Forum Discussion
VIP issue
Hi,
We have the following VS setup,
virtual vl100-bz {
   snatpool bz-vl100
   pool bz-pl
   destination 172.20.10.50:https
   ip protocol tcp
   persist persist-profile
   profiles {
      http-xforward {}
      tcp {}
   }
   vlans 100 enable
}
Src client - 172.20.10.8
snatpool bz-vl100 - 172.20.10.200
pool bz-pl - 172.20.10.60 ( Gwy - Router - 10.101.0.100)
Problem:
When the user accesses the VIP (https://172.20.10.50), he is NOT able to see the pool member hostname in the browser,
but
when the user accesses the DIP (https://172.20.10.60), he is able to see the pool member hostname in the browser.
Could the issue be with the http-xforward profile? Even though the pool's gateway is not the F5, we've used SNAT to force return traffic from the pool member to go via the F5 to the client. Still the issue persists.
Any clues would be great?
thanks - gseek
18 Replies
- nitass
Employee
"When the user accesses the VIP (https://172.20.10.50), he is NOT able to see the pool member hostname in the browser"
so, what does it show in the browser?
"Could the issue be with the http-xforward profile?"
i do not think so.
by the way, did you forget the ssl profile when posting?
- genseek_32178
Nimbostratus
it shows - page cannot be displayed.
no, there is no SSL profile here.
- nitass
Employee
"it shows - page cannot be displayed."
in that case, you need an ssl profile. if the pool is listening on port 80, only a clientssl profile is required. if the pool is also listening on port 443, both clientssl and serverssl profiles are required.
- genseek_32178
Nimbostratus
thank you nitass for the response.
I'm curious as to why the return traffic from the pool member (172.20.10.200) is NOT coming back via the F5 even though we've applied SNAT, which should normally force reply traffic via the F5 instead of going via the router.
we thought https://172.20.10.200 is working because the client is directly accessing the pool member and NOT via the VS, and as the pool member has the router as its gateway, the client is seeing the source as the same IP which was the destination in the original request to the pool member.
I'm quite curious how adding a client or server ssl profile would force the return traffic via the F5, which SNAT is not able to do? And if ssl is applied, do we need to remove snat? Please elaborate on the traffic flow.
- nitass
Employee
"I'm curious as to why the return traffic from the pool member (172.20.10.200) is NOT coming back via the F5 even though we've applied SNAT, which should normally force reply traffic via the F5 instead of going via the router."
how do you know? does tcpdump show that?
"I'm quite curious how adding a client or server ssl profile would force the return traffic via the F5, which SNAT is not able to do? And if ssl is applied, do we need to remove snat? Please elaborate on the traffic flow."
ssl profile and snat are different things. the ssl profile does nothing about snat and routing.
- genseek_32178
Nimbostratus
yes, tcpdump shows there is no reply coming back to the bigip.
Can you please tell me the command to remove the xforward profile from the virtual server vl100-bz?
And what would be the single command to add a clientssl profile to the virtual server vl100-bz?
Or is it that we need to delete the complete virtual server and then re-apply the virtual minus the xforward profile or plus the clientssl profile?
- nitass
Employee
e.g.
root@ve10(Active)(tmos)# list ltm virtual vl100-bz
ltm virtual vl100-bz {
    destination 172.20.10.50:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        persist-profile {
            default yes
        }
    }
    pool bz-pl
    profiles {
        http-xforward { }
        tcp { }
    }
    snatpool bz-vl100
    vlans {
        vlan100
    }
    vlans-enabled
}
root@ve10(Active)(tmos)# modify ltm virtual vl100-bz profiles delete { http-xforward } profiles add { clientssl }
root@ve10(Active)(tmos)# list ltm virtual vl100-bz
ltm virtual vl100-bz {
    destination 172.20.10.50:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        persist-profile {
            default yes
        }
    }
    pool bz-pl
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    snatpool bz-vl100
    vlans {
        vlan100
    }
    vlans-enabled
}
- genseek_32178
Nimbostratus
thanks nitass.
But we are using version 10.2.1 and I'm not sure if it supports the "profiles delete" and "profiles add" commands. Does it support them? If not, could you specify the command related to version 10.2.1?
also, when we log in to the LTM, we do not see the prompt as
root@ve10(Active)(tmos)
but as
root@ve10(Active)
Will this command work in 10.2.1?
b virtual vl100-bz profiles delete { http-xforward }
- What_Lies_Bene1
Cirrostratus
Just type 'tmsh' at the prompt to enter the same shell that Nitass was using. It is available with v10 and is far superior to using bigpipe commands. Alternatively you can prefix Nitass's commands with 'tmsh' and stay in the Advanced Shell, but then you lose the advanced functions like autocomplete.
- nitass
Employee
thanks Steve!
this is the bigpipe command. i am running 10.2.4.
[root@ve10:Active] config # b virtual vl100-bz list
virtual vl100-bz {
   snatpool bz-vl100
   pool bz-pl
   destination 172.20.10.50:443
   ip protocol 6
   persist persist-profile
   profiles {
      http-xforward {}
      tcp {}
   }
   vlans vlan100 enable
}
[root@ve10:Active] config # b virtual vl100-bz profiles { clientssl tcp }
[root@ve10:Active] config # b virtual vl100-bz list
virtual vl100-bz {
   snatpool bz-vl100
   pool bz-pl
   destination 172.20.10.50:443
   ip protocol 6
   persist persist-profile
   profiles {
      clientssl {
         clientside
      }
      tcp {}
   }
   vlans vlan100 enable
}
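Added example (editor's addition, not a post from this thread and not F5 documentation): the tmsh commands for the two cases nitass describes, applied to the virtual server from the original post. The failure mode fits the thread: http-xforward is an HTTP profile, and with no clientssl profile in front of it the VS hands it the browser's TLS bytes, which it cannot parse, so the connection is dropped and the browser shows "page cannot be displayed"; SNAT plays no part in that, as nitass says. The profile names bz-clientssl and bz-serverssl and the files bz.crt and bz.key are assumptions; vl100-bz, bz-pl, bz-vl100, vlan100, http-xforward and the addresses come from the thread. Because https://172.20.10.60 answers directly, the pool member in this thread listens on 443, which is case 2b.

```tmsh
# Added example, not from the thread. Run at the tmsh prompt on the BIG-IP.
# Assumed names: bz-clientssl, bz-serverssl, bz.crt, bz.key.
# From the original post: vl100-bz, bz-pl, bz-vl100, vlan100, http-xforward.

# 1. Client-side TLS. The clientssl profile is what lets the VS terminate the
#    browser's TLS session; without it the http-xforward (HTTP) profile is fed
#    ciphertext it cannot parse. The built-in "clientssl" profile uses the
#    box's self-signed certificate, so give the site its own cert and key:
create ltm profile client-ssl bz-clientssl defaults-from clientssl cert bz.crt key bz.key

# 2a. Pool members listen on port 80 (SSL offload): clientssl only.
#     Keep the HTTP profile so X-Forwarded-For carries the real client IP;
#     with SNAT every request otherwise appears to come from 172.20.10.200.
modify ltm virtual vl100-bz profiles replace-all-with { tcp http-xforward bz-clientssl }

# 2b. Pool members listen on port 443 (this thread, since https://172.20.10.60
#     answers directly): clientssl AND serverssl, i.e. decrypt, inspect,
#     re-encrypt. The built-in serverssl profile does not check the member's
#     certificate (peer-cert-mode ignore); require it so a spoofed member on
#     the server-side VLAN cannot receive the decrypted traffic.
create ltm profile server-ssl bz-serverssl defaults-from serverssl peer-cert-mode require ca-file ca-bundle.crt
modify ltm virtual vl100-bz profiles replace-all-with { tcp http-xforward bz-clientssl bz-serverssl }

# 3. Check the result (the snatpool, pool and persistence settings are untouched)
#    and save.
list ltm virtual vl100-bz profiles
save sys config
```

Pick either step 2a or 2b, not both. "profiles replace-all-with" is used instead of the delete/add pair shown above so the profile list ends up exactly as written regardless of what was on the VS before; the clientssl profile is client-side and the serverssl profile server-side by default, so no context has to be given. ca-bundle.crt is the CA bundle shipped on the BIG-IP; if the pool member's certificate is issued by an internal CA, import that CA and name it here instead.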