Forum Discussion
Virtual Server configuration
We own a 10.2.2 build installed on a 1600 box (ltm licensed/provisioned) and are facing an issue with configuring the
virtual-server's port in ltm.
Sample config is given below:
) list ltm virtual vip1
ltm virtual vip1 {
    destination 172.10.13.45:13000
    ip-protocol tcp
    mask 255.255.255.255
    pool Linux
    profiles {
        http { }
        tcp { }
    }
    snat automap
}
) list ltm pool Linux
ltm pool Linux {
    members {
        172.18.78.60:13080 {
            session monitor-enabled
        }
        172.18.78.60:13081 {
            session monitor-enabled
        }
        172.18.79.51:13083 {
            session monitor-enabled
        }
    }
    monitor gateway_icmp
}
Also, self-ip, vlan and everything else are configured with the default values of 10.2.2, and the pool members are pingable from bigip. The client
can also reach vip1 and the physical servers.
A SOAP server application is running on these three servers (172.18.x.x) on the given ports. When I try accessing these
servers separately using our SOAP client application, it works fine. (Note: The SOAP application is developed by us.)
However, when I configure a vip server (vip1) to load balance between these servers, it fails to respond and replies with a service
error saying "Server not running" (an error message sent by our application).
To my understanding, we can use any port in vip, irrespective of the actual server ports. And there is no firewall
between bigip and the actual servers.
We use our own SOAP client to access the server application. Through a browser, we use our WEB-INF file via an apache server to
access it.
Can anyone help in configuring the port range of 13000-130080 instead of the actual ports? Since this is an urgent requirement,
can someone suggest what is wrong here?
2 Replies
- Sasi_81631
Nimbostratus
The vip1 is replying when I use a port 13081 instead of 13000.
- hoolio
Cirrostratus
Do you have a virtual server defined on port 13081? Or is it matching a wildcard port virtual server? If the VS is defined on port 13000 your requests on port 13081 shouldn't be using this VS.
To handle a range of 80 ports, you can change the virtual server to listen on port 0 (any port) and then use an iRule to block all other ports. Do you want to have LTM perform destination port translation? Or do you want LTM to just pass through the port of 13000 to the pool member on 13000 and 13001 to the pool member on 13001? If the former, what's the logic for doing the port translation?
Here's an example of the iRule to only allow connections through on ports 13000 - 13080:

    when CLIENT_ACCEPTED {
        if {[TCP::local_port] >= 13000 and [TCP::local_port] <= 13080} {
            # Do nothing and allow the connection through to the pool
        } else {
            # Reset the connection
            reject
        }
    }

Aaron
