Pinging SNAT Address

Brumik · ‎10-Jun-2021

I am running bigip VE edition 15.1.0.2 and configured a standard SNAT pool and attached to a virtual server.

ltm snat-translation /Common/192.168.20.6 {

address 192.168.20.6

inherited-traffic-group true

traffic-group /Common/traffic-group-1

}

ltm snatpool /Common/VSERVER_TEST {

members {

/Common/192.168.20.6

}

The webserver is up and running and the virtual server is available.

However from the webserver I cannot ping 192.168.20.6, but the ARP does resolve:

/ # arp -an

? (192.168.20.6) at 0c:6e:a5:be:62:03 [ether] on eth0

? (192.168.20.3) at 0c:6e:a5:be:62:03 [ether] on eth0

? (192.168.20.1) at 0c:6e:a5:be:62:03 [ether] on eth0

.1 and .3 are pingable.

According to this article https://support.f5.com/csp/article/K05703029 the SNAT is supposed to respond to ICMP, does anyone know if this is actually the case or has the behavior been changed between versions or is there any specific settings to enable this?

Thanks in advance.

SanjayP · ‎11-Jun-2021

Is there a firewall between server and F5? ICMP might be blocked there. If this isn't a case, run tcpdump on F5 and see if traffic reaches there.

Brumik · ‎12-Jun-2021

Hello Sanjay,

There is no firewall, the ping request arrives to the F5 but is not answered. Webserver is directly connected to the F5 via a switch.

Environment is in GNS3 but I dont think this makes a difference. I posted complete config below.

BR

Chris

ltm virtual /Common/http_vserver {

creation-time 2020-08-18:09:05:39

destination /Common/192.168.10.1:80

ip-protocol tcp

last-modified-time 2021-06-10:18:56:19

mask 255.255.255.255

pool /Common/http_pool

profiles {

/Common/fastL4 { }

/Common/http { }

}

rules {

/Common/gestamp

}

source-address-translation {

pool /Common/test_vs

type snat

}

translate-address enabled

translate-port enabled

vlans {

/Common/external

}

vlans-enabled

}