Forum Discussion
VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.
Hi all,
I have an F5 VE running 17.5.1.3 in my lab environment for learning purposes. As back end I installed the phpauction web page, and the whole configuration works flawlessly if only the LTM module is enabled. This in its simplest form:
- Virtual server on port 80.
- TCP profile
- HTTP profile
- Pool
- Automap
When I add another module, for example ASM, the VIP stops working although it's still green/up, and not even a security policy has been attached to the VIP. Captures show that the SYN is reaching the F5, but I do not get a response from it:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type EN10MB (Ethernet), capture size 65535 bytes
16:24:51.691462 IP 192.168.1.100.64282 > 192.168.2.10.80: Flags [S], seq 5173934, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis= port=1.1 trunk=
16:24:51.942738 IP 192.168.1.100.64625 > 192.168.2.10.80: Flags [S], seq 1642892817, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= port=1.1 trunk=
I checked the back-end connection as well, but the F5 is not sending out the SYN to the web server. So it looks like it's blackholing my traffic. When I disable ASM and use only LTM, everything starts to work again. Even when trying different modules like APM, the same issue happens. The VIP is not responding after only enabling APM or AFM.
I tried the following:
- Factory reset the machine.
- Upgrade to 17.5.1.3.
- Enabled RST CAUSE (but there isn't any, because the SYN isn't there in the first place).
- Forced a config reload on the mcpd process.
- Enabled LTM debugging without receiving any logs about the connection.
- Looked into the DoS and bot defense logs to see if traffic is dropped at an earlier point in the chain.
- Enabled TMM debugging without getting any relevant logs.
- Changed the VIP from standard to FastL4.
- Removed the HTTP profile.
I did play a lot with other modules as well, like ASM, APM, AFM, SSLO and DNS, which is why I thought it was a configuration issue at first. But resetting the machine to factory default did not solve it. Is it possible there are some leftovers from my learning path on this machine?
Do you know what additional steps I can take to solve this issue?
Thanks.
Best regards,
Mitchel
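The capture in the post above, run through a small triage script (added here as an example, not part of the post or of any F5 tooling): it groups the tcpdump lines by connection, flags client SYNs that got neither a SYN-ACK nor an RST back, and reports whether the F5 trailer's lis= field named a virtual server for that packet. The reading of an empty lis= as "no listener claimed the packet" is my assumption, and the healthy handshake lines are constructed for contrast.

```python
import re

# Matches tcpdump lines as printed on an F5; the trailing "in slotX/tmmY lis=... port=... trunk=..."
# part is F5-specific and optional. Banner lines ("listening on any, ...") do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\].*?"
    r"(?: (?:in|out) (?P<tmm>slot\d+/tmm\d+) lis=(?P<lis>\S*) port=\S* trunk=\S*)?$"
)

# Constructed sample: the two unanswered SYNs from the post plus one healthy handshake for contrast.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type EN10MB (Ethernet), capture size 65535 bytes
16:20:01.000000 IP 192.168.1.100.50000 > 192.168.2.10.80: Flags [S], seq 1, win 65535, options [mss 1260], length 0 in slot1/tmm0 lis=/Common/vs_phpauction port=1.1 trunk=
16:20:01.000500 IP 192.168.2.10.80 > 192.168.1.100.50000: Flags [S.], seq 2, ack 2, win 4380, options [mss 1460], length 0 out slot1/tmm0 lis=/Common/vs_phpauction port=1.1 trunk=
16:24:51.691462 IP 192.168.1.100.64282 > 192.168.2.10.80: Flags [S], seq 5173934, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis= port=1.1 trunk=
16:24:51.942738 IP 192.168.1.100.64625 > 192.168.2.10.80: Flags [S], seq 1642892817, win 65535, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= port=1.1 trunk=
"""

def parse_capture(text):
    """Return one dict per packet line; lines that are not packets are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def unanswered_syns(pkts):
    """Client SYNs that never got a SYN-ACK ("S.") or an RST back from the VIP side."""
    answered = set()
    for p in pkts:
        if p["flags"] == "S." or "R" in p["flags"]:
            # Reply tuple reversed so it lines up with the original SYN's (src, sport, dst, dport)
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    found = []
    for p in pkts:
        if p["flags"] == "S" and (p["src"], p["sport"], p["dst"], p["dport"]) not in answered:
            found.append({
                "time": p["ts"],
                "client": f"{p['src']}:{p['sport']}",
                "vip": f"{p['dst']}:{p['dport']}",
                "tmm": p["tmm"],
                # Assumption: an empty lis= means no virtual server claimed the packet
                "listener_matched": bool(p["lis"]),
            })
    return found

if __name__ == "__main__":
    for hit in unanswered_syns(parse_capture(SAMPLE_CAPTURE)):
        print(hit)
```

For the post's two SYNs the script reports no reply and no matched listener, which separates "the VIP never saw the packet" from "the VIP saw it and dropped it" before digging into module logs.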
9 Replies
- Shyy
Cirrus
Never heard of such a thing.
Are we talking about the VIP stopping working right after provisioning the modules, or does it stop working when adding an APM policy or ASM policy to the VIP?
- tjoll66
Nimbostratus
Yes, so when only LTM is enabled the VIP works fine. Then after enabling, for example, ASM, the VIP only responds to ICMP but is not responding to my SYN packet, even when I haven't created and attached a policy yet. The same happens when provisioning APM. In that case I have LTM + APM enabled; same response: ICMP works, HTTP doesn't. Also when combining LTM + ASM + APM + AFM.
I think I played so much with the configuration while learning for my 401 exam that something broke under the hood. Today I tried to clone the VM and attach a trial license; same issue. So there's definitely something strange going on under the hood.
- tjoll66
Nimbostratus
Hi Shyy,
No, the policies haven't even been attached to the VIP. So just enabling the module already has an impact.
Hi,
Did you check the CPU and RAM required for the new modules (vCPU, RAM)?
BR
Aswin
- tjoll66
Nimbostratus
Hi,
CPU and RAM seem to be okay. I've got 8 vCPUs and 64 GB of RAM. I would be surprised if the F5 needs more for only one VIP in a lab environment with almost no traffic passing. I did check some memory-related logs like OOM, but I could not find any.
- tjoll66
Nimbostratus
A few days ago I tried to open a TAC case, but apparently my support has expired. That triggered the thought that it might be related to the license.
I tried the following:
- Cloned the VM in ESXi, revoked the current lab license, generated a new trial license and attached it to the cloned VM. Guess what? Still nothing... The same issue is present with the new trial license.
- Imported a new OVF file and restored a backup to a new VM. Also needed to attach a new trial license. And still nothing... the issue is carried in the backup as well.
- Imported a new OVF file and rebuilt the F5 from scratch manually. This is the only way to get things working with the additional modules. But because it's a trial, it's not ideal.
I'm actually lost as to where to look. It's something on that machine, but I don't know what.
- Shyy
Cirrus
Even if you don't have a license for the provisioned modules, it won't cause what you're having.
Never heard of such an issue before.
I have created a lot of VMs and never encountered such an issue before.
It might actually just be a problem with the VM image itself.