External VS and internal pool members port 80 issue

Question

Hello Community,

I hope this is the correct forum. I'm a currently have an issue with setting up an external VS to connect to an internal node member.

ex)

VS xyz (external f5/outside the firewall over port 80) <--> pool xyz (port 80) <--> members (internal pool member/node/inside the firewall with port 80 open)

If you make a request to a txt file from port 80 VS to a internal member/node over port 80, it fails.

NOTE: Tried this with port translation off/on and got the same results.

If you make a request to a txt file from port 80 VS to a internal member/node over port 8080, it successful.

NOTE: Works with port translation turned on.

URL: http://wwwqaddev.qad.com/servername.txt

Any ideas on why this would happen?

Thanks!

Regards,

TRX

hamish · Answer

From that description I would suggest that either the pool members are really listening on port 8080, and not port 80 aft all, or there is a firewall (or other nat device) doing port translation between them...

michael_yates · Answer

Do you have SNAT Automap Enabled (on VS xyz)? 
&nbsp;  
&nbsp; If the target (Internal Server) does not reside (have an IP Address owned by the BIG-IP) then you will need to enable SNAT.

trx · Answer

Let me get back to you on my results.  
&nbsp;  
&nbsp; Thanks. 
&nbsp;  
&nbsp; Regards, 
&nbsp; TRX

trx · Answer

Hello ,

The IP of target internal server is NOT on the external f5. SNAT is enabled, address translation, and port translation is enabled.

I've tried it with snat disabled and port translation disabled, but the issue is still exist. Not sure what to try next. The problem seems to have trouble connecting from the same port from the external f5 to the same server port (on the internal f5 or direct on the internal server).

Any more ideas or things to try?

Regards,

TRX

hooleylist · Answer

Like Hamish suggested, it seems like something after the DMZ LTM is doing port translation.  You can use tcpdump to verify LTM is sending the request to the pool members on port 80 and then use tcpdump on the internal LTM to see if the request is making it there.  If see packets leaving the external LTM but not arriving on the internal LTM, it's probably something in between blocking it. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

External VS and internal pool members port 80 issue

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Create isolated environment for internal and external networks

CSV to Address External Datagroup File

DevCentral's Featured Member for February - Edouard Zorrilla

DevCentral's Featured Member for April - Mihai Cziraki

DevCentral's Featured Member for March - Thomas Dahlmann

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS