F5 VS PR_CONNECT_RESET_ERROR
Hello everyone,
It's been a while since I worked with F5s (7 years) and I'm currently just getting back into it.
I'm setting up a POC for some testing.
I want to use the F5 as a half-proxy so the backend nodes can keep the firewall as default gateway, so a reverse-proxy setup.
I have one external VLAN with a VS and my nodes are also on the same network as the external VLAN.
Health checks pass, everything is green. When trying to connect via browser I get:
PR_CONNECT_RESET_ERROR
Via curl it's:
curl: (56) TCP connection reset by peer
Nothing at all is logged in /var/log/ltm (all log levels on info).
I enabled RST logging in the ltm log and all I see is this:
Jun 4 08:38:07 F5-BIGIP-17-LTM-01.tpcolo.local err tmm1[16953]: 01230140:3: RST sent from 10.14.58.83:443 to 10.14.58.110:33630, [0x2f81c25:1038] RST from BIG-IP internal Linux host
Jun 4 08:38:10 F5-BIGIP-17-LTM-01.tpcolo.local err tmm1[16953]: 01230140:3: RST sent from 10.14.58.82:443 to 10.14.58.110:46176, [0x2f81c25:1038] RST from BIG-IP internal Linux host
10.14.58.82/10.14.58.83 are my nodes
10.14.58.110 is the BIGIP address in that VLAN.
Also when the reset happens this is logged:
Jun 4 08:38:11 F5-BIGIP-17-LTM-01.tpcolo.local err tmm[16953]: 01230140:3: RST sent from 10.14.58.112:46728 to 10.14.58.220:443, [0x2f7b6f9:14638] TCP retransmit timeout
Jun 4 08:38:11 F5-BIGIP-17-LTM-01.tpcolo.local err tmm[16953]: 01230140:3: RST sent from 10.14.58.220:443 to 10.10.47.91:46728, [0x2f7b6f9:14638] {peer} TCP retransmit timeout
10.14.58.112 is the BIGIP floating IP in that VLAN
10.14.58.220 is the VS
10.10.47.91 is the client I'm testing the curl from.
VS config below:
ltm virtual HTTPS-GLSTG1 {
    creation-time 2022-06-03:07:25:25
    description "HTTPS VIP"
    destination 10.14.58.220:https
    fallback-persistence source_addr
    ip-protocol tcp
    last-modified-time 2022-06-04:08:34:09
    mask 255.255.255.255
    persist {
        hash {
            default yes
        }
    }
    pool STG-TDC-WEB2
    profiles {
        client-star_domain_com {
            context clientside
        }
        dos { }
        http { }
        http_security { }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
    }
    rules {
        sni-insert
    }
    serverssl-use-sni enabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 7
}
Any help would be much appreciated.
Thank you,
Alex
What do you mean by half-proxy? With F5 SNAT automap there shouldn't be an issue with the firewall being the default gateway, but for some reason you have translate-address disabled and translate-port disabled? Better read this https://support.f5.com/csp/article/K79443053 as if you are talking about asymmetric routing https://support.f5.com/csp/article/K13558 then you will need to fix your TCP profiles.
About the RSTs, the first RST seems to be normal and matches https://support.f5.com/csp/article/K95191209, but the second ones, "TCP retransmit timeout" as described in https://support.f5.com/csp/article/K13223, seem to me to be caused by the server pool members, as F5 is sending the traffic to them without translating the destination IP address and port to the ones that the server has.
I really don't get what you are trying to do, as your setup is strange and it is like you are playing in a lab. It is like you are trying to do a layer 2/3 virtual server setup but without having your servers share the F5 VS IP address and F5 having the correct routing, or asymmetric routing if you plan the return traffic to go directly to the client without F5, but just using SNAT automap and enabling address and port translation https://support.f5.com/csp/article/K8082 should be enough by reading the description of the issue.
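Added example, not from the post or the reply: a small Python check that parses a tmsh `ltm virtual` block like the one posted above and flags the translation settings the reply points at (translate-address and translate-port disabled on a host virtual server that has a pool). The sample block is the poster's VS trimmed to the settings the check reads; the `snat-type` key and the issue wording are my own.

```python
import re

# Constructed sample: the poster's virtual server trimmed to the settings this check reads.
SAMPLE_VS = """
ltm virtual HTTPS-GLSTG1 {
    destination 10.14.58.220:https
    mask 255.255.255.255
    pool STG-TDC-WEB2
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
}
"""

def parse_vs(text):
    """Flatten one 'ltm virtual' block: top-level 'key value' pairs plus the SNAT type."""
    m = re.search(r"ltm virtual (\S+) \{(.*)\}\s*$", text, re.S)
    if not m:
        raise ValueError("no ltm virtual block found")
    vs, depth, in_snat = {"name": m.group(1)}, 0, False
    for line in m.group(2).splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[-1] == "{":   # entering a nested block; remember if it is the SNAT block
            in_snat = in_snat or (depth == 0 and tok[0] == "source-address-translation")
            depth += 1
        elif tok[0] == "}":  # leaving a nested block
            depth -= 1
            in_snat = in_snat and depth > 0
        elif depth == 0 and len(tok) == 2:
            vs[tok[0]] = tok[1]
        elif in_snat and tok[0] == "type":
            vs["snat-type"] = tok[1]
    return vs

def find_issues(vs):
    """Flag settings that forward client packets to pool members with the VS address
    or port left unchanged, the reply's reading of the 'TCP retransmit timeout' RSTs."""
    issues = []
    if "pool" in vs and vs.get("mask") == "255.255.255.255":
        if vs.get("translate-address") == "disabled":
            issues.append("translate-address disabled: members receive packets addressed to the VS IP")
        if vs.get("translate-port") == "disabled":
            issues.append("translate-port disabled: members must listen on the VS port itself")
    return issues
```

Running `find_issues(parse_vs(SAMPLE_VS))` reports both disabled settings; flipping them to `enabled` in the block clears the report.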