Forum Discussion

cawong23_136311
Jan 09, 2018

F5 wildcard outgoing with default gateway pool issue

Hi F5 guys,

 

I configured a wildcard outgoing VS for internal users' outgoing traffic; the VS has a gateway pool with the ISP A and ISP B gateway addresses.

 

However, I found that the outgoing traffic always relies on one ISP; if I unplug or disable this ISP link, the connection fails, which defeats the purpose of link load balancing.

 

Could you please advise?

 

Thanks a lot,

 

Angus

 

8 Replies

  • Hello Angus,

     

    First of all, can you tell me whether you set SNAT automap or a SNAT pool on your VS? Additionally, I recommend that you set a transparent monitor in order to validate that your ISP is functional (it has internet access).

     

    Regards,

     

  • Please can you share the configuration: VS, pools etc.? It is a bit odd that it only selects one ISP in your pool. Is there any iRule in place?

     

  • I set a wildcard VS with source 0.0.0.0 and dest 0.0.0.0; the pool is a gateway pool with 2 ISP link gateways (round-robin load balancing). No iRule is applied.

     

    I keep pinging a public IP and then unplug one of the ISP links; the ping result becomes "destination host unreachable" until I re-plug the ISP link which I unplugged.

     

  • Can you send the output of tmsh list ltm pool your_pool and tmsh list ltm virtual your_virtual?

     

  • ltm virtual vs_wildcard {
        destination 0.0.0.0:any
        mask any
        pool GW_Pool_Round
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vlans {
            Internal
        }
        vlans-enabled
        vs-index 26
    }

     

    ltm pool GW_Pool_Round {
        members {
            203.193.x.x:any {
                address 203.193.x.x
                session monitor-enabled
                state up
            }
            218.213.x.x:any {
                address 218.213.x.x
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }

     

    Thanks Daniel!

     

  • To be honest, I don't see where the problem can be. I'd recommend that you open a support case. In addition, you can add an iRule to log information about the load balancing decisions, active members, etc.:

    when LB_SELECTED {
      # members of the selected pool that the monitor currently reports up
      log local0. "Active members: [active_members [LB::server pool]]"
      # the member this connection was load balanced to
      log local0. "Pool member: [LB::server addr]:[LB::server port]"
    }


    A packet capture will help to see what is happening underneath: destination MAC address, etc.

    Sorry to not be of more help.

  • Hi

     

    In your case, it seems that the ISP BGP setting is wrong.

     

    But if the ping destination IP belongs to just one ISP, "destination unreachable" is the expected result.

     

    First, ping Google (which belongs to lots of ISPs), unplug one ISP, stop the ping and retry the ping.

     

    Second, check the ISP's BGP hold time. -> Normally it is as long as you expected.

     

    Thank you.

     

    • cawong23_136311

      I opened a tech case; it seems this is the normal behavior on F5.

       

      It looks like you kept the ping tool running all the time. This should not happen if you stop the command and then run it again after 10 seconds. This is because, even for ICMP traffic, a connection is established in the connection table. The entry in the connection table won't be removed even if the member is down.

       

      That's OK, I just need to explain this to the customer.
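To make the connection-table explanation concrete, here is an added Python model (not F5 code and not from this thread) of a wildcard fastL4 virtual's flow table in front of a round-robin gateway pool. It goes one step beyond the thread by also modelling the pool's Action On Service Down setting: with the default (none) a running ping stays pinned to the dead gateway until its entry idles out, while reselect moves the live flow to the remaining ISP. The timeout value, the client and destination addresses and the simplified reselect behaviour are assumptions.

```python
from dataclasses import dataclass, field
from itertools import cycle

# Constructed value: seconds an idle flow entry survives. The support reply
# above says a ping restarted after about 10 seconds works again.
FLOW_IDLE_TIMEOUT = 10


@dataclass
class GatewayPool:
    members: list  # gateway addresses (ISP A, ISP B); the ICMP monitor flips `up`
    action_on_service_down: str = "none"  # models F5's pool setting: "none" or "reselect"
    up: dict = field(init=False)

    def __post_init__(self):
        self.up = {m: True for m in self.members}
        self._rr = cycle(self.members)

    def select(self):
        # A fresh load-balancing decision: next member in round-robin order that is up.
        for _ in range(len(self.members)):
            m = next(self._rr)
            if self.up[m]:
                return m
        return None  # no active members


class ConnectionTable:
    # Flow table of a wildcard fastL4 virtual: one entry per (src, dst, proto).
    def __init__(self, pool):
        self.pool, self.entries = pool, {}  # flow key -> [gateway, last_seen]

    def forward(self, src, dst, proto, now):
        key, entry = (src, dst, proto), self.entries.get((src, dst, proto))
        if entry and now - entry[1] <= FLOW_IDLE_TIMEOUT:
            gw = entry[0]  # existing flow keeps its gateway, even one now marked down...
            if not self.pool.up[gw] and self.pool.action_on_service_down == "reselect":
                gw = self.pool.select()  # ...unless the pool reselects on service down
        else:
            gw = self.pool.select()  # no live entry: balance the flow afresh
        if gw is not None:
            self.entries[key] = [gw, now]
        return gw


def ping_scenario(action_on_service_down="none"):
    # Gateway used before the outage, while the ping keeps running, and after a restart.
    pool = GatewayPool(["203.193.x.x", "218.213.x.x"], action_on_service_down)
    table = ConnectionTable(pool)
    flow = ("10.0.0.5", "203.0.113.10", "icmp")  # constructed: internal host -> public IP
    first = table.forward(*flow, now=0)
    pool.up[first] = False  # that ISP link is unplugged; the monitor marks the gateway down
    during = table.forward(*flow, now=1)  # ping left running: hits the same entry
    after = table.forward(*flow, now=FLOW_IDLE_TIMEOUT + 2)  # stopped, run again later
    return first, during, after
```

Running ping_scenario() reproduces the thread's symptom (the second value is the dead gateway); ping_scenario("reselect") shows the live flow moving to the other ISP.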