Forum Discussion

Grayson_149410
May 24, 2016

Routing with LTM Issues - Can't See Floating IP

We are in the process of creating a new network where we plan on doing nothing but automation. We want the LTM to act as the router so we can maintain source and not have to do Automap. Nothing that I do works and I am stumped. I even changed the port lockdown to allow all just to see if that was it, but it wasn't. Any ideas?

Here are the devices being used to test this below.

The 3 machines I am using to test this are highlighted in yellow in the picture. The two VMs can ping each other no problem.

 Network:  172.19.68.0/22

 VMW7NETSEC = 172.19.68.30 
       Mask = 255.255.252.0
         DG = 172.19.68.5

 VMW7NETSEC2 = 172.19.68.32 
        Mask = 255.255.252.0
          DG = 172.19.68.5

DEV-LTM

This is the configuration of the Float and Self IP. The VLAN has been created and tagged as 323 on interface 1.3. I have verified that the MAC address of that interface matches on the vCenter side.

The VLANs have been tagged on UCS and I know that the two devices acting as "servers" can ping each other and are on the same VLAN and should be able to ping and get to the LTM, since this is host-to-host communication and is proven to work or the two VMs couldn't ping each other.

    net self /Common/Float_Prod_HC_Web {
        address 172.19.68.5/22
        allow-service {
            default
        }
        traffic-group /Common/traffic-group-1
        vlan /Common/Prod_HC_Web
    }

    net self /Common/Self_Prod_HC_Web {
        address 172.19.68.4/22
        traffic-group /Common/traffic-group-local-only
        vlan /Common/Prod_HC_Web
    }

12 Replies

  • A few questions, I'm trying to narrow the search area.

     

    Can you confirm your issue is that as you're trying to ping the Floating-SelfIP (172.19.68.5) from one of the VMs in same network, there's no response? If yes, have you tried using tcpdump on BigIP yet - do you see ICMP echo requests coming in, and if not, do you see any ARP who-is requests? Is the situation any better with the Local-SelfIP (172.19.68.4) - does it respond to ICMP as intended?

     

    • Grayson_149410
      Neither the Self IP (.4) nor the Float IP (.5) are able to be pinged from those VMs. I am seeing on another server on the same VLAN sending requests to the LTM and I see this: 13:56:40.754585 ARP, Request who-has 172.19.68.20 tell 172.19.68.4,
    • Grayson_149410
      Also to add, I just ran a capture and I am seeing ARP requests for both the Self and Float:

      14:02:54.822595 ARP, Request who-has 172.19.68.4 tell 172.19.68.32, length 130 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

      14:02:55.782239 ARP, Request who-has 172.19.68.5 tell 172.19.68.32, length 130 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    • Hannes_Rapp
      It could be a VLAN tag-mismatch problem. What happens if you temporarily set Prod_HC_Web VLAN as "untagged" on 1.3 tmm interface? Does it change anything?
  • It is likely that you don't have a wildcard forwarding virtual server to handle the traffic being sent.

     

    See: https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595/

     

    Port Lockdown handles the ports your self IP will listen on for administrative connections.

     

    See: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17333

     

    The BigIP is a default deny device, and if it does not have a listener configured for the traffic reaching it, it will either ignore or reset that traffic.

     

  • Since the formatting in the comment was totally hosed:

    For the closest approximation of stateless IP forwarding, F5 recommends that you create an IP forwarding wildcard virtual server similar to the following example:

    ltm virtual /Common/vs_wildcard_forwarding {
        destination /Common/0.0.0.0:0
        ip-forward
        mask any
        profiles {
            /Common/my_route_friendly_fastl4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
    }
    
  • Just wanted to update that I am seeing ARP requests to the LTM and LTM doesn't know what to do.

    14:02:54.822595 ARP, Request who-has 172.19.68.4 tell 172.19.68.32, length 130 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0 
    
    14:02:55.782239 ARP, Request who-has 172.19.68.5 tell 172.19.68.32, length 130 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    
  • Basically, I am only seeing the ARP request and then it just stops there. It's like the LTM doesn't know how to respond and this is new territory for me.
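
Added example, not part of the original thread or anyone's post in it: a small Python script that reads tcpdump text output and lists the ARP targets that were asked for but never answered, which is the symptom described in the captures above. The one-second reply window, the function names and the last two sample lines (including the MAC address) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump text formats for ARP:
#   "... ARP, Request who-has <ip> tell <ip>, length N"
#   "... ARP, Reply <ip> is-at <mac>, length N"
STAMP = r"^(\d\d):(\d\d):(\d\d)\.(\d+) ARP, "
REQ = re.compile(STAMP + r"Request who-has (\S+) tell (\S+?),")
REP = re.compile(STAMP + r"Reply (\S+) is-at ([0-9A-Fa-f:]{17})")

# First two lines come from the thread (TMM metadata shortened);
# the last two are constructed to show an answered request.
SAMPLE = """\
14:02:54.822595 ARP, Request who-has 172.19.68.4 tell 172.19.68.32, length 130 in slot1/tmm0 lis=
14:02:55.782239 ARP, Request who-has 172.19.68.5 tell 172.19.68.32, length 130 in slot1/tmm0 lis=
14:02:56.100000 ARP, Request who-has 172.19.68.30 tell 172.19.68.32, length 46
14:02:56.100400 ARP, Reply 172.19.68.30 is-at 00:50:56:aa:bb:cc, length 46
"""

def _seconds(h, m, s, frac):
    """Convert a tcpdump HH:MM:SS.frac timestamp to seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + int(s) + float("0." + frac)

def unanswered_arp(lines, window=1.0):
    """Return {target_ip: [asker_ip, ...]} for requests with no reply
    from the target within `window` seconds (window is an assumed value)."""
    requests, replies = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        m = REQ.match(line)
        if m:
            requests.append((_seconds(*m.groups()[:4]), m.group(5), m.group(6)))
            continue
        m = REP.match(line)
        if m:
            replies[m.group(5)].append(_seconds(*m.groups()[:4]))
    missing = defaultdict(list)
    for ts, target, asker in requests:
        if not any(0 <= r - ts <= window for r in replies[target]):
            missing[target].append(asker)
    return dict(missing)

if __name__ == "__main__":
    for target, askers in unanswered_arp(SAMPLE.splitlines()).items():
        print(f"no ARP reply for {target} (asked by {', '.join(sorted(set(askers)))})")
```

Unanswered requests for a self IP mean the failure is at layer 2 (VLAN tagging, interface assignment), before Port Lockdown or any virtual server listener is consulted.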