Forum Discussion
Communications problems between servers
Hi,
We have some problems with the communications of some servers. The situation is below:
- Server A on VLAN 1 with IP 192.168.1.1/24
- Server B on VLAN 1 with IP 192.168.1.3/24
- Server C on VLAN 1 with IP 192.168.1.5/24
- Virtual Server on VLAN 2 with IP 192.168.3.2/24 (its nodes are servers A and B)
The service is over http and https, and we are not using SNAT.
When clients from the Internet try to connect to the service there is no problem, but when server C asks for the virtual server service, the connections never reach server A or B. We just have this problem with connections from servers that are in the same VLAN.
If we do a tcpdump we can see:
12:00:15.139092 IP 192.162.1.5.dyna-lm > 192.162.3.2.http: S 1702227370:1702227370(0) win 65535 <mss 1460,nop,nop,sackOK>
But it seems the connection doesn't go out from the BIG-IP, since on servers A and B we cannot see any connection from server C or the Virtual Server.
Any idea? Could you help me?
Thanks Regards
33 Replies
- JRahm
Admin
if hitting that external service for servers 1/2, it will always fail the three way handshake. You'll need to add an iRule that will snat the requests from server 5
when CLIENT_ACCEPTED {
    if { [IP::client_addr] eq "192.168.1.5" } {
        snat automap
    }
}
- Edu_50128
Nimbostratus
ok, I see
but what we cannot understand is why the F5 doesn't send the connection from server C to server A; then we have the problem with the asymmetric traffic, I see, but what about the other situation?
Thanks for your help!
Here you have the tcpdump -i 0.0 -nn host 192.168.1.1 or host 192.168.1.2 or host 192.168.1.5
yeah that is just odd, but hard to guess what it might be from here. you are sure the virtual server listens to that vlan or all vlans? there is no packetfilter configured on the F5?
can you setup a test virtual server that access something on the front of F5 and see if you can get that working?
- Edu_50128
Nimbostratus
Yes, I'm sure. You can see that, for example, traffic from internet to 192.168.3.2 can reach server A or B, so from VS can reach this vlan.
We'll try what you say and let you know. Thanks
- there is a difference between from internet and via the same subnet, so perhaps there is something going on there. but like i said it is tricky without looking at the full config.
- Edu_50128
Nimbostratus
what do you need from our config? I can post/send you whatever you need
- nitass
Employee
what do you need from our config? I can post/send you whatever you need
may you post the virtual server and pool configuration?
tmsh list ltm virtual (name)
tmsh list ltm pool (name)
- Edu_50128
Nimbostratus
Here you have:
[admin@ITX196009BDMZ:Active] ~ tmsh list ltm virtual owsssfo_HTTP
ltm virtual owsssfo_HTTP {
    destination 192.168.3.2:http
    ip-protocol tcp
    mask 255.255.255.255
    pool owsssfo_HTTP
    profiles {
        HTTP_OPV { }
        tcp { }
    }
    rules {
        CT_ASEI
    }
    snat automap
    vlans {
        external
    }
    vlans-enabled
}
[admin@ITX196009BDMZ:Active] ~
ltm virtual owsssfo_HTTPS {
    destination 192.168.3.2:https
    ip-protocol tcp
    mask 255.255.255.255
    pool owsssfo_HTTPS
    profiles {
        tcp { }
    }
    rules {
        CT_HTTPS
    }
    snat automap
    vlans {
        external
    }
    vlans-enabled
}
[admin@ITX196009BDMZ:Active] ~
[admin@ITX196009BDMZ:Active] ~ tmsh list ltm pool owsssfo_HTTP
ltm pool owsssfo_HTTP {
    members {
        pxz331:http {
            address 192.168.1.1
            session monitor-enabled
            state up
        }
        pxz332:http {
            address 192.168.1.3
            session monitor-enabled
            state up
        }
    }
    monitor owsssfo_HTTP
}
[admin@ITX196009BDMZ:Active] ~ tmsh list ltm pool owsssfo_HTTPS
ltm pool owsssfo_HTTPS {
    members {
        pxz331:https {
            address 192.168.1.1
            session monitor-enabled
            state up
        }
        pxz332:https {
            address 192.168.1.3
            session monitor-enabled
            state up
        }
    }
    monitor owsssfo_HTTPS
}
[admin@ITX196009BDMZ:Active] ~
- Beinhard_8950
Nimbostratus
vlans { external
I guess that this vlan is not the 192.168.1.1/24 so you need to add the "internal" as well. Just a thought.
- nitass
Employee
vlans { external } vlans-enabled
can you also enable the virtual server on internal vlan (192.168.1.x)?
- Edu_50128
Nimbostratus
how can I do that?
- nitass
Employee
how can I do that?
there is "vlan and tunnel traffic" setting under virtual server configuration.
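The two conditions raised in this thread (a virtual server enabled only on some VLANs, and a client on the same subnet as the pool members without SNAT) can be checked against `tmsh list ltm virtual` output with a short script. This is an added example, not part of any reply; the VLAN names `internal` and `external`, their subnets, and the trimmed sample config are assumptions.

```python
import ipaddress
import re

# Constructed sample: fields of the virtual server posted in the thread, with
# the snat line left out to model the "not using SNAT" case from the first post.
SAMPLE_VS = """ltm virtual owsssfo_HTTP {
    pool owsssfo_HTTP
    vlans {
        external
    }
    vlans-enabled
}"""

# Assumptions: VLAN names and their subnets (addresses from the first post).
VLAN_SUBNETS = {"internal": "192.168.1.0/24", "external": "192.168.3.0/24"}
POOL_MEMBERS = ["192.168.1.1", "192.168.1.3"]


def parse_virtual(text):
    """Pull the VLAN list, VLAN mode and snat setting out of tmsh list output."""
    vlans = re.search(r"\bvlans\s*\{([^}]*)\}", text)
    mode = re.search(r"^\s*(vlans-enabled|vlans-disabled)\s*$", text, re.M)
    snat = re.search(r"^\s*snat\s+(\S+)", text, re.M)
    return {"vlans": vlans.group(1).split() if vlans else [],
            "mode": mode.group(1) if mode else None,
            "snat": snat.group(1) if snat else None}


def vlan_of(ip):
    # Name of the directly connected VLAN holding ip, or None if it is routed.
    addr = ipaddress.ip_address(ip)
    for name, net in VLAN_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None


def diagnose(client_ip, vs_text):
    """Return the reasons a client at client_ip cannot complete a connection."""
    vs = parse_virtual(vs_text)
    vlan = vlan_of(client_ip) or "external"  # assumption: routed clients enter via external
    listed = vlan in vs["vlans"]
    findings = []
    if (vs["mode"] == "vlans-enabled" and not listed) or \
       (vs["mode"] == "vlans-disabled" and listed):
        findings.append("virtual server not listening on VLAN " + vlan)
    # No SNAT: a same-subnet pool member replies directly, bypassing the BIG-IP.
    if vs["snat"] in (None, "none") and any(vlan_of(m) == vlan for m in POOL_MEMBERS):
        findings.append("SNAT needed for same-subnet client")
    return findings
```

The check only sees a virtual-server-level `snat` line in the form this thread's output uses; SNAT applied from an iRule does not appear in that output.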