no outbound traffic pool

Question

Hello,&nbsp;Kindly help me solve this issue please.My pool member is not getting any outbound traffic. Inbound traffic is ok.--Below the vs config&nbsp;ltm virtual VS_force {destination xxxxxxxx:443ip-protocol tcpmask 255.255.255.255pool POOL_forceprofiles {clientSSL {context clientside}http { }tcp { }}source 0.0.0.0/0source-address-translation {type automap}translate-address enabledtranslate-port enabledvs-index 87}--Below the pool configltm pool POOL_force {members {NOD_force {address xxxxxxsession monitor-enabledstate up}}monitor tcp}Thanks in advance.

kevin_stewart · Answer

Let us analyze this from a traffic flow perspective. As a proxy, and in this configuration, the BIG-IP is going to both NAT and SNAT the traffic to the pool member. So let's use some comcrete examples:

BIG-IP external self-IP: 188.188.1.1
VIP address: 188.188.1.100
BIG-IP internal self-IP: 192.168.1.1
Pool member: 192.168.1.100

Traffic arriving at the BIG-IP VIP has the true client IP and a destination IP of 188.188.1.100 (the VIP). The VIP takes the traffic, decrypts, selects a pool member, NATs (changes the destination address to 192.168.1.100), and then SNATs (changes the source address to 192.168.1.1). So at the pool member, it sees a destination IP of itself, coming from the internal self-IP of the BIG-IP. If you tcpdump at that internal VLAN between the BIG-IP and the pool member, you should see exactly this:
tcpdump -lnni &lt;internal vlan&gt;
It would be useful to do this tcpdump to observe what's actually happening. You might see the client requests coming in, but maybe not going out? Or you might only see health monitor traffic? Either of these will increment the inbound traffic counters.
If you see client traffic coming in, but nothing coming back:

Is it because the pool member is expecting TLS but you're not re-encrypting? In this case you might see a completed TCP 3-way handshake but then a RST directly after.
Is it because the pool member is not correctly configured to respond? You could do a curl request from the BIG-IP shell to the server to see if it can respond.

&nbsp;

buulam · Answer

Hey&nbsp;sbroulaye&nbsp;, you're trying to configure the ability for your pool members to initiate traffic destined outbound?

kevin_stewart · Answer

it's hard to say for sure, but since the .18 (presumably) monitor traffic is doing well, it would seem as if the server never completes the TCP 3WH for the .16 request. I also see two different ports (32255 and 32270). Are you certain the server can respond on that port, or isn't in any way configured to block .16? If this is a web app, can you curl to it from the BIG-IP?
curl -vk http://172.17.31.254:32255

sbroulaye · Answer

Hi&nbsp;buulam, NO !The problem is that when clients are web browsing to the VS, the page is showing&nbsp;ERR_CONNECTION_RESETWhen I check the statistics of the pool, there is inbound hits but no oubound traffic (0)Hope you understand, I'm new in BIG-IP management.

sbroulaye · Answer

Thanks Kevin for this insightful explanation.Please find in attachment the logs I collected from the tcpdump input you asked to do.I would like to know why the pool member (172.17.31.254) is communicating both with the self ip (172.17.31.18) and the floating ip (172.17.31.16). Because our BIG-IPs are in HA active/active mode, so the traffic to the pool member is going through the floating ip.Thanks in advance.

Forum Discussion

no outbound traffic pool

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

How to Create IRule to divert traffic between Pools based on XFF Header

Traffic Shaping and Atlassian Jira

Logging TLS traffic less than TLSv1.2

SNAT for outbound connections from members to internet and intranet

F5 Inspects All Outbound Traffic

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS