In nPath configuration, BIG-IP does not send ICMP reply to the L3 switch.

KaiTT
Nimbostratus

[attached image: 캡처.PNG]

Hi All,

1) The Client sends an ICMP request to the 20.20.20.10 node IP destination.
2) Since the G/W of the Node is the self-IP of BIG-IP, the ICMP reply is sent to BIG-IP via the L3 switch.
3) BIG-IP drops this ICMP reply packet and does not send it to the L3 switch.
4) Similarly, if the Client attempts to access Pool member 20.20.20.10:80, BIG-IP drops the SYN-ACK packet and does not send it to the L3 switch.

I guess BIG-IP drops by itself because this ICMP reply packet does not match any virtual server configured in BIG-IP.

Do I need additional configuration to solve this?

5 REPLIES

Kai_Wilke
MVP

Hi TKC,

In a typical nPath configuration your servers don't use the F5 as Def-GW. It should be your router. The F5 should only see and balance ingress traffic...

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-12-1-0/4.ht...

Any specific reasons to use F5 as Def-GW on your servers? 

Cheers, Kai


iRule can do… 😉

Hi @KaiTT , 

> You should change your configuration a little bit; use one of two scenarios:

  1. Change the default gateway to "20.20.20.1" instead of using the BIG-IP self-IP as a gateway, and configure
    (SNAT automap or SNAT pool).
    In this scenario, ICMP traffic should go through the L3 switch without forwarding it to BIG-IP.
    All of this with respect to your routes.
  2. Configure a fast layer 4 virtual server on your BIG-IP and do not assign a TCP profile to it; allow all protocols.
    After creating it, go to the virtual address and configure "echo-reply = disabled", not "always",
    like below:
    [attached image: echo.PNG]

In this scenario, ICMP traffic should go through BIG-IP to server 20.20.20.10 and return back to the F5 BIG-IP, "its gateway".

> You only need to adjust your traffic flow. I recommend doing the first scenario; using SNAT is very useful, so try it.

Regards. 

_______________________
Regards
Mohamed Kansoh

Hi  Mohamed,

Thank you for your kind reply.

As I mentioned to Kai, the automap is not available.

I am testing it because I think it can be solved with forwarding VS.

Thanks.

Hi Kai,

Because the server needs to verify the source IP.

I understand that if I change the G/W of the server to L3 and configure Automap, I need the X-Forwarded-For function to check the source IP.

However, the G/W of the server was configured as L4 because the end customer was not able to use the X-Forwarded-For feature.

I searched on the forum and I think it can be solved with forwarding virtual server.

Is it possible to solve it with the configuration below?

ltm virtual Forwading_VS {
    creation-time 2021-08-20:21:22:48
    destination 0.0.0.0:any
    ip-forward
    ip-protocol tcp
    last-modified-time 2021-08-21:10:00:37
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 6
}

Hi TKC,

I'm not sure if an asymmetric routing setup is the right choice for your use case. The asymmetric routing may have certain unwanted side effects...

I would rather put the F5 bidirectionally between your router and servers, so that the ingress and egress communication gets processed by your F5 (e.g. Client <-> Router <-> F5 <-> Servers). A very traditional and well known setup without any hidden side effects. By doing so, your Clients could directly access your backend servers or virtual servers on the F5 and the servers could also reach the networks attached behind your router.

And yes, an IP-Forwarding virtual server enables routing through your F5. So in any case this is the right way to pass traffic transparently to/from your servers.

Cheers, Kai


iRule can do… 😉
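As an added example (not from this thread, and not an F5 reference configuration), the following tmsh commands build the IP-forwarding virtual server Kai confirms above and apply the virtual-address ICMP setting from Mohamed's second scenario. The object name vs_fwd_all and the VLAN name internal are assumptions; the destination and mask values mirror the configuration posted earlier in the thread.

```tmsh
# Added example, typed in the BIG-IP advanced shell with the tmsh prefix.
# vs_fwd_all and the VLAN "internal" are placeholder names (assumptions).

# 1) Wildcard IP-forwarding virtual server: routes traffic through BIG-IP
#    without a pool. ip-protocol any is what lets ICMP echo replies match;
#    a forwarding virtual server limited to ip-protocol tcp only matches TCP,
#    so ICMP would still fall through and be dropped.
tmsh create ltm virtual vs_fwd_all \
    destination 0.0.0.0:any \
    mask 255.255.255.255 \
    source 0.0.0.0/0 \
    ip-protocol any \
    ip-forward \
    profiles add { fastL4 } \
    translate-address disabled \
    translate-port disabled \
    source-address-translation { type none } \
    vlans-enabled \
    vlans add { internal }

# 2) The wildcard virtual address 0.0.0.0 is created with the virtual server.
#    icmp-echo controls whether BIG-IP answers echo requests for that address
#    itself (enabled / disabled / selective); disabled matches the screenshot
#    setting described in scenario 2.
tmsh modify ltm virtual-address 0.0.0.0 icmp-echo disabled

# 3) Verify the objects and persist the running configuration.
tmsh list ltm virtual vs_fwd_all
tmsh list ltm virtual-address 0.0.0.0
tmsh save sys config
```

Keep source-address-translation at none when the servers must see the real client address: SNAT on a forwarding virtual server rewrites the source of everything it forwards, which is the same objection raised against automap earlier in the thread. Restricting the listener to the server-side VLAN with vlans-enabled keeps a 0.0.0.0:any forwarder from picking up unrelated traffic arriving on the client side.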