For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JotaCePena_1783's avatar
JotaCePena_1783
Icon for Nimbostratus rankNimbostratus
Oct 22, 2015

Virtual server doesn't works.

This is the config:

 

VIP: 11.240.64.30:3753

 

Self IP: 11.240.67.101

 

POOL:

 

node1: 11.240.67.38:3753 node2: 11.240.67.39::3753 Algorithm is round robin. Is automap configured. I'm using the monitor TCP_Half_Open and this monitor, marks server available. When I try to connect to VS, the statistics of pool show no connections to servers

 

Please could anyone help me about this issue? JotaCe.

 

application delivery
BIG-IP Access Policy Manager (APM)
LTM
management
microsoft
security

9 Replies

  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Oct 22, 2015
    You may have to give a little more config info. Also, try doing a tcpdump on your server VLAN to see if a handshake is being initiated but not completed. tcpdump -ni host 11.240.67.38 and port 3753
  • JotaCePena_1783's avatar
    JotaCePena_1783
    Icon for Nimbostratus rankNimbostratus
    Oct 22, 2015
    Additional info: Both vlans: virtual server Vlan and servers vlan are in the same physical interface in trunk mode (tagged mode). tcpdump result: cpena@(F2000S-SBD1-00A-CORE-C1U1)(cfg-sync In Sync)(Active)(/Common)(tmos) tcpdump -ni /Common/external_db_67 -c 50 host 11.240.67.38 and port 3753 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on /Common/external_db_67, link-type EN10MB (Ethernet), capture size 96 bytes 09:21:54.994844 IP 11.240.67.101.34715 > 11.240.67.38.nattyserver: S 2214683657:2214683657(0) win 14600 09:21:54.995068 IP 11.240.67.38.nattyserver > 11.240.67.101.34715: S 3868166173:3868166173(0) ack 2214683658 win 8192 09:21:54.995214 IP 11.240.67.101.34715 > 11.240.67.38.nattyserver: . ack 1 win 115 09:21:54.995298 IP 11.240.67.101.34715 > 11.240.67.38.nattyserver: F 1:1(0) ack 1 win 115 09:21:54.995436 IP 11.240.67.38.nattyserver > 11.240.67.101.34715: R 1:1(0) ack 2 win 0 09:21:59.900387 IP 11.240.67.101.43366 > 11.240.67.38.nattyserver: S 1557140346:1557140346(0) win 14600 09:21:59.900641 IP 11.240.67.38.nattyserver > 11.240.67.101.43366: S 1096300115:1096300115(0) ack 1557140347 win 8192 09:21:59.900731 IP 11.240.67.101.43366 > 11.240.67.38.nattyserver: . ack 1 win 115 09:21:59.900814 IP 11.240.67.101.43366 > 11.240.67.38.nattyserver: F 1:1(0) ack 1 win 115 09:21:59.900952 IP 11.240.67.38.nattyserver > 11.240.67.101.43366: R 1:1(0) ack 2 win 0 09:22:04.906414 IP 11.240.67.101.de-server > 11.240.67.38.nattyserver: S 4221153083:4221153083(0) win 14600 09:22:04.906681 IP 11.240.67.38.nattyserver > 11.240.67.101.de-server: S 4107155638:4107155638(0) ack 4221153084 win 8192 09:22:04.906827 IP 11.240.67.101.de-server > 11.240.67.38.nattyserver: . ack 1 win 115 09:22:04.906919 IP 11.240.67.101.de-server > 11.240.67.38.nattyserver: F 1:1(0) ack 1 win 115 09:22:04.907065 IP 11.240.67.38.nattyserver > 11.240.67.101.de-server: R 1:1(0) ack 2 win 0 09:22:09.911745 IP 11.240.67.101.34831 > 11.240.67.38.nattyserver: S 143087439:143087439(0) win 14600 09:22:09.911969 IP 11.240.67.38.nattyserver > 11.240.67.101.34831: S 3510124486:3510124486(0) ack 143087440 win 8192 09:22:09.912113 IP 11.240.67.101.34831 > 11.240.67.38.nattyserver: . ack 1 win 115 09:22:09.912199 IP 11.240.67.101.34831 > 11.240.67.38.nattyserver: F 1:1(0) ack 1 win 115
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 22, 2015

    I think something's missing. Do you have two VLANs and two self-IPs? Are you just showing the internal (server side) self-IP? Otherwise the self-IP and VIP are in different subnets.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 22, 2015

    Ah, that makes more sense now. ;)

     

    So have you tested connectivity? Can you ping the VIP from the client and can you ping the server from the BIG-IP?

     

  • Rik's avatar
    Rik
    Icon for Employee rankEmployee
    Oct 23, 2015

    According to your tcpdump: This is the monitor traffic, you may remove the monitor and capture both client side and server side packets again.

     

  • Amanpreet_Singh's avatar
    Amanpreet_Singh
    Icon for Cirrostratus rankCirrostratus
    Oct 23, 2015

    Are you able to simulate the connection from LB itself. Just login to ssh of ltm and try to telnet 11.240.64.30 on port 3753. See it makes any difference in current connection count. you can also check the session table entry in another ssh window to see if lb has selected the appropriate member, that is, server side connection.

     

    • JotaCePena_1783's avatar
      JotaCePena_1783
      Icon for Nimbostratus rankNimbostratus
      Oct 23, 2015
      I simulated the connection from LB itself but there are not any difference in current connection count. In session table I saw current connection like this: jcpena@(F2000S-SBD1-00A-CORE-C1U1)(cfg-sync In Sync)(Active)(/Common)(tmos) show /sys connection ss-server-addr 11.240.67.38 Sys::Connections 7.240.71.15:60552 11.240.64.30:3753 11.240.67.103:3093 11.240.67.38:3753 tcp 169 (tmm: 0) none
    • JotaCePena_1783's avatar
      JotaCePena_1783
      Icon for Nimbostratus rankNimbostratus
      Oct 25, 2015
      When I run this command, the server backend replies with right answer: "Server Online". [jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~ curl http://11.240.67.38:3753 Server Online[jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~ [jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~ curl http://11.240.67.39:3753 Server Online[jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~ [jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~ I think the issue is in the client side, may be I need a custom profile different of http profile? Any idea?