VIP Bounce - I am facing a Show stopper

Dear Team,

My network is as follows:

In my scenario, the servers and VIP reside in the same network. The default gateway of the servers is the core switch.

The following is what I have done:

1) Created an internal VLAN (etherchanneled)

2) Created SelfIP - Non-floating (172.16.4.40)

3) Created SelfIP - Floating (172.16.4.43)

4) Created VIP - 172.16.4.45

The default gateway of the F5 is 172.16.4.1 (the core switch, which is the default gateway of the servers too).

I have created SNAT (autonat) on the VIP.

The issue I am facing is that when I access the real IPs 172.16.4.31 and 172.16.4.36 on port 8006, the portal works without any issues. Nevertheless, when I access it through 172.16.4.45, which is the VIP, clients are not getting any response (getting "connection interrupted").

I have no clue why this issue is happening even after SNAT. I have a target of finishing this task tomorrow and I am still nowhere in resolving this.

Can somebody help me out with this?

Thanks a ton in advance,

Paddy


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
The first thing you need to do is capture the traffic between the client and F5 and between F5 and servers. With TCPDUMP listening on your single VLAN (from management shell) you should see clients hit the .45 VIP and you should see traffic from .43 (floating self-IP) to the server IPs (good 3-way handshake and data).
0
I could see the traffic from the client to the VIP but no traffic from 172.16.4.43 to the server, and moreover it is sending a RESET packet.

20:47:07.043748 IP 172.16.11.54.55097 > 172.16.4.45.http: S 151411023:151411023(0) win 8192
20:47:07.043790 IP 172.16.4.45.http > 172.16.11.54.55097: S 2816589295:2816589295(0) ack 151411024 win 4380
20:47:07.044010 IP 172.16.11.54.55097 > 172.16.4.45.http: . ack 1 win 16425
20:47:07.044245 IP 172.16.11.54.55097 > 172.16.4.45.http: P 1:338(337) ack 1 win 16425
20:47:07.044317 IP 172.16.4.45.http > 172.16.11.54.55097: . ack 338 win 4717
20:47:19.644146 IP 172.16.4.45.http > 172.16.11.54.55097: R 1:1(0) ack 338 win 4717
20:47:19.645207 IP 172.16.11.54.55099 > 172.16.4.45.http: S 2064180093:2064180093(0) win 8192
20:47:19.645237 IP 172.16.4.45.http > 172.16.11.54.55099: S 2171284925:2171284925(0) ack 2064180094 win 4380
20:47:19.645519 IP 172.16.11.54.55099 > 172.16.4.45.http: . ack 1 win 16425
20:47:19.645641 IP 172.16.11.54.55099 > 172.16.4.45.http: P 1:338(337) ack 1 win 16425
20:47:19.645698 IP 172.16.4.45.http > 172.16.11.54.55099: . ack 338 win 4717
20:47:32.245260 IP 172.16.4.45.http > 172.16.11.54.55099: R 1:1(0) ack 338 win 4717


Why is it so? Am I making any mistake? I am getting exhausted!!
0
I couldn't see any out packets in the SNAT statistics as well.

0
The fact that you don't see ANY layer 3 or 4 data to the servers most likely indicates either a layer 2 or config issue. Please 1) verify your etherchannel configuration, 2) make sure you can ping these servers from the F5 and that ARP addresses are correctly resolved, and 3) observe your /var/log/ltm log data for any possible anomalies.
0
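The check discussed in the answers above (client-side flows reach the VIP, but nothing leaves the floating self-IP toward the pool members before the VIP resets the client) can be run over a text capture. This is an added example, not part of the original thread; the function names are hypothetical and the regex assumes the tcpdump text format shown in the posted capture.

```python
import re
from datetime import datetime

# Classic tcpdump text format, as in the capture posted in this thread.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\w+) > (\S+)\.(\w+): (\S+)")

# First connection from the capture posted above (lines copied from the thread).
SAMPLE = """\
20:47:07.043748 IP 172.16.11.54.55097 > 172.16.4.45.http: S 151411023:151411023(0) win 8192
20:47:07.043790 IP 172.16.4.45.http > 172.16.11.54.55097: S 2816589295:2816589295(0) ack 151411024 win 4380
20:47:07.044010 IP 172.16.11.54.55097 > 172.16.4.45.http: . ack 1 win 16425
20:47:07.044245 IP 172.16.11.54.55097 > 172.16.4.45.http: P 1:338(337) ack 1 win 16425
20:47:07.044317 IP 172.16.4.45.http > 172.16.11.54.55097: . ack 338 win 4717
20:47:19.644146 IP 172.16.4.45.http > 172.16.11.54.55097: R 1:1(0) ack 338 win 4717
"""

def parse(lines):
    """Yield (time, src_ip, src_port, dst_ip, dst_port, flags) for each packet line."""
    for ln in lines:
        m = LINE.match(ln.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%H:%M:%S.%f"),) + m.groups()[1:]

def diagnose(lines, vip, snat_ip):
    """Track client connections to the VIP and count packets sourced from the SNAT address."""
    conns, server_side = {}, 0
    for t, sip, sport, dip, dport, flags in parse(lines):
        if sip == snat_ip:                       # F5 -> pool member
            server_side += 1
        elif dip == vip:                         # client -> VIP
            c = conns.setdefault((sip, sport), {"syn": None, "data": False, "rst_after": None})
            if flags == "S":
                c["syn"] = t
            elif flags == "P":
                c["data"] = True
        elif sip == vip and flags == "R":        # VIP resets the client
            c = conns.get((dip, dport))
            if c and c["syn"]:
                c["rst_after"] = (t - c["syn"]).total_seconds()
    return conns, server_side

def verdict(lines, vip, snat_ip):
    """Classify the capture: request accepted and reset with no server-side packets, or not."""
    conns, server_side = diagnose(lines, vip, snat_ip)
    stalled = [k for k, c in conns.items() if c["data"] and c["rst_after"] is not None]
    if stalled and server_side == 0:
        return "no-server-side-flow"
    return "ok" if server_side else "inconclusive"

if __name__ == "__main__":
    print(verdict(SAMPLE.splitlines(), "172.16.4.45", "172.16.4.43"))
```

On the posted capture the client's request is ACKed and then reset about 12.6 seconds after the SYN, with zero packets sourced from 172.16.4.43.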
Thanks, Kevin, for your prompt replies.

1) Verify your etherchannel configuration

I have created a trunk (1.1 and 1.2) and allowed VLAN # on it; this VLAN is the same as the server farm and VIP. I haven't configured LACP on it. On the Cisco switch side, I have configured etherchannel and the mode has been configured as desirable. Is it a wrong config? Do I have to add anything further?

2) Make sure you can ping these servers from the F5 and that ARP addresses are correctly resolved

I am able to ping all the servers from the load balancer. However, initially I was not able to ping the default gateway and it was not showing the ARP as well. When I statically added the MAC address of the core switch, I was able to reach the gateway. I thought that this would be some kind of ARP issue, but couldn't relate it to any etherchannel-related issue, as "only" the gateway "from the F5 box" wasn't reachable, but from anywhere in the LAN (other subnets as well) I was able to ping the VIP (172.16.4.45).

3) Observe your /var/log/ltm log data for any possible anomalies

I couldn't actually observe anything abnormal other than a real server issue, which was genuine, and that server has been taken out of the pool.

Any clues where I should actually look, since I have no clue how I should address this tomorrow :-(

-Paddy

0
Paddy - so why is your VIP on the same subnet as your servers? Do you only have one interface on the LTM or do you have an internal and external interface configured? If your VLAN is configured on the F5 on the internal interface, you won't need to use SNAT -
0
Okay, so just to be clear, your clients, F5, and servers are all on the same network segment, not crossing anything greater than a layer 2 device (switch), correct? The clients can directly access the servers on the same network and can ping the F5's VIP, and you can ping the servers from the F5. The gateway shouldn't matter at all if everything is on the same subnet. You have SNAT enabled, so you should see traffic to the servers coming from the F5's self-IP. That part is correct. Again, the most likely issues are config or layer 2-related. Please do the following:

1. Can you please post and/or describe your config.

2. After you ping the server from the F5, check the F5's ARP table for correct hardware addresses.

3. Do you have any iRules applied to the VIP?
0
Also - is this the first configuration on this LTM or do you have other VIPs currently on it?

Do you have a default route set up on the F5?
0
Kevin,

Clients are in different segments (172.16.11.x/12.x/13.x etc).

Servers are in 172.16.4.x (on VLAN 4), and the VIP is also in 172.16.4.x (same VLAN). The customer didn't want to change the gateway of the servers while introducing the F5 box; that is the reason it is designed in this one-arm mode. They are not ready to introduce a new network for the VIP range, and hence the servers and VIP are in the same network.

From the F5 box, I am able to reach the servers which are in the 172.16.4.x network; however, I am not able to reach the gateway 172.16.4.1 unless I add a static ARP entry.

Is LACP compulsory if I use trunking on the F5?

1) Configuration is attached herewith.

2) ARP entries are correct and have been verified.

3) No iRules; it is a very basic config. Since I am not able to proceed with a minor load-balancing configuration, I am not in a position to proceed with anything.

0
J,

Yes, this is the first configuration on this box.

There is no other VIP configured on this box.

A default route (gateway) has been configured, but it is not pingable unless I put in a static ARP entry!!

0
Having reviewed the config, the most unusual thing I can find is that you've disabled port and address translation. Is this a standard virtual server? You said earlier that the servers were listening on port 8006 though you're accessing the VIP on port 80, so at a minimum you need port translation. I would re-enable port and address translation. You also probably don't need to add an HTTP class to the virtual server and don't have to disable NAT on the pool.

To your last question, LACP is not compulsory with trunking. It should only be required if the downstream device requires it.
0
I have this same issue. We have about 15 partitions on a single VCMP guest. However, only the one-arm mode partitions have this issue. We only have 4 out of the 15 that are in one-armed mode. It appears the LTM does not respond to ARP requests that it is receiving when in one-armed mode. That is what I can tell from packet captures. I have a case open. Hopefully support can help.
0