Forum Discussion

eli1234_26783
Nov 21, 2012

ICMP redirect supported on LTM VE?

Hello,

My servers' default gateway is the LTM's floating IP and I would like to configure static routes on the LTM to forward VPN traffic to the FW. Other load balancers support ICMP redirect to avoid unnecessary traffic.

Is it possible to configure ICMP redirect on the LTM for static routes?

Thank you,

Regards,

Eli.

6 Replies

  • This article suggests LTM accepts ICMP redirects: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_tmos_concepts_11_0_0/tmos_packet_filters.html?sr=254693211185763.

    However, I think you want to send them, right?
  • Correct, I want the LTM to send ICMP redirects to the servers to direct the VPN traffic to the FW...

    When I used Wireshark I didn't see the ICMP redirect message.
  • mchaas

    Hi, I appreciate that this thread is quite old already, but I want to follow up anyway. I once raised a similar request towards support. I would really love to see this implemented in iRules, for example. SIDEBAND, for example, is able to establish TCP sessions and send UDP datagrams. This could be extended to also be able to send crafted ICMP messages. Did anybody raise a request like this with support as well? Did anybody find a different solution to this? Regards, Matt

  • mchaas

    Hi, I am not trying to achieve resilience by sending ICMP redirects. I don't think that Eli was either.

    I have a bunch of servers. Each of them has its default gateway pointing to the load balancer in order to be able to receive non-SNATed, load-balanced traffic to its single IP address. There is also a firewall in this subnet. Assume Server A initiates a TCP session with Server B in order to send a big file. It sends the SYN to the load balancer, which would forward it according to its config. All traffic from Server A to Server B would have to pass the BIG-IP. By making the BIG-IP send ICMP redirects for specific hosts, it could make the server install temporary routes pointing to the firewall for this and subsequent transmissions.

    There is an iRule command "SIDEBAND" that can be used to craft UDP datagrams. I guess I will raise an RFE to also be able to craft ICMP datagrams there.

    Cheers, Matt
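
What the ICMP redirect described in this post looks like on the wire (RFC 792, type 5), as an added example that is not part of the original thread: a parser a server administrator could run over captured ICMP payloads to confirm whether a redirect arrived and which gateway it names. The function names, addresses and sample packet are constructed for illustration.

```python
import ipaddress
import struct

# RFC 792 redirect codes: what the named gateway should be used for
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_redirect(icmp: bytes):
    """Return redirect details, or None if this is not a valid ICMP redirect."""
    if len(icmp) < 8 + 20:              # ICMP header + embedded IPv4 header
        return None
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != 5 or code not in REDIRECT_CODES:
        return None
    if inet_checksum(icmp) != 0:        # a valid message sums to zero
        return None
    inner = icmp[8:]                    # header of the datagram that triggered it
    if inner[0] >> 4 != 4:
        return None
    return {
        "scope": REDIRECT_CODES[code],
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "original_src": str(ipaddress.IPv4Address(inner[12:16])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def build_sample() -> bytes:
    """Constructed sample: host redirect telling 10.0.0.20 to reach
    192.168.50.7 via 10.0.0.254 (all addresses are made up)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                           ipaddress.IPv4Address("10.0.0.20").packed,
                           ipaddress.IPv4Address("192.168.50.7").packed)
    inner = inner_ip + b"\x00" * 8      # first 8 payload bytes of the original
    body = struct.pack("!BBH4s", 5, 1, 0,
                       ipaddress.IPv4Address("10.0.0.254").packed) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_icmp_redirect(build_sample()))
```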

  • mchaas

    To me, the answer is quite easy: administrative overhead. It's static routes to maintain on hundreds of servers vs. one iRule containing three lines of code configured on a central point in the network. And personally, I don't see a reason why UDP and even TCP are available in iRules with SIDEBAND, and ICMP is not. It should be relatively easy to implement, and low-cost with regard to resource consumption on the LTM.

  • Hello, has anyone figured out how to do ICMP redirect with F5? Using a command? Or an iRule?

    Thanks. Regards, -lmn