Hi, I know it must be a stupid question, but does anybody know how to activate the access by https and ssh in the internal self ip?? Thank you in advance!

Hi Marta, You can enable specific ports on the self IP's using the port lockdown settings on each self IP: Specifies the protocols and services from which this self IP can accept traffic. Note that fewer active protocols enhances the security level of the self IP and its associated VLANs. * Allow Default: Activates only the default protocols and services. You can determine the supported protocols and services by running the b self allow list command on the command line. * Allow All: Activates all TCP and UDP services on this self IP. * Allow None: Specifies that this self IP accepts no traffic. If you are using this self IP as the local endpoint for WAN optimization, select this option to avoid potential port conflicts. * Allow Custom: Expands the Custom List option, where you can specify the protocols and services to activate on this self IP. Aaron

You can run tcpdump on LTM to see what's happening: tcpdump -nni 0.0 host SELF_IP Then try establishing an SSH and/or HTTPS connection with the self IP in the tcpdump command. If the request makes it to LTM, then you can look at any IP/port restrictions that might be configured in packet filters or the daemons themselves. Aaron

Hi Aaron! this is what appears with the tcpdump: (I do not see anything which can give me a clue about what it's happening.) I hope you can help me [root@bigip01:Standby] config tcpdump -nni 0.0 host 172.28.100.250 | grep 172.28.108.17 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes 10:14:14.212251 IP 172.28.108.17.49942 > 172.28.100.250.443: S 3264292511:3264292511(0) win 8192 10:14:17.206501 IP 172.28.108.17.49942 > 172.28.100.250.443: S 3264292511:3264292511(0) win 8192 10:14:23.205966 IP 172.28.108.17.49942 > 172.28.100.250.443: S 3264292511:3264292511(0) win 8192 10:14:54.700369 IP 172.28.108.17.49960 > 172.28.100.250.22: S 370168781:370168781(0) win 8192 10:14:57.700537 IP 172.28.108.17.49960 > 172.28.100.250.22: S 370168781:370168781(0) win 8192 10:15:03.700099 IP 172.28.108.17.49960 > 172.28.100.250.22: S 370168781:370168781(0) win 8192 1319 packets captured 1319 packets received by filter 0 packets dropped by kernel Thank you!

Hello Marta, the pcap shows SYN traffic from 172.28.108.17 to selfip 172.28.100.250 but it looks like the traffic just gets dropped (no SYN, ACK) sent back. Do you have any packet filters configured under Network>Packet Filters that might be dropping the traffic? Packet filter logs would show drops, provided the packet filter rule has logging enabled. Do other Self IP's have the same issue?

Hello Cspillane, No, I haven't any Packet Filters configured and it is disabled. (We are very newbie), and yes, it happens the same on other Self Ip. Moreover, the weird thing is we have configured another LTMs in the same conditions (this is the development LTM), and they work, but I do not understand why not here :-/

Access by https and ssh

25 Replies

Marta_19201
Nimbostratus
Apr 15, 2010
Sorry, Aaron, I have just read your message. I'm going to try and let you know
Marta_19201
Nimbostratus
Apr 15, 2010
To Aaron:

[root@bigipcolt01:Standby] config tcpdump -nni 0.0 host 172.28.100.250 | grep 172.28.108.17

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes

15:35:23.271777 IP 172.28.108.17 > 172.28.100.250: ICMP echo request, id 1, seq 2282, length 40

15:35:23.271798 IP 172.28.100.250 > 172.28.108.17: ICMP echo reply, id 1, seq 2282, length 40

15:35:24.272451 IP 172.28.108.17 > 172.28.100.250: ICMP echo request, id 1, seq 2283, length 40

15:35:24.272467 IP 172.28.100.250 > 172.28.108.17: ICMP echo reply, id 1, seq 2283, length 40

15:35:25.272378 IP 172.28.108.17 > 172.28.100.250: ICMP echo request, id 1, seq 2284, length 40

15:35:25.272398 IP 172.28.100.250 > 172.28.108.17: ICMP echo reply, id 1, seq 2284, length 40

15:35:26.272231 IP 172.28.108.17 > 172.28.100.250: ICMP echo request, id 1, seq 2285, length 40

15:35:26.272247 IP 172.28.100.250 > 172.28.108.17: ICMP echo reply, id 1, seq 2285, length 40

15:35:33.593358 IP 172.28.108.17.55467 > 172.28.100.250.443: S 2457874615:2457874615(0) win 8192

15:35:36.601083 IP 172.28.108.17.55467 > 172.28.100.250.443: S 2457874615:2457874615(0) win 8192

15:35:42.599618 IP 172.28.108.17.55467 > 172.28.100.250.443: S 2457874615:2457874615(0) win 8192

Apr 15 15:36:01 local/bigipcolt01 emerg system_check[5738]: 010d0006:0: Chassis power supply 102 is not supplying power (status: 0): make sure it is plugged in.

15:36:00.395239 IP 172.28.108.17.55468 > 172.28.100.250.22: S 1090008551:1090008551(0) win 8192

15:36:03.396809 IP 172.28.108.17.55468 > 172.28.100.250.22: S 1090008551:1090008551(0) win 8192

15:36:09.394335 IP 172.28.108.17.55468 > 172.28.100.250.22: S 1090008551:1090008551(0) win 8192

1222 packets captured

1222 packets received by filter

0 packets dropped by kernel
Marta_19201
Nimbostratus
Apr 15, 2010
To Cspillane:

[root@bigipcolt01:Standby] config bigstart status httpd

httpd (pid 2978) is running...

[root@bigipcolt01:Standby] config bigstart status sshd

openssh-daemon (pid 2935) is running...

[root@bigipcolt01:Standby] config bigstart status tomcat

tomcat run (pid 3201) 6 minutes
hoolio
Cirrostratus
Apr 15, 2010
Can you try connecting to the admin GUI from the command line using"

curl -k https://172.28.100.250

Aaron
Marta_19201
Nimbostratus
Apr 15, 2010
Yes, it works from the LTM command line, and it seems it returns the html page.

For your information, when I try to do a telnet 172.28.100.250 443 from the LTM command line, I see that the port is open, but I don't get any response from my client navigator!
hoolio
Cirrostratus
Apr 15, 2010
Do 'bigpipe httpd allow' and 'bigpipe sshd allow' show ALL hosts allowed?

Aaron
Marta_19201
Nimbostratus
Apr 15, 2010
yes....

[root@bigipcolt01:Standby] config bigpipe httpd allow

HTTPD - HTTPD Allow:

All

[root@bigipcolt01:Standby] config bigpipe sshd allow

SSHD - SSH IP Allow List:

ALL
Cspillane_18296
Nimbostratus
Apr 15, 2010
The LTM shouldn't respond to telnet, it'll only use secure (encrypted) methods like SSH or HTTPS.
Marta_19201
Nimbostratus
Apr 15, 2010
Of course, but I'm telnetting port 443 and 22, not default 23
Cspillane_18296
Nimbostratus
Apr 15, 2010
Apologies Marta, I misunderstood your previous statement.

I must say this appears to be an odd situation, I've never come across one quite like this before!

Forum Discussion

Access by https and ssh

25 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

F5 HTTPS Redirect 2025

HTTP Event Order -- Access Policy Manager

HTTP Basic Access Authentication iRule Style

Zero Trust Application Access for Federal Agencies

The State Of HTTP/2 With F5 LTM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS