New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Service_Forwarding objects should disable arp and icmpEcho #325
Comments
You can take control of the virtual address parameters by explicitly defining the virtual address in your declaration using the Service_Address class: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/miscellaneous.html#advertising-a-route-for-a-service-address |
Thank you, I did not find that when I was looking for answers on my own. But AS3 should have sensible defaults that align with TMSH. |
Is this issue going to remain "invalid?" I feel it's a valid issue where AS3 requires me to separately create a Service_Address object in order to implement the normal TMSH defaults for a larger-than-/32 virtual-address. This is especially true in the case of a shared 0.0.0.0/0 address. This sort of thing should just work. Would it help if I also opened a case with F5 Support? |
Unfortunately AS3 defaults cannot change without changing the behavior of older declarations. One of AS3's highest priority design goals is to never break older declarations. |
Can we take a vote? (Ha!) This behavior is broken, at least for Service_Forwarding objects. Virtual-addresses created by these should not be answering ARP or ICMP-echo. Am I the only one using these? |
OK, I get it: no vote. Please, consider this situation which is very common for us: We need to create virtuals that route traffic from 'inside' VLANs to 'outside' VLANs, using the destination 0.0.0.0/0:0. We should be able to simply use virtualAddresses: [0.0.0.0/0] along with shareAddresses: true. We can do this, and AS3 will do it all automatically (thanks to the fixes in 3.22.1, right?). But that leaves us answering all ARP requests and ICMP requests on all VLANs we're on. Triggering servers whining about "duplicate IP detected" and the like. This is not the way! What do you suggest we do instead? Should we define "/Common/Shared/addr_0.0.0.0" in a separate declaration that is then referenced by each Tenant? We have tried adding 'addr_0.0.0.0' to the application, but it is created within the Tenant's partition (even though shareAddresses: true!). What is the use case for configuring arp/icmp enabled on 0.0.0.0/0? Does anyone want this? (What about other smaller subnets?) |
We did this. We created a Shared declaration that creates:
We deployed that, and it looks fine:
But then we deployed the passthru Tenant: with a virtual like so:
The cli script generated has "mask 255.255.255.255" which causes our /Common/Shared/va_0.0.0.0_0 to get assigned a mask of 255.255.255.255. Perhaps this should be a separate issue. I'm now officially at my wits end. I don't see a means to build the tmsh-default stuff using AS3 here. edit: Sorry, it was a very long day. Submitted new issue #339 (but I still don't understand these defaults). |
@wncocz I understand the current defaults are frustrating for you. When these features were added we were unaware that virtual-address objects had different defaults based on the IP address. Changes to defaults after a feature is released means there is a change in behavior that could break a customer's setup when they upgrade. That being said, I do see a potential case for calling this a bug. Not because the default is different from tmsh, but because the user would expect AS3 to generate a reasonable virtual-address object when only an IP address is given on a Service_* declaration. I would like to gather some additional information before we go down that route though.
|
Assuming you meant #339 -- It looks like my /Common/Shared/va_0.0.0.0 no longer gets its mask clobbered, so that is good.
I'm not aware of any use cases for either of these. They both sound like bad recipes. |
Yes, I meant #339. Thank you for your additional feedback. I will pass it on to the developers. |
Added AUTOTOOL-2265 to our internal product backlog to make sure that Service_Forwarding classes do not generate virtual-address objects that have arp and icmp-echo enabled. Thank you for your patience and assistance in helping us better understand this issue. |
Thank you for all your help on this. We just tried a declaration equivalent to the original in Steps to Reproduce with AS3 3.27.0 (on BIG-IP 14.1.4.1), and it works as desired. The /Common/0.0.0.0 v-a is automatically created with the correct arp/icmp settings, and the 10.10.10.0/24 v-a is created in the tenant partition, also with the correct arp/icmp settings. We no longer have to "manually" manage virtual-address objects for ip-forward virtuals. |
Environment
Summary
Service_Forwarding objects' virtualAddresses are created with arp and icmp-echo enabled. These larger-than-/32 VAs should have those two options disabled. Or there should be some way for us to specify that they should be disabled.
Steps To Reproduce
Steps to reproduce the behavior:
Expected Behavior
The virtual-address objects should be created with arp and icmp-echo disabled. Such is the case when you manually enter (tmsh)
create ltm virtual test destination 10.10.10.0:0 ip-forward mask 255.255.255.0 source 0.0.0.0/0 vlans add { outside } vlans-enabled
The text was updated successfully, but these errors were encountered: