
Forum Discussion

0_169865
Sep 11, 2014

Noob: Website is not available.

Hi all, Very new to f5 equipment and have run directly into a snag.

Here's what I have (not my real IPs):

Untrust IP: 6.6.6.41
Production trust IP: 1.1.1.1
DMZ IP: 2.2.2.1

Untrust VIP: 6.6.6.42 maps to DMZ IP 2.2.2.15 (f5 virtual server pool)
Untrust VIP: 6.6.6.44 maps to Prod IP 1.1.1.142 (Web Server)

Policy allowing http port 80 from untrust to VIP 6.6.6.44 (f5) and VIP 6.6.6.42 (direct to web server)

F5 virtual server 1 internal node: 1.1.1.142
Source IP: 2.2.2.15
Pool: http

I can telnet to port 80 to both VIPs.
I can browse to the website on 6.6.6.42 (this rules out firewall issues).
When I browse to the website that points to the f5 VIP I get website not available.

What am I doing wrong here? What can I do to see what the problems might be? I am green behind the ears and appreciate any input anybody has!

4 Replies

  • Alrighty, first thing first, need to clarify the situation:

    So, we have some F5 gear, is it just LTM (load balancing) or AFM (Firewall)?

    Next, the network:

    External/Client IPs: (looks like you call them Untrust IPs?) 6.6.6.41

    Virtual Server IPs:
    6.6.6.42 - Direct to Webserver.. do you mean it goes around the F5 device? Or is it a fastl4 virtual server?
    6.6.6.44 - Says maps to Prod IP 1.1.1.142. Do you mean this virtual server has a pool assigned to it, that contains the pool member 1.1.1.142?

    Pool Members: 1.1.1.142:80 ?

    So... Quick DL on a basic Load Balanced HTTP server Setup.

    3 Components: Clients, Virtual Server, Pool

    ------Clients: Where your traffic sources from, say IP: X.X

    ------Virtual Server: Listener on the LTM that is listening for connections from the Clients. In the case of an HTTP setup, we'd have something like:

    IP: y.y.y.y
    Port: 80
    Snat: Automap (often needed to clear up asymmetric routing issues. Can explain more, but that's another conversation)
    Http Profile: HTTP

    -----Pool: Contains the IPs of the actual webservers and the port they are listening on. In case of basic HTTP:

    IP: z.z.z.z
    PORT: 80
    Monitor: HTTP (checks to be sure the member can be reached by the F5)

    So the traffic path looks like:

    Client X.X -----> LTM VS Y.Y.Y.Y:80 ---> POOL Member z.z.z.z:80

  • Josh, I apologize for the delayed response. You hit the nail on the head, it was the SNAT. Automap fixed it right away. Is there a way to give you credit for the help?

    Also, I have another problem I'm trying to work out. I'm taking the online classes, but you may be able to answer right away. I have a SharePoint farm; the config looks like this:

    Web front end
    Web 01: 10.1.1.11
    Web 02: 10.1.1.12

    Various IIS sites using host headers:
    test1.contoso.com:5678 - utilizing ssl
    test2.contoso.com:5687 - utilizing ssl

    Going through the firewall, directly to the web site, it works correctly. Going through the f5, it goes to the default site IIS web page.

    I really have no idea what I'm doing, but I'm sure I have it configured wrong.

  • Hi, can you clarify the question? What is the traffic flow/setup? Is a virtual server configured and a pool assigned to it? What is your virtual config?

  • Hi Josh and SynAck, I apologize for the long delay, I am a SharePoint noob as well and it turned out to be my SharePoint alternate access mappings.

    But for transparency, I have an http pool set up with two backend nodes. All defaults. I have an http virtual server, all defaults except the Automap SNAT.

    Cool stuff, a lot to learn and test. Thanks for your help, really appreciate it!
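
One way to check from the server side whether SNAT is in effect, as an added example that is not part of any post in this thread: a Python check over `tcpdump -n` output captured on the pool member that reports, per flow, whether SYNs arrive from the client's own address or from a BIG-IP self IP and whether the handshake completes. The capture lines, the client 198.51.100.7 and the self IP 2.2.2.2 are constructed assumptions; only 1.1.1.142:80 comes from the thread.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` lines as seen on pool member 1.1.1.142 (not from the thread).
# 198.51.100.7 is a made-up client; 2.2.2.2 is an assumed BIG-IP self IP.
CAPTURE_NO_SNAT = """\
10:00:00.000001 IP 198.51.100.7.51000 > 1.1.1.142.80: Flags [S], seq 100, length 0
10:00:00.000090 IP 1.1.1.142.80 > 198.51.100.7.51000: Flags [S.], seq 900, ack 101, length 0
10:00:01.000300 IP 198.51.100.7.51000 > 1.1.1.142.80: Flags [S], seq 100, length 0
10:00:03.000700 IP 198.51.100.7.51000 > 1.1.1.142.80: Flags [S], seq 100, length 0
"""
CAPTURE_AUTOMAP = """\
10:05:00.000001 IP 2.2.2.2.40001 > 1.1.1.142.80: Flags [S], seq 500, length 0
10:05:00.000080 IP 1.1.1.142.80 > 2.2.2.2.40001: Flags [S.], seq 700, ack 501, length 0
10:05:00.000900 IP 2.2.2.2.40001 > 1.1.1.142.80: Flags [.], ack 701, length 0
"""

PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def diagnose(capture, member="1.1.1.142", port="80", self_ips=("2.2.2.2",)):
    """Classify each flow toward the pool member by source address and handshake state."""
    syns = Counter()   # (src_ip, src_port) -> SYNs received by the member
    acked = set()      # flows whose bare ACK reached the member (handshake done)
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if (dst, dport) != (member, port):
            continue   # ignore the member's own replies and unrelated traffic
        if flags == "S":
            syns[(src, sport)] += 1
        elif flags == ".":
            acked.add((src, sport))
    report = {}
    for flow, count in syns.items():
        if flow in acked:
            state = "established"
        else:
            state = "syn-retransmit" if count > 1 else "syn-only"
        # snat=False: the member answers the client address directly, so the reply
        # only returns through the LTM if the member's gateway is the LTM.
        report[flow] = {"snat": flow[0] in self_ips, "state": state}
    return report

if __name__ == "__main__":
    for name, cap in (("no SNAT", CAPTURE_NO_SNAT), ("Automap", CAPTURE_AUTOMAP)):
        print(name, diagnose(cap))
```

A flow with `snat` False that stays in `syn-retransmit` is what an asymmetric return path looks like from the server side: the member keeps answering, but the answers never get back to the client through the LTM.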