Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Unable to browse to the internet from F5 CLI

Hi There,

I am trying to setup F5 VE in ESXi host. Version of F5 VE I am using is VE 13.0. Issue that I am having right now is from F5 CLI I am unable to get out on the Internet i.e. unable to Telnet to say 8.8.8.8 443.

Error that I am getting is No host to route.

In my ESXi host I have standard vSwitch with two NIC public and private. I have assigned the right public to F5 external interface, created a default gateway and a selfIP with allowed port default. However I am still unable to get on the Internet from the F5.

Is there something I am missing?

Any help will be highly appreciated

Thanks

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Have you configured route on the device ? Can you ping the 8.8.8.8 IP address ?

0
Comments on this Answer
Comment made 22-Mar-2017 by mr.evil 279

Yes, I did create an external_GW route and assigned the public IP GW to it... however I am getting destination is unreachable.

0
Comment made 22-Mar-2017 by Kees van den Bos 814

Can you ping the gateway?

0
Comment made 23-Mar-2017 by mr.evil 279

Unfortunately no.

This the setup ESXI host with 4 physical NIC ( 2 of them are connected, one of private and other for public) F5 VE has following interfaces

1.1 ---> not configured

1.2 --> set for external (ESXi Public interface is connected to this F5 1.2 interface, confirmed by looking at the MAC address in Vmware )

1.3 ---> not configured

In F5 I have external_gw route xxx.xxx.xxx.113

vLAN_EXT assigned to interface 1.2

SelftIP for EXT is xxx.xxx.xxx.126/28

There is no forwarding VIP configured.

That's the VE configuration so far.

Thanks

0
Comment made 28-Mar-2017 by mr.evil 279

This is what I found out, it appears that there are two physical NIC configure in ESXI host (private and public)

However the Private NIC has been trunked to carry three subsets ( 10.13x.x.x./26 (MGMT) , 10.4x.0.0/27 and 10.4x.0.0/26 (both private) ). I can confirm from the ESXI cli I am able ping each Default GW of each subnets however from F5 I am only able to ping 10.13x.x.x./26 as I have added 10.13x.x as default route. So in f5 VE I have tried to create a trunk with NIC 1.1 (internal) and 1.3 (HA) but unable to assing the trunk to a vLAN getting the an error "vLAN needs to be assign to one interface", after reading through some article it does suggest VE do support trunking however in my case I am unable to do so.

Can someone please tell me whether F5 13.0 VE does support trunking or if I am missing something.

Thanks

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi. Do you have management interface configured ? I think cli uses it

0
Comments on this Answer
Comment made 28-Mar-2017 by mr.evil 279

Yes I do, that is now I can get on the CLI and or GUI

0
Comment made 28-Mar-2017 by Sergi Munyoz 122

Hi. Never tried to use vlans on VE, don't know if supported why don't you start with a simple config ? Management on eth0, public on eth1 and a private network pn eth2 f.ex. ? After it works then you can add vlans and maybe question will be answered itself What I can give you is a sample routing table of my VE (simple deployment like previous example)

Destination Gateway Genmask Flags Metric Ref Use Iface 127.1.1.0 * 255.255.255.0 U 0 0 0 tmm 192.168.112.0 * 255.255.255.0 U 0 0 0 internal 192.168.113.0 192.168.112.127 255.255.255.0 UG 0 0 0 internal 192.168.113.0 * 255.255.255.0 U 0 0 0 eth0 192.168.111.0 * 255.255.255.0 U 0 0 0 external 127.7.0.0 tmm-shared 255.255.0.0 UG 0 0 0 tmm 127.20.0.0 * 255.255.0.0 U 0 0 0 tmm_bp default 192.168.111.127 0.0.0.0 UG 0 0 0 external default 192.168.113.183 0.0.0.0 UG 9 0 0 eth0

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

In F5, Network adapters mapping is:

  • VMware Net Adapter 1 : F5 Mgmt
  • VMware Net Adapter 2 : F5 1.1
  • VMware Net Adapter 3 : F5 1.2
  • VMware Net Adapter 4 : F5 1.3

In VMware, vlan tagging in VM is only supported is vSWITCH is defined with a VLAN ID 4095

Look at this documentation:

https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004252

F5 VE does not support Trunks (link aggregation). this feature is only supported on hardware appliances.

