Forum Discussion

ahadem's avatar
ahadem
Icon for Nimbostratus rankNimbostratus
May 13, 2024

F5 not sending traffic to Web pool

Hello All,   I am having issues with a new configured F5 big-IP that everything works fine as follows.   traffic from the client is coming to the firewall which is then natted to the private net...
announcement
application delivery
cloud
devops
event
ahadem's avatar
ahadem
Icon for Nimbostratus rankNimbostratus
May 13, 2024

I captured the tcpdump packet and analyzed it, the request is coming from the client and three-way handshake is done between the client and the F5 but after nothing happens and when I look into the pool statistics nothing is there and it's all zero. 

 

have captured packets multiple times and checked packet by packet and the connection is RST at last. 

 

apm oauth db-instance /Common/oauthdb {
    description "Default OAuth DB."
}
apm policy customization-source /Common/modern { }
apm policy customization-source /Common/standard { }
apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}
ilx global-settings {
    debug-port-blacklist { 47019 54321 60000 }
}
ltm default-node-monitor {
    rule none
}
ltm node /Common/f5STGWEB01 {
    address 10.10.10.15
    monitor /Common/https_443
}
ltm node /Common/web1 {
    address 10.10.10.21
    monitor /Common/https_443
}
ltm pool /Common/webpool {
    members {
        /Common/f5STGWEB01:443 {
            address 10.10.10.15
        }
        /Common/web1:443 {
            address 10.10.10.21
        }
    }
    monitor /Common/https and /Common/https_443
}
ltm snat-translation /Common/192.168.1.41 {
    address 192.168.1.41
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/snatpool1 {
    members {
        /Common/192.168.1.41
    }
}
ltm virtual /Common/virtualserver1 {
    creation-time 2024-04-30:17:02:17
    description "virtual server is the load balancer server"
    destination /Common/192.168.1.41:443
    ip-protocol tcp
    last-modified-time 2024-05-08:17:01:47
    mask 255.255.255.255
    pool /Common/webpool
    profiles {
        /Common/F5SANCert {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /Common/192.168.1.41 {
    address 192.168.1.41
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-local-only
}
ltm profile client-ssl /Common/F5SANCert {
    app-service none
    cert-key-chain {
        f5-F5-With-SAN_SANChainCert_0 {
            cert /Common/f5-F5-With-SAN
            chain /Common/SANChainCert
            key /Common/f5-F5-With-SAN
        }
    }
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    options { dont-insert-empty-fragments no-tlsv1.3 no-tlsv1.1 no-sslv3 no-tlsv1 }
}
ltm profile client-ssl /Common/F5f5 {
    app-service none
    cert-key-chain {
        f5-F5-certificate_F5f5Chain_0 {
            cert /Common/f5-F5-certificate
            chain /Common/F5f5Chain
            key /Common/f5-F5-certificate
        }
    }
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm profile client-ssl /Common/clientssl {
    alert-timeout indefinite
    allow-dynamic-record-sizing disabled
    allow-expired-crl disabled
    allow-non-ssl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    bypass-on-client-cert-fail disabled
    bypass-on-handshake-alert disabled
    c3d-client-fallback-cert none
    c3d-drop-unknown-ocsp-status drop
    c3d-ocsp none
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert /Common/default.crt
    cert-extension-includes { basic-constraints subject-alternative-name }
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain none
    cipher-group none
    ciphers DEFAULT
    client-cert-ca none
    crl none
    crl-file none
    data-0rtt disabled
    generic-alert enabled
    handshake-timeout 10
    inherit-ca-certkeychain false
    inherit-certkeychain false
    key /Common/default.key
    max-active-handshakes indefinite
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    maximum-record-size 16384
    mod-ssl-methods disabled
    mode enabled
    notify-cert-status-to-virtual-server disabled
    ocsp-stapling disabled
    options { dont-insert-empty-fragments no-tlsv1.3 }
    passphrase none
    peer-cert-mode ignore
    peer-no-renegotiate-timeout 10
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    retain-certificate true
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    ssl-c3d disabled
    ssl-forward-proxy disabled
    ssl-forward-proxy-bypass disabled
    ssl-forward-proxy-verified-handshake disabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}
ltm profile client-ssl /Common/mynewcertificate {
    alert-timeout indefinite
    allow-dynamic-record-sizing disabled
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert-key-chain {
        MyCertificate_0 {
            cert /Common/MyCertificate
            key /Common/MyCertificate
        }
    }
    cipher-group none
    ciphers DEFAULT
    data-0rtt disabled
    defaults-from /Common/clientssl
    generic-alert enabled
    handshake-timeout 10
    inherit-ca-certkeychain true
    inherit-certkeychain false
    max-active-handshakes indefinite
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    maximum-record-size 16384
    mod-ssl-methods disabled
    mode enabled
    notify-cert-status-to-virtual-server disabled
    ocsp-stapling disabled
    options { dont-insert-empty-fragments no-tlsv1.3 }
    peer-no-renegotiate-timeout 10
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}
ltm profile server-ssl /Common/do-not-remove-without-replacement {
    app-service none
}
net dns-resolver /Common/f5-aws-dns {
    forward-zones {
        amazonaws.com {
            nameservers {
                8.8.8.8:53 { }
            }
        }
        idservice.net {
            nameservers {
                8.8.8.8:53 { }
            }
        }
        shpapi.com {
            nameservers {
                8.8.8.8:53 { }
            }
        }
    }
    route-domain /Common/0
}
net dns-resolver /Common/internaldns {
    forward-zones {
        dns {
            nameservers {
                192.168.1.11:53 { }
                192.168.1.12:53 { }
            }
        }
    }
    route-domain /Common/0
}
net route /Common/default {
    gw 192.168.1.1
    mtu 1500
    network default
}