - The external floating IP acts as the self IP address which you create for a standalone system.

      - The external floating IP maintains the reachability of your system and the peer devices on the network (switches, routers, firewalls). This IP is related to the active and standby units, but it is owned by the active unit until it goes down or a hardware failure happens to it; if this failure happens, this IP will move to and be owned by the standby unit, as it will become the active unit in this case.

      - The external floating IP address is not included in user traffic IP packets.

      - The external floating IP in "HA" clustering is the same as the self IP in a standalone unit; it is used in Layer 2 ARP packets, and the peer device (Layer 3 switch, router, firewall) to F5 uses it as a next hop to forward traffic to F5.

      - Without creating a floating IP address, you will lose reachability with F5's outside network peers.
      - The floating IP address is called a "Virtual IP address" by other vendors; I think it confuses you because of its name.
      - But the virtual server is the main speaker instead of the internal nodes, and it must be included in the IP layer 3 packets between users and F5.

      - The virtual server is the most important component in F5 BIG-IP; it contains a massive set of configuration features administrators can use.

      > Note, the virtual IP and floating IP can have the same IP address, but this is a bad network design and not deployed in almost any network architecture.

      I hope that helps you.
      Ty and Regards

  • Thanks. So my understanding should be like the below: router 3725-1's fa0/0 is 10.0.30.1, the virtual server address is 10.0.30.254 and the external floating IP is 10.0.30.110. The three IP addresses are in the same subnet. 10.0.30.1 can ping the other two IPs.

    The internal floating IP 10.0.20.110 and the node IPs 10.0.20.2-3 are in the same subnet. 10.0.20.2 can ping the internal floating IP 10.0.20.110.

    But when 10.0.30.1 pings the virtual server address, the router (10.0.20.2) does not receive any message from the F5. Is some config step missing? Please see the diagram below:

    • Paulius

      davidy2001 In order to answer this correctly we need a bit more information on what your pool is configured as for your Virtual Server in your first comment. If your objective is to allow traffic to pass from External to Internal and Internal to External for just routed traffic, you do not need to configure a specific pool; you just need a wildcard virtual server listening on the External and Internal VLANs or all VLANs. You can also use something similar to the wildcard virtual servers in this article.

      https://support.f5.com/csp/article/K7595

      If you intend to pass ICMP traffic only to those specific destination routers, you will need to create a pool that has those two router IPs in it and some other adjustments to the virtual server. I do not recommend setting up a virtual server for the purpose of only pinging between 3725-1 and 3725-2 or 3725-3; just use the wildcard virtual server. When a BIG-IP is deployed in routed mode and it sits in path, you will almost always want to configure a wildcard virtual server; otherwise routed traffic that doesn't match any other virtual server will be dropped.

    • Hi davidy2001,
      well,

      > You do not see the ICMP packets in the internal nodes (the 2 routers, 3725-2 and 3725-3) because the F5 appliance itself responds to ICMP packets and never lets them pass to your routers on the other side; this is the default behavior of the F5 system.

      In this case we need to change some configuration on the virtual server itself, and make F5 not take any action or respond to ping packets.

      > Firstly, configure your virtual server "ping-vs" as below:

      You can leave its type as standard or performance layer 4, but I prefer performance layer 4 because there is no need to make it standard.

      > After that, go to (Local Traffic > Virtual Servers tab, choose Virtual Address List > select your virtual server which has your routers behind it, "10.0.30.254")
      and change ("icmp echo" to disabled); you will find it "Always" by default.
      So your configuration should be like this:

      Click Update and exit.

      > Try to ping your virtual server "10.0.30.254" again; it should pass this traffic to one of your internal node routers (10.0.20.2, 10.0.20.3).
      Also check this snapshot from my lab environment:

      (My PC IP 10.10.10.1 tries to ping "10.10.10.5", the virtual server that I attached in the first snapshot; 30.30.30.2 is the self IP address in the internal servers' subnet and 30.30.30.30 is my internal node.)
      - show sys connection cs-client-addr is a tmsh script to see the active connections from this IP over my F5 device.

      Try to do this and tell me your status feedback.
      Thanks.

      • davidy2001

        Mohamed_Ahmed_Kansoh Thanks for your reply! Please see the screenshot below: user 3725-1 (10.0.30.1) and the virtual server (10.0.30.254) can ping each other, but the command show sys connection cs-client-addr 10.0.30.1 shows nothing. Maybe the issue is here.

        Secondly, my F5 is version 15.1. It looks like it does not show the ICMP options. I checked the whole page and cannot find the ICMP option. Please see below. Not sure if the option was cancelled.

  • Mohamed_Ahmed_Kansoh

    Let's use one of your replies to start the conversation.

      "it is not weired , each virtual server is only responsible for its nodes and when you disable icmp echo on " 10.0.30.254" virtual server this option is related only to this virtual server , and other virtual servers do not impacted by your change , you will find the option of icmp-echo still as default always on all virtual servers except " 10.0.30.254 virtual server ""

    I still have a question on this point. After I repeatedly tested, I found this phenomenon. Let's say there are two situations: one is when ICMP Echo is Disabled, 3725-1 can always ping the virtual server successfully. Once it is changed back to Always, 3725-1 can no longer ping the virtual server. The second situation is when ICMP Echo is Always; once it is changed back to Disabled, 3725-1 can no longer ping the virtual server. But I do not know what can cause the two different situations? Thanks

    • Hi davidy2001,
      when you set your option:

      > Always: this option makes F5 itself, as a device, reply to the ICMP packet when F5 itself sees that this virtual server is available ("green circle" or "blue square" on it); if this virtual server is not available or has a "red rhombus" or is marked down, F5 as a system device will not reply to ICMP.

      > Disabled: F5 as a device does not reply to ICMP whether its virtual server is available or not; it only takes the ICMP packets and sends them to its pool members/nodes.

      Briefly, the Always option tells the F5 device to reply to ICMP if the pinged virtual server is available, whereas Disabled tells the F5 device not to reply to the ICMP packets, but to pass the ICMP packets through to be relayed depending on the availability of the "pool members/nodes".

      > I will send you a snapshot of a very useful tab in the F5 GUI:

      The Help tab is our hand and foot in F5.

      Regards.
      Ty
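A toy model of the behaviour described in the replies above (destination NAT from the virtual server IP to a pool member with the client source unchanged, the Always/Disabled icmp-echo setting on the virtual address, and the TCP-profile mismatch for ICMP), added here as an illustration; it is not the thread's or F5's code, and the round-robin member choice and the simplified "available = any member up" rule are assumptions, with addresses taken from the thread's lab.

```python
# Added example, not from the thread or from F5: a simplified model of how a
# BIG-IP virtual server handles one inbound packet, following the replies above.
from dataclasses import dataclass, field
from itertools import cycle

@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "icmp" or "tcp"

@dataclass
class VirtualServer:
    address: str                # the virtual server IP, owned by the BIG-IP
    protocol: str               # "all" (All Protocols) or "tcp" (TCP profile)
    icmp_echo: str = "always"   # virtual-address setting: "always" or "disabled"
    pool: list = field(default_factory=list)  # (member_ip, is_up) pairs
    _rr: object = None          # round-robin iterator (assumption: RR balancing)

    def available(self):
        # Simplification: the VS is "green" when at least one member is up.
        return any(up for _, up in self.pool)

    def next_member(self):
        if self._rr is None:
            self._rr = cycle(ip for ip, up in self.pool if up)
        return next(self._rr)

    def handle(self, pkt):
        if pkt.dst != self.address:
            return ("no_match", None)
        if pkt.proto == "icmp" and self.icmp_echo == "always":
            # BIG-IP answers the echo itself; the pool members never see it.
            return ("reply_from_bigip", None) if self.available() else ("drop", None)
        if self.protocol != "all" and pkt.proto != self.protocol:
            # A TCP profile cannot carry ICMP: the packet is not processed.
            return ("drop", None)
        if not self.available():
            return ("drop", None)
        # Second half of the connection: destination NAT to a pool member,
        # source address left unchanged (no SNAT, as assumed in the reply).
        return ("forward", Packet(pkt.src, self.next_member(), pkt.proto))
```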

      • davidy2001

        Thanks. Can we say that no matter whether Always or Disabled is selected, traffic should be sent to the nodes from the virtual server?