Forum Discussion

KaiTT
Nov 30, 2022

In nPath configuration, BIG-IP does not send ICMP reply to the L3 switch.

Hi All,

1) The Client sends an ICMP request to the 20.20.20.10 node IP destination.
2) Since the G/W of the Node is the self-IP of BIG-IP, the ICMP reply is sent to BIG-IP via the L3 switch.
3) BIG-IP drops this ICMP reply packet and does not send it to the L3 switch.
4) Similarly, if the Client attempts to access Pool member 20.20.20.10:80, BIG-IP drops the SYN-ACK packet and does not send it to the L3 switch.

I guess BIG-IP drops it by itself because this ICMP reply packet does not match any virtual server configured in BIG-IP.

Do I need additional configuration to solve this?

5 Replies

    • Hi KaiTT,

      > You should change your configuration a little bit; use one of two scenarios:

      1.  Change the default gateway to "20.20.20.1" instead of using the BIG-IP self-IP as a gateway, and configure
        (SNAT automap or SNAT pool).
        In this scenario, ICMP traffic should go through the L3 switch without being forwarded to BIG-IP.
        All of this with respect to your routes.
      2.  Configure a FastL4 virtual server on your BIG-IP and do not assign a TCP profile to it; allow all protocols.
        After creating it, go to the virtual address and configure "echo-reply = disabled", not "always",
        like below:

      In this scenario, ICMP traffic should go through BIG-IP to server 20.20.20.10 and return back to F5 BIG-IP, "its gateway".

      > You only need to adjust your traffic flow. I recommend the first scenario; using SNAT is very useful, so try it.

      Regards.

      • KaiTT

        Hi Mohamed,

        Thank you for your kind reply.

        As I mentioned to Kai, the automap is not available.

        I am testing it because I think it can be solved with a forwarding VS.

        Thanks.

    • KaiTT

      Hi Kai,

      Because the server needs to verify the source IP.

      I understand that if I change the G/W of the server to L3 and configure Automap, I need the X-Forwarded-For function to check the source IP.

      However, the G/W of the server was configured as L4 because the end customer was not able to use the X-Forwarded-For feature.

      I searched on the forum and I think it can be solved with a forwarding virtual server.

      Is it possible to solve it with the configuration below?

      ltm virtual Forwading_VS {
          creation-time 2021-08-20:21:22:48
          destination 0.0.0.0:any
          ip-forward
          ip-protocol tcp
          last-modified-time 2021-08-21:10:00:37
          mask 255.255.255.255
          profiles {
              fastL4 { }
          }
          serverssl-use-sni disabled
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          translate-address disabled
          translate-port disabled
          vs-index 6
      }

      • Hi TKC,

        I'm not sure if an asymmetric routing setup is the right choice for your use case. Asymmetric routing may have certain unwanted side effects...

        I would rather put the F5 bidirectionally between your router and servers, so that the ingress and egress communication gets processed by your F5 (e.g. Client <-> Router <-> F5 <-> Servers). A very traditional and well-known setup without any hidden side effects. By doing so, your Clients could directly access your backend servers or virtual servers on the F5, and the servers could also reach the networks attached behind your router.

        And yes, an IP-Forwarding virtual server enables routing through your F5. So in any case this is the right way to pass traffic transparently to/from your servers.

        Cheers, Kai
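For reference, the forwarding-virtual setup Kai describes, written out as an added example that is not from any post in this thread. The names fwd_from_servers and server_vlan, the 20.20.20.0/24 server subnet and the 20.20.20.1 self-IP acting as the servers' gateway are assumptions. The example is deliberately scoped: it only matches packets arriving on the server VLAN from the server subnet (BIG-IP is default-deny, so without a matching virtual the SYN-ACK and the ICMP echo reply from 20.20.20.10 are simply dropped), it allows all IP protocols (a TCP-only forwarding virtual would pass the SYN-ACK but still drop the ICMP echo reply), and it leaves SNAT off so the servers keep seeing the real client address, which is the constraint KaiTT gives. The two commands at the end are the check that the virtual is actually matching the return traffic.

```tmsh
# Added example (not from the thread). Assumed names/addresses:
#   server VLAN   = server_vlan
#   server subnet = 20.20.20.0/24 (BIG-IP self-IP 20.20.20.1 is the servers' gateway)
# Apply the stanza below with:  tmsh load sys config merge from-terminal
# (paste only the "ltm virtual ..." block, then press Ctrl-D)
ltm virtual fwd_from_servers {
    destination 0.0.0.0:any
    mask any
    source 20.20.20.0/24
    ip-forward
    ip-protocol any
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type none
    }
    translate-address disabled
    translate-port disabled
    vlans {
        server_vlan
    }
    vlans-enabled
}
# Verify that return traffic now hits the virtual instead of being dropped:
#   tmsh show ltm virtual fwd_from_servers          (packets in/out must increment while you ping)
#   tcpdump -nni 0.0:nnn host 20.20.20.10 and icmp   (echo replies should leave toward the client)
```

If the counters stay at zero while the client pings, check that the packets really arrive on server_vlan and from 20.20.20.0/24; a forwarding virtual bound to the wrong VLAN or with a too narrow source filter behaves exactly like having no virtual at all. Asymmetric routing remains, as Kai notes: client-to-server traffic still bypasses the BIG-IP, so stateful features that need to see both directions will not work on this path.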