For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dipta_03_149731's avatar
dipta_03_149731
Icon for Nimbostratus rankNimbostratus
Jul 20, 2015

Members are marked down by LTM wheres telnet works

I have created simple Virtual server set up where the VIP is in 172.17.51.x subnet and self IPs are in 172.27.51.x subnet. Servers are in 172.30.220.x subnet hence we have added FW rules to allow the communication from LTM to servers.

 

virtual VS_sbce.xxx.co.uk_HTTP { snat automap pool POOL_sbce.xxx.co.uk_HTTP destination 172.27.51.x:http ip protocol tcp partition SecureSync profiles http tcp }

 

pool POOL_sbce.xxx.co.uk_HTTP { min active members 1 monitor all http partition SecureSync members 172.30.220.x:http priority 1 }

 

Status of pool member:

 

+-> POOL MEMBER POOL_sbce.ironmountain.co.uk_HTTP/172.30.220.x:http inactive,addr down | session enabled priority 3 ratio 1 | (cur, max, limit, tot) = (0, 0, 0, 0) | (pkts,bits) in = (0, 0), out = (0, 0) | requests (total) = 0

 

Telnet to the server works fine but ping fails. [didey@UKMKSF5MGT01:Active] ~ telnet 172.30.220.x 80 Trying 172.30.220.65... Connected to 172.30.220.65. Escape character is '^]'. ^] telnet> quit Connection closed.

 

Any idea should I look at ICMP part. The server is amrked Offline/Parent down by LTM.

 

3 Replies

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jul 20, 2015

    It appears from your configuration that you are trying to monitor via http, so you will need to test your monitor string from the command line with curl to your servers. Make sure your http monitor is configured in a way that your server will respond successfully. Check troubleshooting monitors.

     

  • gsharri's avatar
    gsharri
    Icon for Altostratus rankAltostratus
    Jul 20, 2015

    It sounds like there is an ICMP monitor marking the nodes down. What are the nodes status? If they are down (red diamond shape) then try removing the ICMP monitor from the nodes (Local Traffic>Nodes>Default Monitor) and see if the http pool becomes available/green. If so then most likely ICMP is being blocked somewhere on your network. It is not required to monitor nodes, as long as the pool monitor is working correctly the members will be available.

     

  • dipta_03_149731's avatar
    dipta_03_149731
    Icon for Nimbostratus rankNimbostratus
    Jul 20, 2015

    Yes Scott, you are right ICMP is not allowed for this particular environment and I could see gateway_icmp monitor on the node . I just removed it and configured http monitor.

     

    Jason thanks for your response as well. I had to test the http monotir through curl and tweak the GET and receive string.

     

    All working fine now. Thanks a lot to both of you!!