Has anyone out there experienced a similar issue? I'm testing 11.4.1HF3 and 11.5.0 for a replacement APM installation. The APM works fine for Citrix (No web interface, the webtop is configured for citrix remote desktops). When I put VMWare View remote desktops on the webtop, the citrix still works, but the VMWare View ones showup as a broken icon. Looking at the traffic between APM and the VMWare brokers, we see the request sent, and then the connection closes... Using the exact same request via curl (From the APM server) results in the XML response coming back correctly... Anyone got any idea what the VMWare View broker is expecting? Literally the only thing different between curl (Working) and APM (Not working, is the User Agent, accepts and Content-Type headers... But I can't believe I'm the only one as F5 Supporta re yet to find any errors in my config... (And it's not like the deployment guides for VMWare View are any more involved than Citrix or ahave anythign ultra special in them). This isn't a problem with the PCoIP traffic. We can't even get that far. It's the initial request from Client to Broker that's failing.. H

Hamish, It definitely should work. Have you provided vdi debug log to F5 support? vdi debugging is turned up from tmsh: tmsh modify sys db log.vdi.level value debug Don't forget to turn it back to notice after you're done troubleshooting. Also, what version of VMware View are you testing with? If you upload qkview with debug log information to iHealth, message me the link and I will take a look - have not seen that issue before at all.

yeah. It's a weird one... F5 Support have all the debugs. but they seem as stumped as me... I'd like to blame the VMWare itself. But hard to when it looks like bigip is closing the connection and resetting it. Plus curl manages to get a response... I think they're running 5.0? (The broker Version reported in the XML from the response curl gets is 7.0, but I don't know how that relates to VMWare View version) I'll upload a qkview (Need to generate a new one, I've just put 11.5.0 on there. Not sure I like it... I know they won't let me use 11.5 in production until at least 1 HF rollup comes out :) ) H

Hamish, Actually, it's extremely important to find out what version of View they are running, because only View 5.2 or later is supported - 5.0 is not supported and does not work.

Yeah. Any browser, any OS... MacOSX 10.9.2 and Safari MacOSX 10.9.1 and Safari Also Firefox, and Chrome with the above two OS's Plus Windows. XP and 7. Using IE, Firefox & Chrome. Pretty much a full house... haven't tried a direct VMWare View Client. It's all browser access at the moment.

No Reply from VMWare View broker...

15 Replies

Hamish
Cirrocumulus
Mar 03, 2014
Yes
Not exactly. I have a webtop. Up till friday the view connection broker wouldn't respond. By adding in client certs to a new the server_ssl profile it started to respond. Might have been VMWare config perhaps (We got strange cert auth errors until I did that. Maybe it was SSL level negs. Same request worked fine with curl, UNLESS you disabled TLS (i.e. would;t work with SSLv2 or SSLv3). Since Saturday (Change of server_ssl profile), the broker works. HOWEVER it only works for HTML5 client. Not for Horizon View from web top (Connection opens and the VDI RESETS (tcp reset) the connection to APM after about 150ms.
That's correct. A SNAT pool doesn't work. It doesn't matter WHAT I specify for SNAT. The BigIP's selfip is ALWAYS used (There is no floating selfip the APM is stand-alone currently. Will be 3 of them load-balanced by GTM eventually).
Any cert. I'm going to play more. It may be tied to versions of SSL enabled on the profile. But VMWare doesn't log WHY it closes connections. It just does... Grr..

Note. I don't believe this is an APM problem now (Except in as far as a config error at APM could be causing it, but the lack of logs from VMWare explaining WHY it's closing the connection is... annoying...

We're getting closer... Different connections closing now... But the connection broker works...
Andrey_Terentye
Historic F5 Account
Mar 03, 2014
Thanks for this information.

It looks like there are several problems here:

SNAT pool is not working
Horizon View client time outs establishing connection from APM Webtop
HTML5 client uses port 22443. I assume you mean the connection from APM to View Desktop. This should be documented by VMware.
There is some mysterious problem on SSL layer.

I wonder if (4) is caused by configuration on View Connection Server? I only have 5.2 environment and I can't recall any such certificate option in GUI except for SmartCard auth which APM does not support at the moment. I assume it's something else - but still worth checking. Also, there are a bunch of options that VCS does not expose to GUI - they are configured via "locked.properties" file somewhere under VCS installation folder. Maybe you have something there?
Hamish
Cirrocumulus
Mar 03, 2014
Agreed.
Not timeouts. You can see the connections made. VMWare RESETS (tcp reset) the connections AFTER they're established.
HTML5 works. No issues with that. Yes, over tcp/22443
Well, there was an issue. I need to do some more investigation to find out WHAT was wrong with the server_ssl profile. Probably a setting in VMWare somewhere. But we haven't found out what yet...

H
scott_messler_1
Nimbostratus
Jul 14, 2015
Hamish,

It appears we are having a similar issue with the F5 timeout when connecting to a VMware View 5.3 connection server. The strange part is I can authenticate to APM and from the APM logs the connection was sent down the correct allowed branch but then I receive a connection with the server was terminated abnormally View error. Just curious if you ever found a solution.

Thanks, Scott
Hamish
Cirrocumulus
Jul 15, 2015
Umm... yeah. There's a couple of other postings around here on what we had to do. I keep meaning to try & have words with the devs about making sure that the logs from APM mean something and provide meaningful info when you're trying to debug things. There's a few places where the logs are just a wee bit too subtle.

The biggest things I found were

Missing the server name being set in the PCOIP ssl profile used for connecting to the server
Adding either an AVR or logging profile to the VS (Silent failures)

2 is more likely... It just breaks. I added a custom iRule to log the info. I suspect that when the PCoIP stream is started the AVR/Log profile isn't disabled, and they abort the stream because they can't interpret the traffic (I still dislike that feature/bug).

Hamish

Forum Discussion

No Reply from VMWare View broker...

15 Replies

Recent Discussions

Deleting Old Certs

redirect irule

Pool Members communication with B-party via F5 VIP

GCP F5 deployment - Active -Active with config Sync

GSLB - Monitoring LTM VIP load balancing via iRule

Related Content

Downloading VE for VmWare

Home Lab Server Build Using an Intel NUC and Free VMware ESXi 7

Getting Started with BIG-IP Next: Installing Central Manager on VMware ESXi

F5 StoreFront XML Broker Monitor

Getting Started with BIG-IP Next: Installing Instances on VMware ESXi