Forum Discussion

Jul 07, 2011

External VS and internal pool members port 80 issue

Hello Community,

I hope this is the correct forum. I currently have an issue with setting up an external VS to connect to an internal node member.

ex)

VS xyz (external F5/outside the firewall over port 80) <--> pool xyz (port 80) <--> members (internal pool member/node/inside the firewall with port 80 open)

If you make a request for a txt file from the port 80 VS to an internal member/node over port 80, it fails.

NOTE: Tried this with port translation off/on and got the same results.

If you make a request for a txt file from the port 80 VS to an internal member/node over port 8080, it is successful.

NOTE: Works with port translation turned on.

URL: http://wwwqaddev.qad.com/servername.txt

Any ideas on why this would happen?

Thanks!

Regards,

TRX

  • Hamish
    From that description I would suggest that either the pool members are really listening on port 8080, and not port 80 after all, or there is a firewall (or other NAT device) doing port translation between them...
  • Do you have SNAT Automap enabled (on VS xyz)?

    If the target (internal server) does not reside on a network where the BIG-IP owns an IP address, then you will need to enable SNAT.
  • Let me get back to you on my results.

    Thanks.

    Regards,

    TRX
  • Hello,

    The IP of the target internal server is NOT on the external F5. SNAT, address translation, and port translation are enabled.

    I've tried it with SNAT disabled and port translation disabled, but the issue still exists. Not sure what to try next. The problem seems to be connecting from the same port on the external F5 to the same server port (on the internal F5 or directly on the internal server).

    Any more ideas or things to try?

    Regards,

    TRX

  • Like Hamish suggested, it seems like something after the DMZ LTM is doing port translation. You can use tcpdump to verify the LTM is sending the request to the pool members on port 80, and then use tcpdump on the internal LTM to see if the request is making it there. If you see packets leaving the external LTM but not arriving on the internal LTM, it's probably something in between blocking it.

    Aaron
  • Thanks. The firewall was blocking the external F5 IP. Issue is now resolved.

    Regards,

    TRX
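Aaron's tcpdump check (capture on the external LTM, capture on the internal LTM, see whether the same SYN shows up on both) is easy to eyeball for one flow and tedious for many. The script below is an added example, not from this thread and not F5 tooling: it parses plain `tcpdump -nn` text from both boxes, matches the client-to-member flows by 4-tuple, and reports which hop lost each one. It distinguishes the three outcomes that came up in the thread: a SYN that leaves the DMZ LTM and never arrives internally (the firewall block TRX found), a member that resets the connection (Hamish's "not listening on 80 after all"), and a SYN-ACK that is seen internally but never makes it back (the missing-SNAT / asymmetric-routing case). The IPs, ports, interface name and sample capture lines are all constructed placeholders, and it assumes the firewall between the LTMs does not NAT, so the 4-tuple is identical in both captures.

```python
"""
Added example (not from the DevCentral thread, not F5 code): compare tcpdump
text from the external (DMZ) LTM and the internal LTM and say where a
client->member connection died.

Assumed capture command on each BIG-IP (plain tcpdump syntax; 10.1.1.10 and
the interface name are placeholders):
    tcpdump -nni 0.0 'host 10.1.1.10 and (tcp port 80 or tcp port 8080)'
Assumes no NAT between the two LTMs and tcpdump's "Flags [S]" line style.
"""
import re

# One tcpdump -nn IPv4/TCP line, e.g.
# 10:00:00.000001 IP 192.0.2.10.40001 > 10.1.1.10.80: Flags [S], seq 1, win 64240, length 0
TCP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_flows(capture, member_ports=(80, 8080)):
    """Group lines into flows keyed (client, cport, member, mport) and collect
    the TCP flag strings seen in each direction."""
    flows = {}
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        sport, dport = int(sport), int(dport)
        if dport in member_ports:        # client (or SNAT address) -> member
            key, direction = (src, sport, dst, dport), "fwd"
        elif sport in member_ports:      # member -> client
            key, direction = (dst, dport, src, sport), "rev"
        else:
            continue
        flows.setdefault(key, {"fwd": set(), "rev": set()})[direction].add(flags)
    return flows


def flow_state(flow):
    """Reduce one flow's flag sets to what happened to the TCP handshake."""
    if any("S" in f and "." in f for f in flow["rev"]):
        return "handshake"   # SYN-ACK came back from the member
    if any("R" in f for f in flow["rev"]):
        return "refused"     # RST came back: nothing listening, or a device rejecting
    if "S" in flow["fwd"]:
        return "syn_only"    # SYN(s) went out, nothing at all came back
    return "other"


def locate_drop(external_capture, internal_capture, member_ports=(80, 8080)):
    """For every flow on the external LTM, compare with the internal LTM
    capture and return a verdict per flow key."""
    ext = parse_flows(external_capture, member_ports)
    inn = parse_flows(internal_capture, member_ports)
    verdicts = {}
    for key, flow in ext.items():
        mport = key[3]
        ext_state = flow_state(flow)
        if ext_state == "handshake":
            verdicts[key] = "ok: member completed the handshake on port %d" % mport
        elif ext_state == "refused":
            verdicts[key] = ("reset: nothing listening on port %d on the member, "
                             "or a device in the path is rejecting it" % mport)
        elif key not in inn:
            verdicts[key] = ("dropped between LTMs: SYN left the external LTM but "
                             "never reached the internal LTM (firewall or NAT in between)")
        elif flow_state(inn[key]) == "handshake":
            verdicts[key] = ("return path broken: SYN-ACK seen on the internal LTM only "
                             "(asymmetric routing; check SNAT on the external VS)")
        elif flow_state(inn[key]) == "syn_only":
            verdicts[key] = "SYN reached the internal LTM but the member never answered"
        else:
            verdicts[key] = "inconclusive"
    return verdicts


# Constructed sample captures (not real traffic). SNAT automap has rewritten the
# client source to the external LTM's self IP 192.0.2.10; the member is 10.1.1.10.
EXTERNAL_CAPTURE = """\
10:00:00.000001 IP 192.0.2.10.40001 > 10.1.1.10.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000001 IP 192.0.2.10.40001 > 10.1.1.10.80: Flags [S], seq 1, win 64240, length 0
10:00:05.000001 IP 192.0.2.10.40002 > 10.1.1.10.8080: Flags [S], seq 2, win 64240, length 0
10:00:05.000300 IP 10.1.1.10.8080 > 192.0.2.10.40002: Flags [S.], seq 9, ack 3, win 65535, length 0
10:00:05.000400 IP 192.0.2.10.40002 > 10.1.1.10.8080: Flags [.], ack 10, win 64240, length 0
10:00:09.000001 IP 192.0.2.10.40003 > 10.1.1.10.80: Flags [S], seq 5, win 64240, length 0
10:00:09.000300 IP 10.1.1.10.80 > 192.0.2.10.40003: Flags [R.], seq 0, ack 6, win 0, length 0
"""
INTERNAL_CAPTURE = """\
10:00:05.000100 IP 192.0.2.10.40002 > 10.1.1.10.8080: Flags [S], seq 2, win 64240, length 0
10:00:05.000200 IP 10.1.1.10.8080 > 192.0.2.10.40002: Flags [S.], seq 9, ack 3, win 65535, length 0
10:00:09.000100 IP 192.0.2.10.40003 > 10.1.1.10.80: Flags [S], seq 5, win 64240, length 0
10:00:09.000200 IP 10.1.1.10.80 > 192.0.2.10.40003: Flags [R.], seq 0, ack 6, win 0, length 0
"""

if __name__ == "__main__":
    for key, verdict in locate_drop(EXTERNAL_CAPTURE, INTERNAL_CAPTURE).items():
        print("%s:%d -> %s:%d  %s" % (key + (verdict,)))
```

In the constructed data the port 80 SYN from 192.0.2.10:40001 is retransmitted on the external LTM and never appears internally, which is exactly the "firewall blocking the external F5 IP" outcome the thread ended on; the port 8080 flow completes on both boxes; and the third flow is answered with a RST from the member, the "not really listening on 80" case. Retransmitted SYNs collapse into one flow because the key is the 4-tuple, so a retry storm does not produce duplicate verdicts.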