Forum Discussion
F5 ASM AWS backend sending connection reset.
I deployed a couple of F5 WAFs in AWS in HA. The backend fails to load in the browser (reset); tcpdump shows we can get to the virtual server, and curl can reach the web server from the LTM.
The deployment contains this IP address setup:
----------------------------------------
[external subnet]
Self IP Address (priv)
external_floating (s.priv)
----------------------------------------
[mgmt subnet]
Mgmt Interfaces: Private IP
EIP
----------------------------------------
[internal subnet]
SelfIP (Internal sync)
Internal Floating
----------------------------------------
[virtual server]
EIP (Associate)
Virtual Server (s.priv)
Pool
----------------------------------------
The routing table & security group rules are all set and an Elastic IP has been associated with the secondary private address. Any ideas would be appreciated.
22 Replies
Yann_Desmarest_ (Nacreous):
Hi,
Did you set the SNAT setting to automap on the VS?
You can log the TCP reset reason in the LTM log file. Here is the link to AskF5: https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
The tmsh command to activate logging:
    modify /sys db tm.rstcause.log value enable

Jeremy_18125 (Nimbostratus):
Thanks, Source Address Translation is set to automap, and all monitors are green. Software version is 12.0. This looks puzzling; also the LTM log shows an RST sent from the virtual server IP to the browser:
    [0x2019dac:3657] No route to host

    tmsh show /net rst-cause
    ---------------------------------
    TCP/IP Reset Cause
    RST Cause                    Count
    ---------------------------------
    Flow expired (sweeper)         202
    HA disconnect                    4
    No local listener              465
    No pool member available        14
    No route to host               819
    No server selected              39
    TCP 3WHS rejected               34
    TCP RST from remote system       4

"No route to host" & "No pool member available" could have something to do with the pool subnet being different to the internal subnet, maybe.

Yann_Desmarest_ (Nacreous):
Hi, you need to identify precisely the cause. In general, I run a tailf /var/log/ltm at the same time as my test.

Yann_Desmarest_ (Nacreous):
When using the curl command on the BIG-IP, the source address is the self IP, but connecting to the app through the VS forces the source address to the floating IP.
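Added here as a worked example, not code from the thread or from F5: a small Python triage script that parses the "RST sent from ... [code] cause" lines that the tm.rstcause.log db key writes to /var/log/ltm and the counter table from tmsh show /net rst-cause, then groups resets by the listener that sent them and by cause. The log excerpt and table are constructed samples modelled on the output quoted above; the syslog prefix and the 0x0000000:0 code are assumptions.

```python
import re
from collections import Counter
# Constructed /var/log/ltm excerpt in the shape the tm.rstcause.log db key produces;
# hosts, PIDs, addresses and the 0x0000000:0 code are placeholders, while the
# "[0x2019dac:3657] No route to host" suffix is the one quoted in the thread.
SAMPLE_LTM_LOG = """\
Jun  3 10:15:01 bigip1 warning tmm[12345]: 01230140:4: RST sent from 10.0.3.20:80 to 198.51.100.7:51234, [0x2019dac:3657] No route to host
Jun  3 10:15:02 bigip1 warning tmm[12345]: 01230140:4: RST sent from 10.0.3.20:80 to 198.51.100.7:51236, [0x2019dac:3657] No route to host
Jun  3 10:15:05 bigip1 warning tmm[12345]: 01230140:4: RST sent from 10.0.3.20:443 to 198.51.100.9:40001, [0x0000000:0] No local listener
Jun  3 10:15:06 bigip1 notice mcpd[4321]: 01070638:5: Pool /Common/web_pool member /Common/10.0.4.10:80 monitor status up.
"""

# Constructed excerpt of 'tmsh show /net rst-cause' output (column layout as above).
SAMPLE_RST_CAUSE = """\
---------------------------------
TCP/IP Reset Cause
RST Cause                    Count
---------------------------------
Flow expired (sweeper)         202
No local listener              465
No route to host               819
"""

RST_LINE = re.compile(
    r"RST sent from (?P<src>[\d.]+:\d+) to (?P<dst>[\d.]+:\d+), "
    r"\[(?P<code>0x[0-9a-f]+:\d+)\] (?P<cause>.+?)\s*$")
COUNTER_LINE = re.compile(r"^(?P<cause>\S.*?)\s+(?P<count>\d+)\s*$")

def parse_rst_events(log_text):
    """One dict per 'RST sent' line; src is the BIG-IP side that sent the RST."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := RST_LINE.search(line))]

def resets_by_listener(events):
    """Count (sending ip:port, cause) pairs: which listener resets, and why."""
    return Counter((e["src"], e["cause"]) for e in events)

def parse_rst_cause_table(text):
    """Map cause name -> count from the tmsh table, skipping rulers and headers."""
    counts = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m and not line.startswith("-"):
            counts[m["cause"]] = int(m["count"])
    return counts

def top_causes(counts, n=3):
    """Causes by descending count; the top one is where to start troubleshooting."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Feed it the real /var/log/ltm and rst-cause output and the per-listener breakdown tells you which virtual server is resetting clients and for which reason, which is the question the thread is trying to answer.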
Hi Jeremy,
Below is an iRule example I developed in 2014 to achieve the same feature as FQDN nodes:

    when HTTP_REQUEST {
        set host "www.myhostname.com"
        # hold the request until the name has been resolved
        HTTP::collect
        # resolve hostname
        NAME::lookup @x.x.x.x $host
    }
    when NAME_RESOLVED {
        set remoteip [lindex [NAME::response] 0]
        if { $remoteip != "" } {
            node $remoteip 80
        } else {
            log local0. "Hostname resolution failed !!!"
        }
        HTTP::release
    }
    when LB_FAILED {
        log local0. "Selected server [LB::server] did not respond."
    }

Aso (Nimbostratus):
This thread basically saved me from days of headaches.
I was going crazy over it; I had the same 2-VPC peering setup and 3-NIC F5 from https://clouddocs.f5.com/cloud/public/v1/aws/AWS_multiNIC.html.
Adding this route wasn't mentioned anywhere and I couldn't get to it myself. Thank you guys from 5 years ago, hope you're doing well.