Forum Discussion

iamcejiro_16285's avatar
iamcejiro_16285
Icon for Nimbostratus rankNimbostratus
Jun 05, 2017

Unable to telnet VS IP from PC on the same network.

Hi,

We have configured standard VS with IP of 10.2.5.69:80 with pool of 10.2.40.121 (service is 80). Pool and VS status is enabled/UP but when we try to telnet the VS IP from test PC (10.2.5.50) which is on the same network of VS, telnet is failing.

Other isolation made: 1. Telnet VS IP from F5 cli. Result: telnet is successful 2. Telnet from F5 to backend server using port 80. Result: telnet is successful

Why telnet from the same network of VS IP is failing? From tcpdumps, VS IP is sending RST.

VS config below:

ltm virtual /Common/VS_FuelCareer {
    destination /Common/10.2.5.69:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/FuelCareer
    profiles {
        /Common/Fuel_Career {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /Common/10.2.5.69 {
    address 10.2.5.69
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-local-only
}

Thanks.

LTM
security
  • Amanpreet_Singh's avatar
    Amanpreet_Singh
    Icon for Cirrostratus rankCirrostratus
    Jun 05, 2017

    Hi, Seems like there are some Access Policies that is restricting Telnet to complete in your case. Checkout 'F5RST: Policy Action' in your packet capture screenshot.

     

    • iamcejiro_16285's avatar
      iamcejiro_16285
      Icon for Nimbostratus rankNimbostratus
      Jun 06, 2017

      Test PC and VS IP are on the same network (like a back-to-back connection). No policy between the two.

       

  • Snl's avatar
    Snl
    Icon for Cirrostratus rankCirrostratus
    Jun 05, 2017

    check couple of things

     

    1)make sure u r self ip 's are not duplicated , verify the ARP from the switch for all IP & Mac address

     

    2) any inline device between client & F5 also verify client pc subnet mask & gateway is this part of same vlan or separate vlan (10.2.5.0/24)

     

    3) did u Applied the standard http profile

     

    4) is the VS status into green wht about pool health check is it green

     

  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Jun 05, 2017

    Hi,

    Try to reset rst-cause stats - 

    tmsh reset-stats net rst-cause
    .

    The run 

    watch -n 1 tmsh show net rst-cause

    Then try to connect and see which counter was increased - based on that it will be easier to find out why F5 is resetting connection.

    For sure ARP is working for you as SYN is delivered to F5 and there is RST reply from F5.

    I am suspecting that:

    profiles { /Common/Fuel_Career { context clientside }

    means that you have clientssl profile attached to VS, or I am wrong here? If so when you try to telnet, connection will be rejected as well but after 3WHS.

    Seems like some Packet Filter or AFM rule is responsible.

    If first then in rst-cause you will see increase in Packet filter (reject) counter.

    This is likely because connection initiated from F5 cli is not rejected by Packet Filter.

    Piotr