Forum Discussion

F5_Jeff
Nov 14, 2016

Self IP cannot be pinged from Standby N7k

Hi everyone!

We were having trouble pinging the self IPs of the F5 (Active and Standby) from the standby N7k. But when we tried pinging from the Active N7k, we were able to ping the self IPs of the F5.

We captured some packets and saw the message "Destination unreachable (Network Administratively Prohibited)".

What can be the possible cause of this? And what can we do?

We searched the knowledge base and found information about the packet filtering setting, but we don't think this was the cause because we didn't make any changes to the settings.

Thank you.

 

4 Replies

  • Additional information:

    The F5 is directly connected to the N7k. The N7k is the next hop of the F5.

    Thank you.

     

  • I would venture to guess that this is more of a network configuration issue than an F5 issue. It is tough to assist without any information regarding your setup. Is it possible to fail over between the Active/Standby N7Ks and ping from the past standby (current active) N7K?

    Assuming you have HSRP set up between the N7Ks, can you ping the floating and non-floating IPs from the F5?

     

  • Can you start troubleshooting from layer 1 and go up through the layers? Is the network cabling correct, i.e. if you shut down the port on the Cisco, does it go down on the correct F5? Do you learn the MAC address of the standby unit?

    One thing to take into account is the fact that you have a forwarding VS, and if ARP is enabled for that virtual address, only the active unit will reply to pings. Secondly, AFM can be configured in ADC mode or Firewall mode; I guess Firewall mode will not reply to ICMP unless there is a rule to allow that. The third thing is about the configuration when using HSRP or VRRP, because with F5 auto last hop things get a little complicated, but there is documentation about that.

    You can also take a tcpdump on the active and standby units and check which listener is handling the ICMP (virtual server, self IPs, etc.).

     

    Some useful solutions:

    https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-1/1.html

    https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9487.html

    https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13142.html

    https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html

     

  • I assume with the Nexus you are using virtual port channels? It's common that when pinging from a standby Nexus, the reply is sent to the primary HSRP on the other switch. The loop prevention inherent in the vPC configuration can silently drop packets that are seen crossing the vPC peer link.
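Decoding the "Destination unreachable (Network Administratively Prohibited)" message from the original post is the step that ties the tcpdump suggestion in the third reply to an answer: an ICMP type 3 unreachable is generated by the device that refused the packet, so its outer source address names the hop that rejected the ping (the self IP's own host, or a switch in between), and the quoted inner IP header shows exactly what was rejected. The block below is an added example, not code from the thread, from F5 or from Cisco. It constructs the unreachable message in-line rather than reading a live capture, and all addresses (10.0.0.2 for the standby switch, 10.0.0.10 for a BIG-IP self IP, 10.0.0.1 for another hop) are assumptions for illustration. Codes 9, 10 and 13 are all administrative prohibitions; which one a filtering device emits varies, so the decoder flags all three.

```python
"""Decode an ICMP Destination Unreachable message and report who rejected what.

Added example for this thread, not code from the poster, from F5 or from Cisco.
The packet is constructed in-line; every address below is an assumption.
"""
import ipaddress
import struct

# ICMP type 3 codes (RFC 792 / RFC 1812). 9, 10 and 13 are administrative rejections.
ICMP_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively filtered",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(rejecting_host: str, orig_src: str, orig_dst: str, code: int) -> bytes:
    """Constructed test input: what rejecting_host sends back after refusing an echo request
    from orig_src to orig_dst. The unreachable quotes the original IP header plus 8 L4 bytes."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)          # echo request: type 8, id, seq
    echo = echo[:2] + struct.pack("!H", inet_checksum(echo)) + echo[4:]
    quoted = ipv4_header(orig_src, orig_dst, 1, len(echo)) + echo
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted[:28]  # type 3, code, csum, unused
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(rejecting_host, orig_src, 1, len(icmp)) + icmp


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "ihl": ihl,
        "ttl": pkt[8],
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
    }


def decode_unreachable(pkt: bytes) -> dict:
    """Return who rejected the packet, why, and what the rejected packet was.
    destination_rejected is True when the unreachable came from the echo's own target,
    i.e. the end host (here a self IP) refused it rather than a hop in between."""
    outer = parse_ipv4(pkt)
    if inet_checksum(pkt[:outer["ihl"]]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if outer["proto"] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[outer["ihl"]:]
    if icmp[0] != 3:
        raise ValueError("not a Destination Unreachable (type %d)" % icmp[0])
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code = icmp[1]
    quoted = parse_ipv4(icmp[8:])
    l4 = icmp[8 + quoted["ihl"]: 8 + quoted["ihl"] + 8]
    return {
        "rejected_by": outer["src"],
        "code": code,
        "reason": ICMP_UNREACH_CODES.get(code, "unknown code %d" % code),
        "admin_prohibited": code in (9, 10, 13),
        "original_src": quoted["src"],
        "original_dst": quoted["dst"],
        "original_proto": quoted["proto"],
        "original_l4_type": l4[0] if quoted["proto"] == 1 else None,
        "destination_rejected": outer["src"] == quoted["dst"],
    }


def describe(d: dict) -> str:
    who = "the destination itself" if d["destination_rejected"] else "an intermediate hop"
    return "%s (%s) rejected %s -> %s: %s (type 3 code %d)" % (
        d["rejected_by"], who, d["original_src"], d["original_dst"], d["reason"], d["code"])


if __name__ == "__main__":
    # Constructed scenario: standby switch 10.0.0.2 pings self IP 10.0.0.10 (assumed addresses).
    for rejecting, code in (("10.0.0.10", 9), ("10.0.0.1", 13)):
        pkt = build_unreachable(rejecting, "10.0.0.2", "10.0.0.10", code)
        print(describe(decode_unreachable(pkt)))
```

Run against a real capture, the same decode applied to the unreachable's outer source address distinguishes the two cases the thread is debating: an unreachable sourced from the self IP means the BIG-IP itself (packet filter, AFM rule or a listener that does not answer) refused the echo, while one sourced from a switch address means the rejection happened before the packet ever reached the F5. A vPC peer-link drop, as the last reply describes, generates no ICMP at all, so silence in the capture points there rather than at a filter.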