0
Comments on this Answer
Comment made 28-Mar-2017 by Sergi Munyoz 122

I think he talks about Cisco interfaces in trunk mode (vlan tagging) Nice research about VM, I didn't know tagging could be done this way, directly on VM ethernet Thanks

0
Comment made 28-Mar-2017 by Stanislas Piron 10677

I agree with you about the misunderstanding with trunks. that's why I talked about both features.

even if VMware support VM vlan tagging, I recommend to add network adapters to the virtual appliance instead of using VLAN tagging.

VMWare support up to 10 virtual adapters per VM.

0
Comment made 28-Mar-2017 by Sergi Munyoz 122

This is what I've done always with generic VM's... So, can be VMnet adapters added to F5 VE ??? Because maybe is an easy way to solve this question, add adapters, one per vlan needed

0
Comment made 28-Mar-2017 by Stanislas Piron 10677

Of course you can add network adapters.

look at this documentation about how to add new adapters.

1
Comment made 28-Mar-2017 by mr.evil 279

Thanks guys, last night I did manged to ping all the private vLAN from F5 CLI after deleting all the NIC from VE downloading form the F5 website and re-adding them. For external it is still not possible as the ESXI host doesnt have any physical connection between ESXI and switch responsible for external traffic.

This is not the only issue I am facing, the bigger issue is infrastructure MGMT network and f5 MGMT network is also sitting on the same and also infrastructure MGMT is used to route traffic to all the MGMT devices i.e. DNS/AD etc. So I am unable add a route for for all internal traffic to use the same default GW because that is also F5 MGMT IP.

I will have do something like this - https://devcentral.f5.com/questions/management-external-networks-on-same-subnet-physical-network which will be time consuming unless anyone else any other ideas?

0
Comment made 28-Mar-2017 by Sergi Munyoz 122

Hi I have done three setups and two work without using mgmt interface (one of these two is an HA pair). Is not a problem. You can manage through any other interface self ip. All you need to do is allow ports on port lockdown I think

0
Comment made 28-Mar-2017 by mr.evil 279

Hi Sergi Munyoz thanks for that, what is what I am trying to do now, if I can get to MGMT using one of the private vLAN i can then change F5 MGMT network. Do you know whether I will need to create forwarding VIP? after I have created the vLAN, assigning the SelfIP with Allow Default option?

0
Comment made 28-Mar-2017 by Sergi Munyoz 122

No VIP needs to be envolved. You have interfaces, then create internal vlan linked to that interface, and then self ip linked to vlan. On this self ip put the option to allow default or allow any and you can get into GUI or cli. Of course you need to add a route to reach real mgmt network from this ip to get traffic between them

1
Comment made 28-Mar-2017 by mr.evil 279

Thanks, so this is what I tried. CLI into F5 VE from ESXI, Set F5 MGMT to 192.168.1.2/24 network ( this network is unreachable )

TMSH into F5 and ran the following commands:

tmsh create net self Internal address 10.xx.xx.245/26 traffic-group traffic-group-local-only vlan internal allow-service all

and created a route create /net route 10.0.0.0/8 gw 10.xx.xx.193

However I am unable to ping 10.xx.xx.245 or unable to ping out of the F5 ...

Am i doing something wrong ?

please note gw 10.xx.xx.193 is the real MGMT gw for the infrastructure.

Thanks,

0
Comment made 29-Mar-2017 by Stanislas Piron 10677

Hi,

why did you delete all the existing NIC?

I advised you to create new NIC, not to delete the existing ones.

depending of the version you downloaded, you may be in "Single NIC" mode.

The best solution is to re-import the OVA.

