Forum Discussion
Fail to access DVWA which is behind F5 LTM
Hi Team,
Step 1.
Tried to set up the DVWA Docker container according to the link below:
https://github.com/ethicalhack3r/DVWA
docker run --rm -it -p 80:80 vulnerables/web-dvwa
When accessing DVWA from the internet, it works and I can reach the login page.
Step 2.
Then I added that DVWA server as a pool member in F5 LTM; access then fails when going via the Virtual Server IP address from the internet.
A few key items:
- the F5 setting should be correct, as once I change the pool member to an Nginx web server, it works instantly. Thus, the F5 configuration should be no problem. (SNAT automap is configured)
- if I access DVWA on the same network, it works
- the access.log of Apache shows the following when behind the F5:
10.1.1.14 - - "GET /" 302 0 "-" "-"
where 10.1.1.14 is the VS IP address.
Any clue? I wonder if it may need some configuration change on Apache or so. Has anyone encountered this before? Thanks
Br,
Sam Fok
- Martin_Šebek (Altostratus)
How does it come that the log file on Apache shows 10.1.1.14 as the client IP address when it is configured as the VS IP address with SNAT automap? The traffic should be SNATed behind the floating IP address of the egress VLAN.
I would recommend using tcpdump to check what is going on.
tcpdump -nni 0.0:nnnp host 10.1.1.14
- SamFok (Altostratus)
Thanks Martin,
It may be due to the F5 LTM being deployed as single NIC in GCP, where:
10.1.1.14: LTM IP (single NIC)
10.1.1.15: DVWA IP
XX.XX.XX.XX: masked public IP of my computer
I captured the said tcpdump as attached; in the last few entries,
------------------------------------------------
10:25:00.492238 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 10, ack 2, win 222, options [nop,nop,TS val 1013071 ecr 2516564255], length 0 in slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094
10:25:00.492248 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 1908046924, ack 2, win 222, options [nop,nop,TS val 2592968267 ecr 2516564255], length 0 out slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094
10:25:00.492398 IP 10.1.1.15.80 > 10.1.1.14.43358: Flags [.], ack 1908046925, win 1018, options [nop,nop,TS val 2516564255 ecr 2592968267], length 0 in slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094
10:25:00.492407 IP 10.1.1.15.80 > 10.1.1.14.43358: Flags [.], ack 11, win 1018, options [nop,nop,TS val 2516564255 ecr 1013071], length 0 out slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094
------------------------------------------------
It does see back-and-forth communication between the LTM and DVWA servers.
Any comment? Thx.
Br,
Sam Fok
- Martin_Šebek (Altostratus)
Check the status of the pool you are sending traffic to. In the tcpdump output you can see resets with cause "No pool member available". So it looks like BIG-IP has marked all pool members as down and therefore the whole VS is unavailable.
- Richard_Tocci (Employee)
DVWA replies with a 302 by default, so the monitor won't work in this case. If you turn on monitor logging on the pool member, you'll see a message something like this:
[0][13152] 2023-06-23 08:00:06.439883: ID 24 :(_do_ping): time to ping, now=[1687525206.439594][2023-06-23 08:00:06], status=DOWN [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525206.438613][2023-06-23 08:00:06] last_ping=[1687525201.468029][2023-06-23 08:00:01] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10609 rcv_cnt=0 ]
[0][13152] 2023-06-23 08:00:06.439973: ID 24 :(_send_active_service_ping): pinging [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=none ]
[0][13152] 2023-06-23 08:00:06.439988: ID 24 :(_connect_to_service): creating new socket (rd0) [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 ]
[0][13152] 2023-06-23 08:00:06.440059: ID 24 :(_connect_to_service): connect: Operation now in progress [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.440082: ID 24 :(_do_ping): post ping, status=DOWN [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=16 pend=1 #conn=1 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525211.438613][2023-06-23 08:00:11] last_ping=[1687525206.439594][2023-06-23 08:00:06] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10610 rcv_cnt=0 ]
[0][13152] 2023-06-23 08:00:06.440586: ID 24 :(_main_loop): Activity on pending service, now=[1687525206.440575][2023-06-23 08:00:06] [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 fd=16 pend=1 #conn=1 ]
[0][13152] 2023-06-23 08:00:06.440603: ID 24 :(_send_active_service_ping): pinging [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.440620: ID 24 :(_send_active_service_ping): writing [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ] send=GET /\x0d\x0aHTTP/1.1\x0d\x0aHost: \x0d\x0aConnection: Close\x0d\x0a\x0d\x0a
[0][13152] 2023-06-23 08:00:06.440641: ID 24 :(_send_active_service_ping): sent ping [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=16 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525211.438613][2023-06-23 08:00:11] last_ping=[1687525206.439594][2023-06-23 08:00:06] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10610 rcv_cnt=0 ]
[0][13152] 2023-06-23 08:00:06.442031: ID 24 :(_main_loop): Service ready for read, now=[1687525206.441995][2023-06-23 08:00:06] [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 fd=16 pend=0 #conn=0 ]
[0][13152] 2023-06-23 08:00:06.442056: ID 24 :(_recv_active_service_ping): reading [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.442089: ID 24 :(_recv_active_service_ping): read failed [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.442130: ID 24 :(shutdown_service) Closing logging file /var/log/monitors/Common_http_dvwa-Common_10.1.20.17-80.log
Adjust your monitor to look for the redirected URL:
GET /login.php\r\nHTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
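As an added example (not code from the thread, from F5 or from DVWA), the check Richard describes can be reproduced locally: a constructed DVWA-like server answers 302 on / and 200 on /login.php, and a small probe mimics the monitor's send/receive strings, showing why a probe of / leaves the member down while /login.php satisfies the monitor. The receive string "HTTP/1.1 200", the well-formed HTTP/1.1 send strings and the helper names monitor_send_string and monitor_probe are assumptions of this example.

```python
# Added example: emulate the BIG-IP HTTP monitor's send/receive check against a
# constructed DVWA-like server (not F5's monitor code and not DVWA itself).
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class DvwaLike(BaseHTTPRequestHandler):
    """Constructed stand-in: redirect / to /login.php, serve the login page."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        if self.path == "/":
            self.send_response(302)          # what DVWA does by default
            self.send_header("Location", "/login.php")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/login.php":
            body = b"<html><title>Login :: DVWA</title></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the stand-in quiet
        pass

def start_server():
    """Serve the stand-in on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), DvwaLike)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def monitor_send_string(path):
    """Hypothetical helper: a monitor send string that GETs the given path."""
    return f"GET {path} HTTP/1.1\r\nHost: dvwa\r\nConnection: Close\r\n\r\n"

def monitor_probe(host, port, send_string, receive_string="HTTP/1.1 200"):
    """Mimic the monitor: connect, write the send string, read to EOF, then
    search for the (assumed) receive string. Returns (member_up, status_line)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(send_string.encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return receive_string.encode() in data, status_line
```

Probing / returns (False, "HTTP/1.1 302 Found"), so the member stays down; probing /login.php returns (True, "HTTP/1.1 200 OK").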