Forum Discussion

alex_a
Jun 04, 2022

F5 VS PR_CONNECT_RESET_ERROR

Hello everyone,

It's been a while since I worked with F5s (7 years) and I'm currently just getting back into it.

I'm setting up a POC for some testing.

I want to use the F5 as a half-proxy so the backend nodes can keep the firewall as default gateway, so a reverse-proxy setup.

I have one external VLAN with a VS and my nodes are also on the same network as the external VLAN.

Health checks pass, everything is green. When trying to connect via browser I get:

PR_CONNECT_RESET_ERROR

Via curl it's:

curl: (56) TCP connection reset by peer

Nothing at all is logged in /var/log/ltm (all log levels on info).

I enabled RST logging in the ltm log and all I see is this:

Jun 4 08:38:07 F5-BIGIP-17-LTM-01.tpcolo.local err tmm1[16953]: 01230140:3: RST sent from 10.14.58.83:443 to 10.14.58.110:33630, [0x2f81c25:1038] RST from BIG-IP internal Linux host
Jun 4 08:38:10 F5-BIGIP-17-LTM-01.tpcolo.local err tmm1[16953]: 01230140:3: RST sent from 10.14.58.82:443 to 10.14.58.110:46176, [0x2f81c25:1038] RST from BIG-IP internal Linux host

10.14.58.82/10.14.58.83 are my nodes.

10.14.58.110 is the BIGIP address in that VLAN.

Also when the reset happens this is logged:

Jun 4 08:38:11 F5-BIGIP-17-LTM-01.tpcolo.local err tmm[16953]: 01230140:3: RST sent from 10.14.58.112:46728 to 10.14.58.220:443, [0x2f7b6f9:14638] TCP retransmit timeout
Jun 4 08:38:11 F5-BIGIP-17-LTM-01.tpcolo.local err tmm[16953]: 01230140:3: RST sent from 10.14.58.220:443 to 10.10.47.91:46728, [0x2f7b6f9:14638] {peer} TCP retransmit timeout

10.14.58.112 is the BIG-IP floating IP in that VLAN.

10.14.58.220 is the VS.

10.10.47.91 is the client I'm testing the curl from.

VS config below:

ltm virtual HTTPS-GLSTG1 {
    creation-time 2022-06-03:07:25:25
    description "HTTPS VIP"
    destination 10.14.58.220:https
    fallback-persistence source_addr
    ip-protocol tcp
    last-modified-time 2022-06-04:08:34:09
    mask 255.255.255.255
    persist {
        hash {
            default yes
        }
    }
    pool STG-TDC-WEB2
    profiles {
        client-star_domain_com {
            context clientside
        }
        dos { }
        http { }
        http_security { }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
    }
    rules {
        sni-insert
    }
    serverssl-use-sni enabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 7
}

Any help would be much appreciated.

Thank you,

Alex

  • What do you mean by half-proxy? With F5 SNAT automap there shouldn't be any issue with the firewall being the default gateway, but for some reason you have translate-address disabled and translate-port disabled? Better read this https://support.f5.com/csp/article/K79443053, as if you are talking about asymmetric routing https://support.f5.com/csp/article/K13558 then you will need to fix your TCP profiles.

    About the RST: the first RST seems to be normal and matching https://support.f5.com/csp/article/K95191209, but the second ones, "TCP retransmit timeout" as described in https://support.f5.com/csp/article/K13223, seem to me to be caused by the server pool member, as F5 is sending the traffic to them without translating the destination IP address and port to the ones that the server has.

    I really don't get what you are trying to do, as your setup is strange and it is like you are playing in a lab. It is like you are trying to do a layer 2/3 virtual server setup but without having your servers share the F5 VS IP address and without F5 having the correct routing, or asymmetric routing if you plan for the return traffic to go directly to the client without F5. But just using SNAT automap and enabling address and port translation https://support.f5.com/csp/article/K8082 should be enough, going by the description of the issue.

    • alex_a

      Thank you very much for the reply. This helped a lot.

      I am trying to set up a Layer 7 HTTP VS purely for load balancing purposes.

      I do not want to use the F5 as a full-proxy. I don't want to create an L4 VS as I want to be able to terminate SSL on the F5.

      That was what I was missing: the address and port translation.

      • Perfect. As mentioned, the first reset was probably the health monitor and the second one was because you did not use address translation and F5 couldn't make the server selection based on pool and routing, and this is why it seemed like F5 is sending TCP RST to itself. You can configure the same IP addresses on the servers as the F5 VIP wildcards using the servers' loopback, but this is if you decide to play around some time after you have returned to the F5 world 😀
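The reply above diagnoses the two kinds of RST lines in the post (a monitor-related reset, and a retransmit timeout on a serverside flow whose destination was never translated away from the VS address) and points at translate-address/translate-port as the fix. As an added example, not from this thread or from F5, the Python below turns that triage into a small script: it parses 01230140:3 RST lines, labels the addresses with the roles the poster listed, and also lints a tmsh virtual server stanza for the disabled-translation combination. The role map, the sample log lines and the trimmed tmsh stanza are constructed test inputs copied in shape from the post; the verdict heuristics encode the thread's own reasoning and treat a {peer} marked line as the reset on the other side of the proxied connection, which is how the poster's pair of lines with the same cause code reads.

```python
import re

# Constructed sample: the four RST lines from the thread, reproduced as test input.
SAMPLE_LOG = """\
Jun 4 08:38:07 F5-BIGIP-17-LTM-01.tpcolo.local err tmm1[16953]: 01230140:3: RST sent from 10.14.58.83:443 to 10.14.58.110:33630, [0x2f81c25:1038] RST from BIG-IP internal Linux host
Jun 4 08:38:10 F5-BIGIP-17-LTM-01.tpcolo.local err tmm1[16953]: 01230140:3: RST sent from 10.14.58.82:443 to 10.14.58.110:46176, [0x2f81c25:1038] RST from BIG-IP internal Linux host
Jun 4 08:38:11 F5-BIGIP-17-LTM-01.tpcolo.local err tmm[16953]: 01230140:3: RST sent from 10.14.58.112:46728 to 10.14.58.220:443, [0x2f7b6f9:14638] TCP retransmit timeout
Jun 4 08:38:11 F5-BIGIP-17-LTM-01.tpcolo.local err tmm[16953]: 01230140:3: RST sent from 10.14.58.220:443 to 10.10.47.91:46728, [0x2f7b6f9:14638] {peer} TCP retransmit timeout
"""

# Constructed: the poster's tmsh stanza, trimmed to the lines the config check reads.
SAMPLE_VS = """\
ltm virtual HTTPS-GLSTG1 {
    destination 10.14.58.220:https
    pool STG-TDC-WEB2
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
}
"""

# Address roles exactly as the poster described them. Assumption: this map is
# maintained by hand for the environment being triaged.
ROLES = {
    "10.14.58.82": "pool member",
    "10.14.58.83": "pool member",
    "10.14.58.110": "BIG-IP self IP",
    "10.14.58.112": "BIG-IP floating self IP",
    "10.14.58.220": "virtual server",
    "10.10.47.91": "client",
}

# Shape of a BIG-IP RST log line: endpoints, bracketed cause code, optional {peer}, cause text.
RST_RE = re.compile(
    r"RST sent from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"\[(?P<code>0x[0-9a-f]+:\d+)\] (?P<peer>\{peer\} )?(?P<cause>.+)$"
)


def parse_rst_line(line):
    """Parse one RST log line into a dict; return None for lines that are not RST records."""
    m = RST_RE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]), "src_role": ROLES.get(m["src"], "unknown"),
        "dst": m["dst"], "dport": int(m["dport"]), "dst_role": ROLES.get(m["dst"], "unknown"),
        "code": m["code"], "peer": m["peer"] is not None, "cause": m["cause"].strip(),
    }


def triage(rec):
    """Classify one parsed RST record using the thread's reasoning."""
    cause = rec["cause"]
    # Reset attributed to the Linux host, with a pool member on the 443 side: monitor traffic.
    if cause == "RST from BIG-IP internal Linux host" and rec["src_role"] == "pool member":
        return "benign: reset on a health monitor probe to a pool member"
    if cause == "TCP retransmit timeout":
        if rec["peer"]:
            # The {peer} line is the clientside flow torn down because the serverside one failed.
            return f"clientside: {rec['dst_role']} {rec['dst']} reset because the serverside flow failed"
        if rec["dst_role"] == "virtual server":
            # Serverside SYNs aimed at the VS address itself: destination was never translated.
            return ("serverside: SYNs were sent to the VS address itself, i.e. the destination "
                    "was not translated to a pool member; check translate-address/translate-port")
        return f"serverside: no reply from {rec['dst_role']} {rec['dst']}:{rec['dport']}"
    return f"unclassified: {cause}"


def analyze(log_text):
    """Return (record, verdict) pairs for every RST line in the log text."""
    results = []
    for line in log_text.splitlines():
        rec = parse_rst_line(line)
        if rec is not None:
            results.append((rec, triage(rec)))
    return results


def check_translation(vs_config):
    """Flag disabled address/port translation on a pool-backed virtual server stanza."""
    findings = []
    pool = re.search(r"^\s*pool (\S+)", vs_config, re.M)
    for key in ("translate-address", "translate-port"):
        m = re.search(rf"^\s*{key} (\w+)", vs_config, re.M)
        if pool and m and m[1] == "disabled":
            findings.append(f"{key} disabled on a pool-backed VS: members of {pool[1]} "
                            "receive the VS destination unchanged")
    return findings


if __name__ == "__main__":
    for rec, verdict in analyze(SAMPLE_LOG):
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} [{rec['code']}] {verdict}")
    for finding in check_translation(SAMPLE_VS):
        print("config:", finding)
```

Run it against a real /var/log/ltm extract by replacing SAMPLE_LOG and extending ROLES with the self IPs, floating IPs, VS addresses and pool members of the box; lines that the regex does not match are skipped, so the rest of the log can stay in the input.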