In VMWare, create as many VLANs as required and link it to the ESXi physical Interface

  • VLAN_DMZ (Tag 10) --> vmmic0
  • VLAN_Private (Tag 20) --> vmnic0
  • VLAN_HA (tag 30 --> no Virtual Nic if both VM are hosted on the same ESX server
  • VLAN_XXX (tag 40) --> vmmic0
  • VLAN_MGMT (tag 50) --> vmmic0
  • VLAN_YYY(tag 60) --> vmmic0

Then, in the F5 VM parameters, create X new Adapters as required and map to:

  • Ethernet0 --> VLAN_MGMT
  • Ethernet1 --> VLAN_Private
  • Ethernet2 --> VLAN_XXX
  • Ethernet3 --> VLAN_DMZ
  • Ethernet4 --> VLAN_YYY
  • Ethernet5 --> VLAN_HA

In F5 Configuration, create VLAN with properties:

  • VLAN_Private (tag 20) --> Interface 1.1 (untagged)
  • VLAN_XXX (tag 40) --> Interface 1.2 (untagged)
  • VLAN_DMZ (tag 10) --> Interface 1.3 (untagged)
  • VLAN_YYY (tag 60) --> Interface 1.4 (untagged)
  • VLAN_HA (tag 30) --> Interface 1.5 (untagged)
0
Comment made 30-Mar-2017 by Stanislas Piron 10677

This part is wrong!!!!!!!

  • vLAN_Private_1 assigned to int 1.1
  • vLAN_Private_2 assigned to int 1.1
  • vLAN_External_1 assigned to int 1.2
  • vLAN_Others_1 assigned to int 1.3 ----> technically this isn't in use

In VE, do not assign same Interface for multiple VLANS

follow my previous comment to create new VMWARE vlans, and assign them to F5 VE vNIC

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

create /net route 10.0.0.0/8 gw 10.xx.xx.193

Maybe is a problem with mask... /8 seems to overlap with

tmsh create net self Internal address 10.xx.xx.245/26

Or directly a problem with vlans and interfaces as Stanislas says

0
Comments on this Answer
Comment made 30-Mar-2017 by mr.evil 279

Looks like I have manged to this working - Thanks to you all for your inputs, I am able to ping the Internal Private vlANs.

Why did I have all these confusions? Unfortunately I am helping a site without much knowledge about the network (remotely helping out).

Working config

Start all over again after re-importing the OVF file, assigned right v NIC ( only have two physical nics, Private trunked at the router, Public nic ) MGMT, Internal and HA assigned with Private and External with public

Assigned MGMT IP to the F5 VE

GUI into F5 using MGMT IP, activate license and installed additional modules.

Create vLANs as follows:

vLAN_Private_1 assigned to int 1.1
vLAN_Private_2 assigned to int 1.1
vLAN_External_1 assigned to int 1.2
vLAN_Others_1 assigned to int 1.3 ----> technically this isn't in use

Create selfIP for Private vLANs

vLAN_Private_1_selfIP 10.xxx.xxx.66/27 vLAN_Private_1 port lockdown default
vLAN_Private_2_selfIP 10.xxx.xxx.226/27 vLAN_Private_2 port lockdown default
vLAN_External_2_selfIP xxx.xxx.xxx.124/28 vLAN_Extrenal_1 port lockdown none

At this point I am able to ping vLAN_Private_1 and vLAN_Private_2 from F5 CLI

Create VIPs for internal network to get to vLAN_Private_1 and vLAN_Private_2 - this is important to have else wont be able to ping from outside F5 into F5, and this will also allow to get to f5 MGMT portal

Internal_traffic_1

src 10.0.0.0/8 dst 10.xxx.xxx.64/27 enable vlan vLAN_Private_1

Internal_traffic_2

src 10.0.0.0/8 dst 10.xxx.xxx.224/27 enable vlan vLAN_Private_2

At this point I was able to ping 10.xxx.xxx.66 and 10.xxx.xxx.226 from MGMT network i.e. 10.xxx.xxx.218 - self_ip for each private vLANs, I also did a TCP dump to make sure that the traffic is getting into F5 from 10.xxx.xxx.218

Now moving into external traffic out from F5

Create default route

External_route src 0.0.0.0 mask 0.0.0.0 gw xxx.xxx.xxx.113

At this point I have tried to ping the GW xxx.xxx.xxx.113 - I am unable to do so.

Does anyone know how to resolve this?

Thanks,

0