Forum Discussion

Bastien_124165
Nimbostratus
Aug 14, 2013

SSL server profile with external website

Hello,

I'm trying to configure a VIP with an SSL profile on the client and server side. The backend node is a production external HTTPS website.

I configured clientssl for the client SSL, but everything I tried for serverssl didn't work.

How should I configure it?

Thanks!

--edit: not sure what happened, lost my original post

 

17 Replies

  • OK, I am not well-versed in using interface "0.0" - I just copied that from Nathan. Perhaps that is why you aren't seeing any traffic. Personally, I would reference the name of my external VLAN in the tcpdump command, which for me is named "external", like this:

    tcpdump -nni external host 74.125.131.94

    Also, what is the process you are using to test this VIP? Are you hitting http://192.168.10.233 with a browser, or curl, or some other browser-like tool? Since you applied an HTTP profile, the LTM is expecting to receive a full and valid HTTP request before it opens up a connection with the Pool Member. So if you don't send a full HTTP request to the VIP, you won't see a connection to the Pool Member.

    One final note... it looks like you're running V11, which I have no experience with. So there may be something I'm not aware of (like "Source" - I don't know what that is or what it does).

  • nathe
    Cirrocumulus

    I'm using 11.2.x and I don't see a Source field. Presume this is an 11.3 or 11.4 feature? Is it an ACL or something related to the AFM module? Will have to look into this.

    Anyway, 0.0 captures traffic on all interfaces, but smp is right, you may as well be more specific.

    You've shown the VS and node details, but what about the pool? I presume the pool member is up? What monitor do you use here?

    Is the traffic traversing any firewalls past the F5 which may be blocking the connection? Or at least proving that the traffic is leaving the F5 (from the fw logs)?

    N

  • nathe
    Cirrocumulus

    smp - it was introduced in 11.3

    Description = Specifies one or more specific client (source) addresses from which the virtual server accepts traffic. Note that although you can specify values for both the Source and Destination settings, a destination match takes precedence over a source match. That is, a virtual server with more specific destination matching is selected over a virtual server with more specific source matching.
    
    Default Value = any/0 (IPv4) or any6/0 (IPv6)
    
  • If this is a LOCAL virtual server that's intended to provide access to a REMOTE service (www.google.ca), then there are a few things to consider:

    1. Does the BIG-IP have access to the Internet? Have you configured a default route? And can you cURL to https://74.125.128.94 from the BIG-IP command line?

    2. You probably don't need SNAT since Google will have no choice but to route back to you. Though SNAT shouldn't hurt you either way.

    3. Google has a tendency to use a lot of servers for a single service, and not always the same IPs. Statically mapping www.google.ca to a single IP address may a) break Google-initiated redirects to other URLs and page content that also lives somewhere else, and b) suffer a potential outage when Google changes its IPs. I also wouldn't put money on them always responding to pings.

  • Thanks guys, I ended up configuring a new route through a vlan and it's working now.
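The configuration the thread circles around (default route, pool with a sensible monitor, serverssl profile, VIP with clientssl on one side and serverssl on the other), pulled together as one tmsh example. This is an added example, not configuration posted by anyone in the thread or shipped by F5. The object names (www_google_ca, pool_google_ca, ssl_to_google, vs_google_ca), the gateway 10.0.0.1 and the CA bundle ca-bundle.crt are assumptions; the addresses 74.125.131.94 and 192.168.10.233 are the ones quoted above. One caveat the thread does not mention: a serverssl profile created from the default does not verify the backend's certificate, so a VIP fronting an external site will happily hand client traffic to whatever answers on the far side; peer-cert-mode require and a CA bundle close that hole.

```tmsh
# Added example (tmsh, BIG-IP v11 syntax); names and 10.0.0.1 are assumptions.

# 1. Default route so the BIG-IP itself can reach the Internet - the fix the
#    original poster ended up with. 10.0.0.1 is an assumed gateway on the
#    external VLAN.
create net route default network default gw 10.0.0.1

# 2. Node and pool. Pinning one Google IP is only for the test (see point 3 in
#    smp's reply). The https monitor does a TLS handshake plus an HTTP GET, which
#    is more trustworthy than icmp against a host that may not answer pings.
create ltm node www_google_ca address 74.125.131.94
create ltm pool pool_google_ca members add { www_google_ca:443 } monitor https

# 3. Server-side SSL profile. The built-in serverssl profile leaves
#    peer-cert-mode at "ignore", i.e. no validation of the backend certificate.
#    Require it, point at an imported CA bundle (ca-bundle.crt assumed to exist
#    in the filestore) and send SNI so the remote site presents the right cert.
create ltm profile server-ssl ssl_to_google defaults-from serverssl \
    server-name www.google.ca peer-cert-mode require ca-file ca-bundle.crt

# 4. Virtual server: clientssl on the client side, the profile above on the
#    server side, an http profile so the LTM parses requests before it opens the
#    server-side connection, and SNAT automap so replies from the Internet come
#    back to the BIG-IP even when clients sit on private addresses.
create ltm virtual vs_google_ca destination 192.168.10.233:443 ip-protocol tcp \
    profiles add { http { } clientssl { context clientside } ssl_to_google { context serverside } } \
    pool pool_google_ca snat automap

save sys config
```

To verify in the order the replies suggest: first `curl -vk https://74.125.131.94/` from the BIG-IP shell to prove the route works, then `curl -vk https://192.168.10.233/` from a client while `tcpdump -nni external host 74.125.131.94` runs on the BIG-IP. Because of the http profile, no server-side packets appear until a complete HTTP request has arrived on the VIP, which is the symptom smp describes when testing with a bare TCP connection.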