LTM - Monitor with "arping" relies on ARP-Cache
Hello fellow F5ers,
I have devices that can only be monitored via "arping" (don't ask, the devices are stupidly designed, some people may call that "secure"). There are several threads here on DevCentral covering the use of "arping" in external monitors, but I see a behavior that is not mentioned at all.
At least on my LTMs (running Version 15.1.2.1), arpings will get answered from the LTM's own ARP-Cache instead of sending a real request over the network. This can easily be tested by:
- Run a tcpdump that filters for arps: tcpdump -nni <vlan> arp
- On another console execute an arping: rdexec <rd> arping -c1 -I <vlan> <node-ip>
If there is no ARP-Entry in the LTM's ARP-Cache, you will see an ARP request with tcpdump. Any subsequent arpings will not be sent over the network as long as there is a valid entry in the ARP-Cache (default timeout 5 minutes). The moment you clear the ARP-Cache manually, the next arping will be sent over the network again.
This means that even when the system that you arping is offline (shutdown, no power, you name it), you will still receive successful arpings until the ARP-Cache entry times out.
Has anyone encountered a similar behavior?
Any idea how I can use arping to reliably determine whether the node is still alive?
Cheers,
Stefan