Bug ID 528684: Guest cannot ping any management IP on the local host system when guest-to-host communication is enabled

Last Modified: Mar 12, 2019

Affected Product:
BIG-IP vCMP (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Fixed In:
13.0.0

Opened: Jun 18, 2015
Severity: 3-Major

Symptoms

When guest-to-host communication is enabled by setting "vcmp.mgmt.allow_host_guest_communication" to "true", a guest VM is unable to ping any management IP residing on the local host BIG-IP system. Note that SSH to such an IP works. On clustered systems, a guest VM is unable to ping the cluster floating management IP of the local host cluster if the local host blade is the primary blade of the host cluster. However, the guest VM is able to ping the cluster member management IP of non-local host blades, and it is able to ping the cluster floating management IP if a non-local host blade is the primary blade of the host cluster.

Impact

The user may mistakenly believe that, because they are unable to ping a management IP residing on the local host BIG-IP system, they are also unable to SSH to that IP.

Conditions

A guest VM attempts to ping a management IP that resides on the local host BIG-IP system.

Workaround

Note that a guest VM is still able to SSH to a management IP residing on the local host BIG-IP system, even if pinging that IP does not work. If pinging of such an IP is desirable from a guest VM whose host BIG-IP system does not include the fix for this issue, then the following commands can be run on the host BIG-IP system as the 'root' user to make pinging the IP work:

    # iptables -I vcmp_mgmt 2 -p icmp -j ACCEPT
    # iptables-save > /etc/sysconfig/iptables

Note: On clustered host BIG-IP systems, these commands should be run on every blade.

Note: These commands will result in pings working across reboots, but an upgrade will reset the saved iptables rules and thus result in pings not working once more, unless the host BIG-IP system is being upgraded to a version that includes the fix for this issue.

Fix Information

Guest VMs are now able to ping any management IP residing on the local host BIG-IP system.

Behavior Change