iamsajjad
Sep 29, 2022

Seeing "echo (ping) request -- (no response found!)" from an ACI leaf to the F5 floating IP

Hello all who believe "It's not the F5",

I am having some network issue in a Bigip setup that involves a non-default route domain and 2 VRFs.

Bigip is in-line that has a wildcard for any port and protocol that is supposed to forward icmp.

It has 2 Floating IPs in one non-default route domain for 2 VLANs let us call them alpha and beta associated with 2 VRFs: LEFT (alpha vlan) and RIGHT (beta vlan) on ACI. There is no firewall between RIGHT VRF (i.e. close to beta vlan) and F5.

On F5 there is an A.B.C.D/## network route to go to RIGHT VRF using gw on ACI as next hop.

On F5 there is also a default route using ACI gw of LEFT VRF as next hop.

On ACI for LEFT VRF there is A.B.C.D/## network route using the floating IP of alpha vlan as next hop

On ACI for RIGHT VRF there is default route using floating IP of beta vlan as next hop.

Client is trying to ping between security appliances or floating IPs across two VRFs.

I did a packet capture and I see Response not found (icmp.resp_not_found) for Echo (ping) request either direction.

In Wireshark seeing "echo (ping) request id=0x7070, seq=1/256, ttl=62 (no response found!)"

12 58.020868 #.#.#.# A.B.C.E ICMP 162 IN s3/tmm0 : Echo (ping) request id=0x7070, seq=1/256, ttl=62 (no response found!)

I wish I could debug ip flow and see what's happening tcp stack wise. Due to security reasons I can't install ipflow.

Sorry had to go with description of the setup due to organization policy. Any lead to potential issue will be greatly appreciated!

Thanks.

  • Hi iamsajjad, thanks for the description. For this one, it would be helpful if you could paste snippets of the config (redact private info, IPs, etc.) of the forwarding virtual, self/floating IPs, routes. A quick diagram could help as well. I think I understand the topology based on your description but a diagram would just help confirm. I'm assuming the packet capture is from the client?

    • iamsajjad

      I didn't do the justice just giving highlight of the architecture in a diagram. Turns out netmask of destination for forwarding virtual server did not have /0 at the end so it was not "any" but was treated as /32.
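The resolution above, together with the later point in this thread that the forwarder must exist in the route domain the traffic arrives in, as an added example that is not part of the original thread. The `addr%route_domain/prefix` destination syntax, the function names and the sample addresses are assumptions made for this sketch, not F5 configuration or API.

```python
import ipaddress

# Destination syntax "addr[%route_domain][/prefix]" is an assumption of this
# example; a spec with no prefix is taken as a host entry, as the thread reports.
def parse_destination(spec, default_rd=0):
    addr, _, prefix = spec.partition("/")
    addr, _, rd = addr.partition("%")
    ip = ipaddress.ip_address(addr)
    plen = int(prefix) if prefix else ip.max_prefixlen  # no "/n" -> /32 (or /128)
    net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    return net, (int(rd) if rd else default_rd), bool(prefix)

def matches(spec, dst_ip, dst_rd):
    """True if a packet to dst_ip in route domain dst_rd hits this destination."""
    net, rd, _ = parse_destination(spec)
    return rd == dst_rd and ipaddress.ip_address(dst_ip) in net

def audit(specs):
    """Return specs that look like intended wildcards but have no prefix length."""
    return [s for s in specs
            if not parse_destination(s)[2]
            and parse_destination(s)[0].network_address.is_unspecified]

# Constructed sample data (not from the thread): documentation-range probe address.
SPECS = ["0.0.0.0%2", "0.0.0.0%2/0", "0.0.0.0%1/0"]
PROBE = ("192.0.2.60", 2)

if __name__ == "__main__":
    for spec in SPECS:
        print(f"{spec:14} matches {PROBE}: {matches(spec, *PROBE)}")
    print("missing prefix on wildcard:", audit(SPECS))
```

Only the destination with an explicit `/0` in the probe's own route domain matches; the prefix-less one is flagged by `audit`.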

    • iamsajjad

      Hello buulam thanks for going through my posting and trying to help.

      .60 and .92 are the floating IPs on F5.

      As requested here is the sketch of topology and routes from ACI and F5 (RD # 2).

      From ACI or server in RIGHT VRF don't get reply if they ping server on LEFT or .60 floating IP of F5. Times out. Capture was done on F5. It's true for other direction as well.

  • Hi iamsajjad, if I'm imagining the diagram properly, you have all the "back end" stuff in one route domain, correct? Even if all the routing is set up correctly, remember that a route is only the infrastructure you need to forward traffic; you still need a forwarder to allow it. You mention you have a wildcard virtual server for icmp, but does that exist in both route domains?

    • iamsajjad

      Hey JRahm 

      Spot on putting together the puzzle pieces! Yes there are Wildcard IP Forwarding VS for other protocols in 2 route domains meant for left and right VRFs.

  • Do you see the request hit the endpoint in question?

    Do you have the routes in your non-default RD? That was not explicitly called out.  You just said there were routes there.

    If you tcpdump on the bigip with -nei 0.0, are you seeing the requests hit the appropriate route domains and exiting towards the ACI?

    • iamsajjad

      I've shared ip route in response to buulam's reply and query. Can you kindly have a look. I didn't get a chance to do the tcpdump with -nei. Will trying the following provide the desired output, considering the client can only ping:

       tcpdump -nni 0.0:nnnp -s 0 host

       

      Can you please correct me if it's wrong. Thanks!