Forum Discussion
VIP Listening on port 80 and pool members listening on different ports
Hi There, I have a situation that is as follows:
VIP: 10.10.20.11 listening on port 80
Pool members: 10.27.27.10 through 15 listening on TCP ports 50101, 50201, 50301, 50401 and 50501.
I need to redirect traffic hitting the VIP from HTTP to HTTPS (no offloading on the LTM) and then forward the traffic to the above pool members, which are listening on different ports. At present I am not able to get this working, as the connection gets reset. Any help would be greatly appreciated.
Thanks
14 Replies
- Hannes_Rapp
Nimbostratus
Hi Puneet,
Hope I've understood your situation correctly. Here's what I'd do:
1) Create additional VS listening on 443 port. Apply the system-default "_sys_https_redirect" iRule on VS listening on port 80.
In case you receive the connection reset error:
2) Ensure no HTTP profiles are attached to either VS (profile used must be TCP or FastL4)
3) Ensure the port translation is enabled (must-have as the VS and pool member ports are different)
4) No client or server-side SSL profiles are required as the SSL is handled in end-server.
Hope this helps.
- PeteWhite
Employee
If you don't assign an HTTP profile to the port 80 VS then you won't get the HTTP_REQUEST event. As suggested, no need for HTTP for port 443 VS
- Puneet_110030
Nimbostratus
Hello Pete and Hannes,
Thanks for your inputs. Pete, you are correct, you cannot attach an iRule to the VIP unless you have an HTTP profile associated with the VIP. That being said, it still doesn't work. More details are as follows:
VIP: 10.10.20.11 listening on port 443
Pool Members:
10.27.27.10:50101
10.27.27.11:50201
10.27.27.12:50301
10.27.27.13:50401
10.27.27.14:50501
No HTTP profiles are attached and no SSL offloading is present, as it will be taken care of on the pool members. When I try to access https://10.10.20.11 I get a "Page cannot be displayed." However, when I try to access one of the pool members directly using https://10.27.27.10:50101/irj/portal it works just fine. I am sure I am missing something very critical here, don't know what.
Thanks, Puneet
- Hannes_Rapp
Nimbostratus
Please post your related configurations from the /config/bigip.conf (VS, pool, iRules if any... ) Also, try the following command towards the service: "curl -vI https://www.myservice.com"
- Amit_Karnik
Nimbostratus
Puneet,
- Are you missing a serverssl profile? Since the client connection is http, you need a serverside ssl connection to hit the pool member with https.
- If that does not work I would check to make sure the reverse routing on the server is correct to send the traffic back to the SNAT IP on the LTM.
- Techgeeeg
Nimbostratus
Hi Puneet,
Good day. As far as I have understood your query, will you kindly confirm/do the following; I believe it should work.
- Create the VS on port 80.
- Keep the http profile to none.
- Enable snat automap.
- Keep the traffic sent to all VLANS.
- Check box the port and address translation.
- Select the pool you have created, with all the members along with their IP addresses.
Once done it should work. Just make sure from F5 box you are able to ping all the pool members.
Regards,
- mitchie_280710
Nimbostratus
Hello,
Could you please help me.
I created a site in F5, using port 80, and the server is up. Everything is green and OK, but when I try to access the internal site, it's not coming up. When I ping the site it says RTO.
I performed this:
curl -vI smart-scheduler.insead.edu
* Rebuilt URL to: smart-scheduler.insead.edu/
* Hostname was NOT found in DNS cache
* Trying 10.31.32.24...
* connect to 10.31.32.24 port 80 failed: Connection timed out
* Failed to connect to smart-scheduler.insead.edu port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to smart-scheduler.insead.edu port 80: Connection timed out
michelle@mgt-1-fr7703-61:~$ ^C
But when I put the server IP in the URL, it is coming up. I saw the website.
What is missing in the F5 configuration?
The server is up when I ping it, but the site is not up.
Please help.
- tanu_s
Nimbostratus
I have another situation where the VIP is listening on port 443 and the pool members are listening on ports 12001, 12002. Would it work?
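The layout the replies above describe, written out as a bigip.conf fragment. This is an added example, not configuration posted by anyone in the thread: the object names (vs_app_http, vs_app_https, pool_app_tls) are hypothetical, SNAT automap is included as one reply suggests, and the addresses and ports are the ones given in the question.

```conf
# Constructed bigip.conf fragment. Object names are hypothetical;
# addresses and ports are taken from the thread.

# Port 80: redirect only. _sys_https_redirect fires on HTTP_REQUEST,
# so this virtual server needs an HTTP profile. No pool is attached.
ltm virtual /Common/vs_app_http {
    destination /Common/10.10.20.11:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/_sys_https_redirect
    }
}

# Port 443: TLS is terminated on the servers, not on the LTM, so there is
# no HTTP, client-ssl or server-ssl profile here. translate-port rewrites
# destination port 443 to each pool member's own port.
ltm virtual /Common/vs_app_https {
    destination /Common/10.10.20.11:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_app_tls
    profiles {
        /Common/fastL4 { }
    }
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

ltm pool /Common/pool_app_tls {
    members {
        /Common/10.27.27.10:50101 { address 10.27.27.10 }
        /Common/10.27.27.11:50201 { address 10.27.27.11 }
        /Common/10.27.27.12:50301 { address 10.27.27.12 }
        /Common/10.27.27.13:50401 { address 10.27.27.13 }
        /Common/10.27.27.14:50501 { address 10.27.27.14 }
    }
}
```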