Forum Discussion
From Server, Contact the Web Site hosted on this same Server by the public IP of VS
Hello,
Sorry for my English.
I'm trying to contact the web site hosted on ServerA, which is in the private network, by its own VS (public IP).
Example: The web site hosted on ServerA is accessible from the internet by a VIP on our LineController.
I'm trying to contact this web site (with public IP resolution) on ServerA from ServerA without adding an entry in the hosts file, but it doesn't work.
All internet traffic from the server is routed by the LineController to the internet.
Could you explain to me why I cannot contact its own public VIP from the server itself?
Thanks for your answers.
- youssef1
Cumulonimbus
Hi Abdel,
First of all, it depends on your DNS resolution.
So from your internal network, check the following points:
- DNS resolution of your entry: you should resolve to the external IP (that means that you have to set this entry in your internal DNS).
  nslookup ServerA
- If the DNS resolution works fine, check flow/routing/fw.
- You can also check your proxy PAC; maybe you have an exception for the internal domain and you try to reach it directly without passing by the outside...
Regards,
Hi abdel,
this is most likely an asymmetric routing issue, which is by design if you don't have any Source NATs in place.
Request: ServerA -> (SRC_IP=A -> DST_IP=X) -> F5 -> (SRC_IP=A -> DST_IP=A) -> ServerA
Response: ServerA -> (SRC_IP=A -> DST_IP=A) -> ServerA
Since ServerA has never created a connection to itself, the connection will simply break.
The solution would be to enable SNAT globally on the Virtual Server or via an iRule if the SRC_IP is matching certain subnets (those which would otherwise experience asymmetric routing issues).
Cheers, Kai
- abdel_387674
Nimbostratus
The result of my tcpdump on the LC
Server Private IP is 10.90.0.1
Virtual Server IP 213.0.0.1

16:42:07.527950 IP (tos 0x0, ttl 63, id 7912, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x3c81 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479708694 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=
16:42:08.526658 IP (tos 0x0, ttl 63, id 7913, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x3b87 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479708944 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=/Common/VSTEST
16:42:10.530118 IP (tos 0x0, ttl 63, id 7914, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x3992 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479709445 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=/Common/VSTEST
16:42:14.541970 IP (tos 0x0, ttl 63, id 7915, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x35a7 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479710448 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=/Common/VSTEST
16:42:19.527582 IP (tos 0x0, ttl 255, id 50747, offset 0, flags [DF], proto TCP (6), length 40) 213.0.0.1.http > 10.90.0.1.52729: Flags [R.], cksum 0x2f91 (incorrect -> 0x09e0), seq 0, ack 1831942911, win 0, length 0 out slot1/tmm0 lis=/Common/VSTEST
- abdel_387674
Nimbostratus
Thank you so much, Youssef and Kai Wilke.
The SNAT is the solution.
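
An added example, not part of any post in this thread: a small Python check for the pattern visible in the capture above (the same SYN retransmitted, no SYN-ACK seen, then a reset from the virtual server). The sample lines are constructed and shortened from the shape of that capture; the second flow (10.90.0.7) and the function name `classify_flows` are assumptions for illustration.

```python
import re

# Constructed sample: shortened lines shaped like the capture in the thread
# (client 10.90.0.1, virtual server 213.0.0.1). The 10.90.0.7 flow is invented
# to show a handshake that does get answered.
SAMPLE = """\
16:42:07.527950 IP 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], seq 1831942910, win 29200, length 0
16:42:08.526658 IP 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], seq 1831942910, win 29200, length 0
16:42:10.530118 IP 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], seq 1831942910, win 29200, length 0
16:42:19.527582 IP 213.0.0.1.http > 10.90.0.1.52729: Flags [R.], seq 0, ack 1831942911, win 0, length 0
16:43:01.000100 IP 10.90.0.7.40000 > 213.0.0.1.http: Flags [S], seq 500, win 29200, length 0
16:43:01.000900 IP 213.0.0.1.http > 10.90.0.7.40000: Flags [S.], seq 900, ack 501, win 4380, length 0
"""

# Matches "src > dst: Flags [..]" in both short and verbose (-v) tcpdump lines.
PKT = re.compile(r"(\S+) > (\S+): Flags \[([^\]]+)\]")

def classify_flows(text):
    """Return {(client, server): {"syn": n, "verdict": str}} per SYN-initiated flow."""
    flows = {}
    for line in text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if flags == "S":                      # client SYN or its retransmission
            st = flows.setdefault((src, dst), {"syn": 0, "synack": False, "rst": False})
            st["syn"] += 1
        elif (dst, src) in flows:             # packet returning towards the client
            st = flows[(dst, src)]
            st["synack"] |= flags == "S."
            st["rst"] |= "R" in flags
    result = {}
    for key, st in flows.items():
        if st["synack"]:
            verdict = "handshake answered"
        elif st["syn"] > 1 and st["rst"]:
            # Consistent with the missing return path described in the thread;
            # it is a hint to check SNAT/routing, not proof of the cause.
            verdict = "SYN retransmitted, never answered, then reset"
        else:
            verdict = "SYN unanswered"
        result[key] = {"syn": st["syn"], "verdict": verdict}
    return result

if __name__ == "__main__":
    for (client, server), info in classify_flows(SAMPLE).items():
        print(f"{client} -> {server}: {info['syn']} SYN(s), {info['verdict']}")
```
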