For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dj_22414's avatar
dj_22414
Icon for Nimbostratus rankNimbostratus
Aug 28, 2009

Regarding load bal resetting connection ....

Hi,

 

I am having weird issue wrt F5 LTM settings.

 

I have F5 set up as SSL terminator, and there 2 Apaches behind virtual server configured on F5. Apache's are running on port 80.

 

 

Now, SSL is working well, and I could browse around the application in the browser on HTTPS.

 

But, at one point, application launches a popup, i.e. nothing but certain module of same app. The issue is, this popup shows correct data as long as data is coming from same server. If server for some reason returns 302, this popup shows a screen with message connection reset by server.

 

In Apache log, I do see 302 being sent in response. I added irule in LTM to see if load bal receives it or not, and surprisingly load bal did not receive this 302.

 

 

I am perplexed with this behavior as why this happens on 302s, and overall logic behind connection reset, and missing 302 from LTM logs.

 

 

I came across something called SNAT config, but not sure if that is right way to go as am at loss in coming up with logic for current behavior. Any help would be greatly appreciated.

 

 

Regards,

 

Dhananjay.
config
design

4 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 28, 2009
    Hi Dhananjay,

     

     

    If Apache is sending a 302 response to the LTM but you don't see the response being parsed on LTM, I'd suggest capturing tcpdumps on the web server and each VLAN that the traffic passes the LTM through. You can use syntax like:

     

     

    tcpdump -i 0.0 -s 0 -w /var/tmp/ltm.1.dmp host CLIENT_IP or host SERVER_IP

     

     

    If you need help capturing or analysing the tcpdump, you can open a case with F5 Support.

     

     

    Aaron
  • dj_22414's avatar
    dj_22414
    Icon for Nimbostratus rankNimbostratus
    Aug 28, 2009
    Hi Aron,

     

    Thanks for the prompt response.

     

    I will certainly try this. There are no extra hops in between to swallow 302.

     

    But, could be the case that LTM is resetting connection for whatever reason, and also forgoing 302 from Apache.

     

    Is there need to have SNAT configured?

     

    Regards,

     

    Dhananjay.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 28, 2009
    If you get any response via the VIP to the Apache web server the routing should be fine. tcpdumps should give you enough information to continue troubleshooting the issue.

     

     

    Aaron
  • dj_22414's avatar
    dj_22414
    Icon for Nimbostratus rankNimbostratus
    Aug 28, 2009
    Hi Aaron,

     

     

    Noticed a weird thing in tcpdump.

     

     

    Followed by 302 form Apache, there is ACK.

     

    But, there are 2 consecutive RSTs sent. It means that load bal closed the connection unexpectedly ...

     

     

     

    is this correct interpretation, and any clues on what could be going on here?

     

     

    Regards,

     

    Dhananjay.