Forum Discussion

FrontmanFin
Mar 20, 2024
Solved

Making a default route is breaking my management auth

Hello,

I have TACACS configured for Configuration Utility/GUI access and it works.

My problem is, when I make a default route on the box (Network > Routes):

    source: 0.0.0.0
    dest: 0.0.0.0
    gateway: (gateway IP of my internal VLAN, not the same as my management network)

This kills my box's authentication with TACACS on the management side. Shouldn't the F5 reach out to TACACS on its management interface?


6 Replies

  • Resolved my issue. I made management-routes but that wasn't populating in the kernel route table (route -n from bash),

    so I added the routes to my TACACS:

    route add -net [network] netmask [mask] gw [gateway] metric 4096

    and that seems to have worked.

    • Paulius

      FrontmanFin You might consider figuring out why the routes aren't being added to the kernel route table rather than manually adding them. A lot of times OS level changes do not carry over after upgrades and you could encounter an issue when you perform one because of this.

  • FrontmanFin In order to assist you further, please provide the routing table for the F5, the output of the following command when in bash, and the destination for the TACACS server/s.

    route -n

  • Hello,

    As specified in https://my.f5.com/manage/s/article/K28172750, if you need to use the management interface to communicate with the remote authentication server outside the management subnet, then you must add a static management route that is more specific than any TMM routes to this server.

    To add a management route just follow article https://my.f5.com/manage/s/article/K13284

    tmsh create /sys management-route <name> network <destination network>/<netmask> gateway <management gateway>

    tmsh save /sys config

    BR

    • FrontmanFin

      Interesting (can't copy and paste the config but I'll elaborate).

      I did make management routes and it didn't work. I compared this to one of the correctly working F5s and I'm noticing that all the management routes for the working box show up in the routing table in route -rn with the Iface being mgmt.

      But in my broken box, that's not the case; the Kernel IP routing table doesn't show the mgmt routes I created at all.

      Is there something I need to do to update the Kernel IP routing table?

  • FrontmanFin creating and saving a management route via tmsh must create an entry in the netstat -nr routing table.

    If this is not going to happen it should be related to a problem in the BIG-IP instance, so I don't think you have solved the "real" problem.

    BR
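The two replies above agree on the test that matters: after `tmsh create /sys management-route ...`, the kernel table (`route -n` / `netstat -nr`) must show a route to the TACACS server that leaves via the mgmt interface and is more specific than the TMM default route. The script below is an added example, not code from the thread or from F5: it parses `route -n` output, does a longest-prefix match for the TACACS address, and reports whether the winning route is a mgmt route. The two route tables, the interface names (`mgmt`, `tmm`) and the address 10.0.50.7 are constructed for the demonstration; on a real box you would feed it the live table.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TACACS server address is
# reached through a management-interface route in the kernel table, i.e. whether
# the management route is more specific than the TMM default route.
# All route tables, interface names and addresses below are constructed.

# Constructed: a box where the management route for the TACACS subnet is present.
ROUTES_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.20.1      0.0.0.0         UG    0      0        0 tmm
10.0.50.0       192.168.1.1     255.255.255.0   UG    0      0        0 mgmt
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 mgmt
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 tmm'

# Constructed: the symptom from the thread, the management route never reached
# the kernel table, so only the TMM default route covers the TACACS server.
ROUTES_BROKEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.20.1      0.0.0.0         UG    0      0        0 tmm
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 mgmt
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 tmm'

# best_route DEST_IP ROUTE_TABLE_TEXT
# Prints "<iface> <prefix-length>" of the longest-prefix match for DEST_IP,
# or "none -1" if nothing matches. Pure POSIX awk: the netmask is applied per
# octet with integer arithmetic, so no bitwise operators are needed.
best_route() {
  printf '%s\n' "$2" | awk -v dst="$1" '
    BEGIN { best_len = -1; best_if = "none" }
    $1 ~ /^[0-9.]+$/ {
      split($1, d, "."); split($3, m, "."); split(dst, t, ".")
      ok = 1; len = 0
      for (i = 1; i <= 4; i++) {
        step = 256 - m[i]                 # contiguous mask: keep multiples of step
        if (int(t[i] / step) * step != int(d[i] / step) * step) ok = 0
        x = m[i]; while (x > 0) { if (x % 2) len++; x = int(x / 2) }   # popcount
      }
      if (ok && len > best_len) { best_len = len; best_if = $8 }
    }
    END { print best_if, best_len }'
}

# tacacs_via_mgmt DEST_IP ROUTE_TABLE_TEXT
# Succeeds only when the winning route leaves via the mgmt interface and is
# not the default route (prefix length 0), which is the condition K28172750
# describes for reaching an authentication server outside the management subnet.
tacacs_via_mgmt() {
  r=$(best_route "$1" "$2")
  iface=${r% *}
  plen=${r#* }
  [ "$iface" = "mgmt" ] && [ "$plen" -gt 0 ]
}

# On a real box: tacacs_via_mgmt "$TACACS_IP" "$(route -n)"
TACACS_IP=10.0.50.7   # constructed TACACS server address
for name in ROUTES_OK ROUTES_BROKEN; do
  eval "table=\$$name"
  if tacacs_via_mgmt "$TACACS_IP" "$table"; then
    echo "$name: $TACACS_IP reached via management route ($(best_route "$TACACS_IP" "$table"))"
  else
    echo "$name: $TACACS_IP falls through to '$(best_route "$TACACS_IP" "$table")', TACACS will leave via TMM"
  fi
done
```

Running it against the broken table reports `tmm 0`, the same picture FrontmanFin saw: the only matching entry is the TMM default route, so the TACACS request leaves through the data plane and the server never sees it from the management address. The check is deliberately read-only; adding the route by hand with `route add` papers over why tmsh did not populate the kernel table, which is the point Paulius raises above.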