Forum Discussion

kismiss
Sep 19, 2023

Failed to connect via GTM/LTM

Hi All,

We have a vertical Kubernetes cluster and put F5 (GTM/LTM) in front of the cluster. Service-to-service calls go to GTM/LTM before going to the microservice (workload/pod):

service A -> GTM/LTM -> service B

We have a problem: the call from service A cannot reach service B (Failed to connect). How can we debug/log from the GTM/LTM side (the network team cannot see the data packets because they're encrypted)?

If anyone can give advice, it will be appreciated.



8 Replies

  • You can also try making the F5 behave like a web browser by using the cURL command (See URL)

    curl -kv https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP>


    The cURL help is your friend  

    curl --help

    Some of the more common options are:

    -v for verbosity
    -k to ignore certificate issues
    -d to issue a POST with POST payload data
        curl -vk -d 'user=admin&password=admin' https://<vip fqdn>/
    -X to explicitly define the request method
        curl -vkX POST -d 'user=admin&password=admin' https://<vip fqdn>/

    The -v option is going to be your best tool for troubleshooting monitors. You'll of course want to perform captures to see what the monitor is actually sending and receiving, and curl -v will allow you to simulate these requests.


  • Hi,

    So let's break this down. From this flow

    service A -> GTM/LTM -> service B

    can you confirm you have GTM set up with a suitable FQDN? So we are checking DNS.
    So from service A, can you nslookup the FQDN you want to get to and get the IP address you are expecting, which is hopefully your LTM VS VIP?
    Lastly, before we dig deeper, if you get a good IP back, can you ping that IP?
    Also check your service A server's DNS config - is it pointing to the correct place?

    • Paulius

      kismiss In addition to what PSFletchTheTek has asked, can you verify that the communication between service A and service B has to pass through the GTM/LTM in order for those two services to communicate? If the F5 is not in the path between those two services, you will have to configure SNAT on the virtual server in question from service A to service B, because that could be what is causing the issue. When configuring SNAT, I recommend using a snatpool that uses the IP of the virtual server that service A is attempting to connect to rather than AutoMap.

      • Amr_Ali

        kismiss In addition to Paulius's verification request, and if I understand correctly, you will need to configure the virtual server on the LTM module to perform the destination NAT to allow service A to reach service B,

        and if you can share the topology design, that will be useful in understanding the issue, as I think you use the F5 LTM/GTM modules to work as link controller functions

  • Dear PSFletchTheTek, Amr_Ali, Paulius, thanks for your quick response.

    Sorry, I need to clarify that this connection problem happens intermittently. Connections from service A to service B have actually already been established and many of them have connected successfully. However, there are some failed connections found in the service log, which is what I meant in the previous question. Therefore, I want to ask how to log/trace from F5.





    • Amr_Ali

      kismiss which type of virtual server did you configure to let service A reach service B?

      And you can use this command to check the connection between A and B:

       tcpdump -envi 0.0:nnnp -s0 host <IP of service A or IP of service B>

      or you can run this command to take a packet capture file:

       tcpdump -envi 0.0:nnnp -s0 -w /var/tmp/filename.pcap host <IP of service A or IP of service B>

      and then use the WinSCP program to connect to the LTM and check the capture file.
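
One way to catch the intermittent failures from the service A side while the capture above runs on the F5, as an added example that is not part of the original thread: a probe loop built on the `curl --resolve` command from the first reply that records which stage failed and the client source port, so the capture can be filtered to the failed attempts. The script layout, the 5-second timeout and the sample log lines are assumptions; the FQDN and VIP are supplied by the caller.

```shell
#!/bin/sh
# Added example: usage is ./probe.sh <vip fqdn> <vip IP> [count]

# Map a curl exit code to the connection stage that failed.
classify_exit() {
    case "$1" in
        0)     echo "ok" ;;
        6)     echo "dns" ;;                  # could not resolve host
        7)     echo "tcp-connect" ;;          # refused or unreachable
        28)    echo "timeout" ;;              # --max-time exceeded
        35)    echo "tls-handshake" ;;        # SSL connect error
        52|56) echo "reset-after-connect" ;;  # empty reply / receive failure
        *)     echo "other($1)" ;;
    esac
}

# One probe. Prints: timestamp stage remote_ip local_port t_connect t_tls http_code
probe_once() {
    out=$(curl -sk -o /dev/null --max-time 5 --resolve "$1:443:$2" \
        -w '%{remote_ip} %{local_port} %{time_connect} %{time_appconnect} %{http_code}' \
        "https://$1/")
    rc=$?
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $(classify_exit "$rc") $out"
}

# Count failed probes per stage from log lines on stdin.
summarize() {
    awk '$2 != "ok" { n[$2]++ } END { for (s in n) printf "%s=%d\n", s, n[s] }' | sort
}

# Constructed sample log (not real data) for trying summarize offline.
sample_log() {
    cat <<'EOF'
2023-09-19T10:00:01Z ok 192.0.2.10 50112 0.004 0.021 200
2023-09-19T10:00:02Z timeout  0 0.000 0.000 000
2023-09-19T10:00:03Z tls-handshake 192.0.2.10 50116 0.004 0.000 000
2023-09-19T10:00:04Z timeout  0 0.000 0.000 000
EOF
}

# Probe once per second only when an FQDN and VIP are given.
if [ $# -ge 2 ]; then
    i=0
    while [ "$i" -lt "${3:-100}" ]; do
        probe_once "$1" "$2"; sleep 1; i=$((i + 1))
    done | tee probe.log | summarize
fi
```

The timestamp and local_port of each failed line in probe.log give the network team a time and a client port to look for in the pcap, which works without decrypting the traffic.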

  • kismiss - thanks for following up. If your issue has been resolved please click Accept As Solution (multiples are ok) on the relevant replies. This helps our community in the future find good answers when they have the same problems.

    Thanks for joining and being a part of our community.