Forum Discussion
"Connection Reset" with Standard Virtual Server
Hello,
I am seeing "ERR_EMPTY_RESPONSE" errors with a "Standard" virtual server, but not with a "Performance (HTTP)" virtual server. I would like to use an "Access Policy" to require SAML Authentication, which appears to only be supported with a "Standard" virtual server". I am using SNAT with Auto Map. My problem seems similar to this issue. Any tips on what I should be looking at?
Notes:
I am using BIG-IP 17.1.1.3 Build 0.0.5 Point Release 3
I've disabled HTTPS on my backend and frontend server to help diagnose the issue.
I've tried the normal TCP and HTTP Profile. I also cloned them and made the header sizes larger for the HTTP profile, to no avail.
I do not have any iRules configured.
I have enabled SSO (SSO authentication works fine, but after authenticating I still see an empty response from the backend).
I've taken a PCAP on the backend server and, in analyzing the PCAP, it appears that the request F5 initiates to my backend server is a malformed HTTP request (see the GET / below which doesn't appear to be encapsulated in an HTTP segment). The backend returns a "400" and the client receives ERR_EMPTY_RESPONSE.
other notes:
Confirmed that I have Self IPs under Network > Self IPs
Confirmed that I have enabled SNAT IPs.
HTTP Profile is the standard HTTP Profile. SSL Profile (Which I think shouldn't matter, since this is all HTTP) is (client|server)ssl-insecure-compatible
VLAN and Tunnel Traffic is set to "all VLANs and Tunnels"
Source Address Translation is set to "Auto Map"
I have a policy to rewrite the Host header, but I still have the problem whether it is attached or detached from the Virtual Server.
My pools and nodes are marked as healthy.
First, I would use auto map and instead I would setup a SNAT pool with the virtual server IP in question and use that as the SNAT pool in order to avoid possible issues with high connections. Second, what happens when you follow the tcp stream on that 400 bad request? Are you sure the client isn't making the request? You might be able to follow the ephemeral port for the request to the pool member because typically the
F5 attempts to use the same ephemeral port that the client uses when SNAT has been enabled.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com