Forum Discussion
Unable to telnet to the VIP but ping works
Hi,
I have an issue where we have a VIP configured to listen on port 443. VIP status is up. We are able to ping the VIP but telnet to port 443 isn't working. Did a packet capture and found SYN packets flowing into the LTM but see no SYN-ACK response going out. Port-lockdown has been set to allow all and it's a standard VIP.
ltm virtual /Common/cloudv1.test_443 {
    destination /Common/10.10.10.5%1:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/test_pool
    profiles {
        /Common/uat_ssl {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
Also I tried to telnet to the self IP on the LTM on port 443 but it isn't responding either.
[root@LTMnew:Active:Standalone] config rdexec 1 telnet 10.10.10.5 443
Trying 10.10.10.5...
^C
[root@LTMnew:Active:Standalone] config rdexec 1 telnet 10.10.10.2 443
Trying 10.10.10.5...
telnet: connect to address 10.10.10.5: Connection refused
[root@LTMnew:Active:Standalone] config
Product: BIG-IP
Version: 11.5.1
Build: 5.0.147
Sequence: 11.5.1.5.0.147.0
BaseBuild: 0.0.110
Edition: Hotfix HF5
Date: Wed Oct 1 12:10:21 PDT 2014
Built: 141001121021
Do you think I missed some setting on the LTM?
- What_Lies_Bene1Cirrostratus
Any packet filters in play? AFM installed? Auto Last Hop disabled?
- parvez_70211Nimbostratus
Packet filter disabled. AFM not installed. Auto Last Hop enabled globally and default setting at the VIP level.
- parvez_70211Nimbostratus
We have ASM installed but the license has expired. Could this be an issue?
- What_Lies_Bene1Cirrostratus
Thanks. The VS isn't associated with ASM in any way based on the config output you posted so I doubt it but worth double-checking.
No HTTP profile assigned I see, is that by design?
I assume routing is configured such that the F5 routes back to wherever you're testing from, via the same interface?
FYI, the Port Lockdown setting has no bearing where Virtual Servers are concerned.
- natheCirrocumulus
Are you able to run tcpdump and see where this SYN-ACK might be? I also agree with WLB - you might want to double-check the routing side of things too.
- parvez_70211Nimbostratus
Nathan/WLB, Thanks for your response.
I don't think there is an issue with the routing here because I'm trying to telnet to the VIP from the same load balancer and the port does not open.
Also, when I tried to telnet to the VIP from an outside machine with tcpdump running on the LB, it shows only SYN packets coming in and no SYN-ACK or any packets leaving the interface.
I had one more query: the VIP is listening on port 443 and the pool members on 80, and translation is enabled. I found the client SSL cert to be missing. I know this is an issue, but telnet to the VIP on port 443 from the same LTM should show open, correct? NOTE: VIP status is available. No issues with the interface.
- What_Lies_Bene1Cirrostratus
Whatever the SSL configuration, you should still see the 3-way handshake first, before SSL/TLS negotiation can start.
- Tushar_129950Nimbostratus
Hey guys,
Did you get any resolution on this problem? Recently I have been having a similar problem: from the client machine, I can see packets coming to the VS, and tcpdump shows the LTM VS not responding to SYN.
I can ping the VS from the client machine. The only difference between the above and my issue is that I am able to telnet on port 80 from the LTM itself.
- mkratochvilCirrus
Same issue here. Telnet to VIP IP/port returns "Connection refused", telnet to pool member IP/port works. Ping to VIP works.
No AFM, no ASM, no packet filters, Auto Last Hop default.
Other VIPs work fine.
- Anup_KmNimbostratus
Hi all, I have encountered this same issue. Has anyone found a solution for this?
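
The posts above report two different results for the same test: a SYN that is never answered, and a "Connection refused". As an added example (not part of any post, and not F5 tooling), the script below reads tcpdump text output and labels each attempted connection by how its SYN was answered. It assumes plain `tcpdump -nn` IPv4 output; the capture lines and the client address 192.0.2.10 are constructed.

```python
import re

# Assumes plain `tcpdump -nn` text output, IPv4 only.
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample capture (not from the thread); 192.0.2.10 is a made-up client.
SAMPLE = """\
12:00:01.000000 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, win 29200, length 0
12:00:02.000000 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, win 29200, length 0
12:00:04.000000 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, win 29200, length 0
12:00:05.000000 IP 192.0.2.10.51001 > 10.10.10.2.443: Flags [S], seq 200, win 29200, length 0
12:00:05.000100 IP 10.10.10.2.443 > 192.0.2.10.51001: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:06.000000 IP 192.0.2.10.51002 > 10.10.10.5.80: Flags [S], seq 300, win 29200, length 0
12:00:06.000100 IP 10.10.10.5.80 > 192.0.2.10.51002: Flags [S.], seq 900, ack 301, win 4380, length 0
12:00:06.000200 IP 192.0.2.10.51002 > 10.10.10.5.80: Flags [.], ack 901, win 29200, length 0
""".splitlines()


def classify_handshakes(lines):
    """Map (client, server) -> (verdict, syn_count) for each flow opened by a bare SYN."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # non-TCP or unparsable line
        src, dst, flags = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", m[5]
        if flags == "S":  # initial SYN or a retransmission of it
            state = flows.setdefault((src, dst), {"syns": 0, "reply": None})
            state["syns"] += 1
        elif (dst, src) in flows and flows[(dst, src)]["reply"] is None:
            # The first SYN-ACK or RST from the server side decides the verdict.
            if flags == "S.":
                flows[(dst, src)]["reply"] = "open"
            elif "R" in flags:
                flows[(dst, src)]["reply"] = "refused"
    # No SYN-ACK and no RST seen: the SYN went unanswered on this interface.
    return {k: (v["reply"] or "silent-drop", v["syns"]) for k, v in flows.items()}


if __name__ == "__main__":
    for (client, server), (verdict, syns) in classify_handshakes(SAMPLE).items():
        print(f"{client} -> {server}: {verdict} after {syns} SYN(s)")
```

A "silent-drop" verdict only says that no reply was seen on the captured interface, so a capture taken on all interfaces is needed before concluding that no reply was sent at all.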