iControl get_static_route_destination inconsistency
On get_static_route_destination on urn iControl:Networking/RouteTableV2 there is missing info regarding the route domain on default gateway objects. It works fine on nondefault static routes. For example:

root@(f5-test)(cfg-sync Standalone)(Active)(/Common)(tmos) list net route VLAN_99
net route VLAN_99 {
    gw 192.168.254.214%834
    network default%99
}

iControl req:

<soapenv:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mon="urn:iControl:Networking/RouteTableV2" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ins0="urn:iControl">
  <soapenv:Body>
    <mon:get_static_route_destination>
      <routes>
        <item>/Common/VLAN_99</item>
      </routes>
    </mon:get_static_route_destination>
  </soapenv:Body>
</soapenv:Envelope>

iControl response:

<E:Envelope xmlns:E="http://schemas.xmlsoap.org/soap/envelope/" xmlns:A="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://www.w3.org/2001/XMLSchema-instance" xmlns:y="http://www.w3.org/2001/XMLSchema" xmlns:iControl="urn:iControl" E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <E:Body>
    <m:get_static_route_destinationResponse xmlns:m="urn:iControl:Networking/RouteTableV2">
      <return s:type="A:Array" A:arrayType="iControl:Networking.RouteTableV2.RouteDestination[1]">
        <item>
          <address s:type="y:string">0.0.0.0</address>
          <netmask s:type="y:string">0.0.0.0</netmask>
        </item>
      </return>
    </m:get_static_route_destinationResponse>
  </E:Body>
</E:Envelope>

System info:

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.5.0
  Build    2.0.231
  Edition  Hotfix HF2
  Date     Thu Apr 10 22:52:27 PDT 2014

So, is there a way to get info regarding the network route domain of the default route? On a nondefault route iControl returns the route domain in the address element of the response, so I'd expect it to behave the same with the default route. Thank you
Default Route into OSPF
I am unable to advertise a default route 0.0.0.0/0 from the F5 into OSPF. I have an F5 VE running 12.1.1 on KVM-QEMU. IMI is running and I have neighbor relationships with the appropriate routers. All other routes that I test are added without issues, but I do not see the 0.0.0.0/0 route being advertised into OSPF.

My ZebOS config:

[root@F5-INTERNET-01:Active:In Sync] config cat zebos/rd0/ZebOS.conf
!
no service password-encryption
!
interface lo
!
interface tmm
!
interface Core
 ip ospf priority 0
 ip ospf mtu-ignore
!
interface Internet
!
router ospf
 ospf router-id 10.246.3.250
 redistribute kernel
 passive-interface Internet
 network 10.246.3.0 0.0.0.255 area 0.0.0.0
!
line con 0
 login
line vty 0 39
 login
!
end

Here is the LTM configuration:

ltm virtual /Common/Test {
    destination /Common/0.0.0.0:0
    ip-protocol tcp
    mask any
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port disabled
}
ltm virtual /Common/test2 {
    destination /Common/10.10.10.1:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual /Common/test3 {
    destination /Common/20.20.20.0:0
    ip-protocol tcp
    mask 255.255.255.0
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port disabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask any
    route-advertisement enabled
    server-scope none
    traffic-group /Common/traffic-group-1
}
ltm virtual-address /Common/10.10.10.1 {
    address 10.10.10.1
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    route-advertisement enabled
    server-scope none
    traffic-group /Common/traffic-group-1
}
ltm virtual-address /Common/20.20.20.0 {
    address 20.20.20.0
    arp disabled
    icmp-echo disabled
    mask 255.255.255.0
    route-advertisement enabled
    server-scope none
    traffic-group /Common/traffic-group-1
}

What is the issue?
SSL-VPN - Route all traffic NOT via the default gateway but via the CUSTOM gateway
Hi,

We are working to implement a new VPN stream that ends on F5. Our goal is to terminate the SSL VPN on F5 but filter the traffic on the firewall; we don't want to do ACLs on F5. We need to set up a full tunnel. Our infrastructure is illustrated in a simplified way in the attached diagram.

However, we have problems with the routing of traffic, as we do not want to allow clients to reach the network resources (Virtual Machine and Virtual Server) located in the networks directly connected on F5. To avoid this behavior we created a new DMZ 192.168.2.0/24 network to use a SNAT of this network (192.168.2.10) to route traffic to the firewall. The problems arose here, as the traffic to the Internet takes the default network and then arrives on the firewall on the IP 192.168.1.1, while the traffic to LAN 1 and LAN 2 uses the F5 self IPs on those networks. We would like to make sure that all traffic from the VPN arrives on the firewall on IP 192.168.2.1 of the new DMZ network.

We tried the following:
1) rotate the traffic to a specific gateway (https://support.f5.com/csp/article/K18487629), but it didn't work and the traffic to the LANs doesn't go through the firewall. We have created a new dedicated VS.
2) implemented a PBR via iRule (https://support.f5.com/csp/article/K20510467), but it didn't work.

We may have done something wrong in the configuration of the two points indicated above, and we have tried the various combinations, but we are unable to find any solution. Can you help us understand how to set up the correct flow? Is it possible to foresee that F5 does not follow the default routing and does not allow direct access to connected LANs?

I hope the flow described is clear.
Thanks
Big-ip default route - rule of thumb?
I'm wondering if there's a "rule of thumb" for configuring a default route, i.e. which network to use if there's just one. For example, a 2200 with...

Management access: 192.168.10.0
Vservers: 192.168.110.0
Backend networks: 192.168.20.0, 192.168.30.0 and 192.168.40.0
(assume all use a /24 mask)

Thus in this scenario, which network should I use for my default route? I've seen some articles about configuring multiple routes, but no "best practice" if there's only one. Thanks!
Cluster Cross subnet
Hi,

We currently have two independent clusters of F5 in separate subnets (sites) and require a method for synchronizing the configuration between them. There is a restriction on the deployment where they must be in separate subnets. The two sites run active-active.

The obvious issue for this is that the gateways are separate, and when we attempt to synchronize the configuration the gateway address is clobbered, resulting in the routing breaking.

We've tried a few things including:
- sync only; doesn't synchronize everything
- ip gw pool w/ sync fail-over; server split routing
- looking at the files manually and syncing them with an external script

Does anybody have advice on how they would handle this situation? Thanks.
Gateway Failsafe and default gateways
Hi,

I am quite lost concerning how Gateway Failsafe (GF) can be used to monitor the def GW in a cluster. The Def GW object is an object synced between nodes, so I can't see a way to set two different Def GWs on the nodes. GF is based on monitoring two different gateways (or other objects). Each device has to use a completely separate pool with separate pool members, like:

DeviceA - gf1_pool - 10.10.10.1:0
DeviceB - gf2_pool - 10.10.11.1:0

It makes sense, because in case of a failover based on GF the new Active should have its pool UP. If it were the same device then most probably it would be Down, same as on the Active. Sure, both devices can have different network paths to the same device, but probably it's less frequent.

Maybe it is the name used for this feature that suggested to me that it can be used to monitor the Def GW, but in fact it's not at all?

The final question is if there is a way to have a separate Def GW per node in a cluster? I mean using the Routes config, not magic with VSs? And can GF be used to actually monitor access to the Internet from the nodes, via separate gateways?

Piotr
Static route gateway X.X.X.X is not directly connected via an interface
Hello,

When verifying the bigip.conf file, an error is reported about a network route. But the error has no reason to be there. Here is the error:

load sys conf file /config/bigip.conf verify
Validating system configuration...
.
.
Validating configuration...
/config/bigip.conf
01070330:3: Static route gateway 10.10.99.254 is not directly connected via an interface.
Unexpected Error: Validating configuration process failed.

When I then exit tmsh and look at my network configuration I see that 10.10.99.254 is on the same network as one of my interfaces.

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.252 U         0 0          0 HA
127.1.1.0       0.0.0.0         255.255.255.0   U         0 0          0 tmm0
127.3.0.0       0.0.0.0         255.255.255.0   U         0 0          0 mgmt_bp
192.168.20.0    0.0.0.0         255.255.255.0   U         0 0          0 vlan20
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.220.220.0    0.0.0.0         255.255.255.0   U         0 0          0 vlan220
10.194.94.0     0.0.0.0         255.255.255.0   U         0 0          0 vlan194
127.2.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0.1
10.10.96.0      0.0.0.0         255.255.252.0   U         0 0          0 vlan1
&&&& LOOK HERE &&&&
0.0.0.0         10.10.99.254    0.0.0.0         UG        0 0          0 vlan1

This configuration is up and running. I can even ping 10.10.99.254... I am just worried this error hides something more serious.

FYI we run version BIG-IP 11.3.0 Build 3144.51 Engineering Hotfix HF8.

Thanking you in advance,
Alberto
Does the Big-IP use its management IP address to query the internet for F5 updates?
I'm seeing my F5 try to query the internet to check for updates after I manually pressed "Check Now" from the update check page. It's currently trying to reach out to the internet from its Self-IP, not the management address. Should the F5 be using its Self-IP by default to query that update server out on the internet, or should it be using its management IP address? I ask because I currently have a static default route on the F5 that says if you're going to 0.0.0.0, take your default gateway at 10.251.12.1 (the default gateway for the Self-IP). Is this why it's trying to source the request from that address, or would it be doing it by default anyway even if I didn't have that default route set?
Do I need a "Route" configured for route domain 0?
Hi all,

I'm currently using route domain 0 for everything on the Big-IP. I've not created any other route domains. When I go to Network > Routes, there are no routes listed. Do I need to create a default route for route domain 0? What does route domain 0 use as its default route if I don't specify one?
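Three of the posts above turn on the same two details: how BIG-IP spells a route domain on an address (the `%834` and `default%99` tokens in the iControl post, and the `%RD`-less default route in route domain 0 asked about just above), and the check behind the `01070330` error in the "Static route gateway X.X.X.X is not directly connected via an interface" post, which requires the gateway to sit on the subnet of a self IP in the gateway's route domain. The following script is an added example, not code from any of the posts or from F5: it parses `list net route` output and an iControl `get_static_route_destinationResponse`, normalises the `ADDR[%RD][/PREFIX]` tokens, and runs the on-link check. The route stanzas, the self IP prefixes and the SOAP reply are constructed from values in the posts; the self IP in route domain 834 is an assumption.

```python
"""Route-domain-aware checks on BIG-IP static routes (added example, not F5 code).

Parses tmsh "list net route" output and an iControl get_static_route_destination
reply, normalises ADDR[%RD][/PREFIX] tokens, and checks that each gateway lies on
the subnet of a self IP in the gateway's route domain (tmsh error 01070330).
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional

# tmsh address tokens: "10.10.96.1%5/22", "192.168.254.214%834", "default%99".
# A missing %RD means route domain 0; "default" is tmsh's name for 0.0.0.0/0.
_TOKEN_RE = re.compile(r"^(?P<addr>[^%/\s]+)(?:%(?P<rd>\d+))?(?:/(?P<pfx>\d+))?$")
_ROUTE_RE = re.compile(r"net route (\S+) \{(.*?)\}", re.S)


class Token(NamedTuple):
    addr: str
    rd: int
    prefix: Optional[int]


class StaticRoute(NamedTuple):
    name: str
    network: Token
    gw: Optional[Token]  # None for interface routes, which have no gateway


def parse_token(token: str) -> Token:
    """Split a tmsh address token into (address, route domain, prefix length)."""
    m = _TOKEN_RE.match(token.strip())
    if not m:
        raise ValueError(f"not a tmsh address token: {token!r}")
    addr, pfx = m.group("addr"), m.group("pfx")
    rd = int(m.group("rd")) if m.group("rd") else 0
    if addr == "default":
        addr, pfx = "0.0.0.0", "0"
    elif addr == "default-inet6":
        addr, pfx = "::", "0"
    return Token(addr, rd, int(pfx) if pfx is not None else None)


def parse_tmsh_routes(text: str) -> List[StaticRoute]:
    """Parse "list net route" stanzas, one-line or pretty-printed.

    Assumes every property is one whitespace-separated key/value pair, which
    holds for gw, network, interface and mtu (not for a quoted description).
    """
    routes = []
    for name, body in _ROUTE_RE.findall(text):
        toks = body.split()
        props = dict(zip(toks[0::2], toks[1::2]))
        gw = parse_token(props["gw"]) if "gw" in props else None
        routes.append(StaticRoute(name, parse_token(props["network"]), gw))
    return routes


def parse_icontrol_destinations(soap: str) -> List[Token]:
    """Return the <address> tokens of a get_static_route_destinationResponse."""
    root = ET.fromstring(soap)
    return [parse_token(el.text) for el in root.iter()
            if el.tag.endswith("address") and el.text]


def connected_self(gw: Token, selfs: List[Token]) -> Optional[str]:
    """Self IP (as ADDR%RD/PREFIX) whose subnet, in the gateway's route domain,
    contains the gateway; None means "not directly connected via an interface"."""
    gw_ip = ipaddress.ip_address(gw.addr)
    for s in selfs:
        if s.rd != gw.rd or s.prefix is None:
            continue
        if gw_ip in ipaddress.ip_interface(f"{s.addr}/{s.prefix}").network:
            return f"{s.addr}%{s.rd}/{s.prefix}"
    return None


def check_routes(route_text: str, self_tokens: List[str]) -> Dict[str, Optional[str]]:
    """Map each gateway route name to the self IP it is reachable through."""
    selfs = [parse_token(t) for t in self_tokens]
    return {r.name: connected_self(r.gw, selfs)
            for r in parse_tmsh_routes(route_text) if r.gw is not None}


# Constructed input: the VLAN_99 route from the iControl post, plus a route
# domain 0 default route whose gateway is the 10.10.99.254 of the netstat table.
ROUTES = """
net route VLAN_99 { gw 192.168.254.214%834 network default%99 }
net route default {
    gw 10.10.99.254
    network default
}
"""
# Assumed self IPs: 10.10.96.1/22 sits on the netstat line "10.10.96.0 ...
# 255.255.252.0 ... vlan1"; the route domain 834 self IP is made up.
SELFS = ["10.10.96.1/22", "192.168.254.2%834/24"]
# Constructed reply in the shape the iControl post shows, namespaces trimmed.
SOAP_REPLY = """<E:Envelope xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:m="urn:iControl:Networking/RouteTableV2"><E:Body>
  <m:get_static_route_destinationResponse><return>
    <item><address>0.0.0.0</address><netmask>0.0.0.0</netmask></item>
  </return></m:get_static_route_destinationResponse></E:Body></E:Envelope>"""

if __name__ == "__main__":
    for name, via in check_routes(ROUTES, SELFS).items():
        print(f"{name}: {'via ' + via if via else 'NOT directly connected'}")
    tmsh_rd = parse_tmsh_routes(ROUTES)[0].network.rd        # 99, from "default%99"
    soap_rd = parse_icontrol_destinations(SOAP_REPLY)[0].rd   # 0, no %RD in the reply
    print(f"VLAN_99 route domain: tmsh {tmsh_rd}, iControl {soap_rd}")
```

Dropping the route domain 834 self IP from `SELFS` makes `check_routes` report `VLAN_99` as not connected, which is the condition the `01070330` message describes; the last two lines reproduce the discrepancy from the iControl post, where tmsh carries the route domain on the default route and the SOAP `address` element does not.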