ICMP replies

Question

I have configured a VS for my real server/pool network so users/servers can connect to my pool server network directly:&nbsp;
&nbsp;virtual Inbound-server-vlan137 {
&nbsp;ip forward
&nbsp;destination 10.210.137.0:0any
&nbsp;mask 255.255.255.0
&nbsp;vlans external enable
&nbsp;}&nbsp;
&nbsp;self 10.210.137.10
&nbsp;netmask 255.255.255.0
&nbsp;vlan vlan137
&nbsp;allow all&nbsp;
&nbsp;The problem I have is that we have about 10 hosts behind this network and they all respond to ping, however looks like the whole subnet replies to ping. The F5 is sending the ICMP reply, but the host doesn't exist on this subnet, I would like to stop this. This isn't ideal, I want the server not the F5 to reply for obvious reasons.&nbsp;
&nbsp;Thanks,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

nitass · Answer

it seems not possible. 
&nbsp;  
&nbsp; http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/1173012/showtab/groupforums/Default.aspx 
&nbsp; http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/34621/showtab/groupforums/Default.aspx

portoalegre · Answer

I can understand a filter would be useful to secure your network on a DMZ, however with F5's providing load balancing on your internal network I don't seem this as a major requirement especially when servers behind the F5 connect to databases, monitoring servers etc on other internal networks....administration overhead.&nbsp;
&nbsp; Currently have a problem - we need to build new Unix servers on a pool network behind the F5 the boot build server which sits on a seperate network not behind the F5 sends out a ping to see if anyone has the new address allocated, if the ICMP reply is received (in my case the F5 sends back ICMP reply) you cannot build the server, because the the specific boot server thinks the IP is already taken. &nbsp;&nbsp;

nitass · Answer

Currently have a problem - we need to build new Unix servers on a pool network behind the F5 the boot build server which sits on a seperate network not behind the F5 sends out a ping to see if anyone has the new address allocated, if the ICMP reply is received (in my case the F5 sends back ICMP reply) you cannot build the server, because the the specific boot server thinks the IP is already taken. just wondering if dropping icmp reply using packet filter is helpful (i know it is not a fix actually).

portoalegre · Answer

That would be helpful, a part from the fact that some of our monitoring applications use ICMP heartbeats to monitor servers behind the F5. So this would need to be implemented after hours which isn't ideal. &nbsp;
&nbsp; This is a real problem and should be looked at by F5 Developers, ICMP is a protocol that is used for many purposes and the F5 LTM should not repsond in this manner, other devices like Cisco ACE do not! &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

nitass · Answer

This is a real problem and should be looked at by F5 Developers, ICMP is a protocol that is used for many purposes and the F5 LTM should not repsond in this manner, other devices like Cisco ACE do not!to let them know, please open a support ticket and submit request for enhancement. 
&nbsp;  
&nbsp; cheer!

Forum Discussion

ICMP replies

8 Replies

Recent Discussions

Transaction looks successful but file not downloading

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

icmp of management firewall

no reply from big3d: timed out

ICMP Custom Source Address Monitor

ICMP packets on a TCP monitor

In nPath configuration, BIG-IP does not send ICMP reply to the L3 switch.