web service issue

i agree to open a support case if u r not familiar with packet capturing.

 

 

what u should provide them are...

 

 

1. tcpdump

 

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.dmp \(host x.x.x.x and port 81\) or \(host y.y.y.y or host z.z.z.z and port abc\)

 

 

x.x.x.x is virtual ip

 

y.y.y.y is pool member ip

 

z.z.z.z is another pool member ip (if had)

 

abc is port number which pool member is listening on

 

 

2. client ip

 

3. qkview

 

 

hth

Hi Robert,

 

Can you provide the running configuration of your box. This will help in analyzing the problem you are facing in a much better way.

 

 

Try one thing... in the client browser type http://x.x.x.x:81 and see if everything works fine or not....

 

 

Techgeeg

 

nathan, only one way traffic on the port 81. 0 connections!

 

 

Techgeeg, it works if I put the server's IP address but if I put the virtual server's IP address it doesn't work. Error is "unable to navigate to this URL" in Internet Explorer.

 

 

Below are 4 screenshots of my configuration if it helps...

 

http://dph.state.al.us/Big-IP_Robert/virtual_server_1.png

 

http://dph.state.al.us/Big-IP_Robert/virtual_server_2.png

 

http://dph.state.al.us/Big-IP_Robert/siis2_pool_1.png

 

http://dph.state.al.us/Big-IP_Robert/siis2_pool_2.png

 

 

HUGE PROGRESS!!!

 

I have the web service somewhat responding when it goes through Big-IP but now I may have a persistence issue. Here's how it works...

 

A user calls a web service and passes certain parameters and then one of three other web services is called and a PDF file is auto generated for the user. Could this be a persistence issue at this point? It wouldn't load any of the 3 web services but if I call the main web service and don't pass anything it tells me a username/password is required. What are your thoughts?

Robert

 

 

I notice from the screenshots that the health monitor for the pool is "tcp". This is only ensuring basic tcp connectivity to the pool member (the three way handshake mentioned previously). I would probably want to monitor both the port and protocol being used. So in this case I'd create a custom monitor based on the default http profile and call it http81, for example. If you then associate this with the pool it will give a better indication of the f5's connection to the pool members using http on port 81.

 

 

As for whether persistence is an issue. It doesn't look like you've got persistence set anyway, again from your screenshots. One example of persistence is that within a certain time period (configurable) a client IP will be sent to the same pool member as before.

 

 

As for the traffic being one way it does look like the f5 is attempting connection but not getting any response back. We know routing's working cos the tcp monitor is up (and you've got another VS with Port 80 working). Shot in the dark but is the VLAN setting the same on this VS as the port 80 one? Could you try changing the VLAN and Tunnel Traffic to All Vlans, rather than DMZ2_VS-SNAT?

 

 

Have you tried running curl on the f5? Could help. Cmd is:

 

 

curl -v http://pool_member_ip:81

 

 

N

 

 

Nathan, same DMZ as the port 80!

 

I can open a test web page under the web service THROUGH the Big-IP but the actual web service itself won't render. It renders when you call it via the server's IP address. This web service calls another web service that returns a PDF to the client. That's why I was thinking that I may need to add persistence. The port 80 traffic has persistence and it working great. I haven't ran curl since the "test.htm" page works going through the Big-IP.

Hi Robert,

 

I was having the similar type of environment in one of the implementation where the port was not 80 or 8080 but it was different similar is the case with you .... can you check the following and reply back..... http or https://x.x.x.x:81 where x.x.x.x is the VS IP and see if you get the desired reply through BIG-IP. Initially keep the SNAT to auto map and allow the traffic to all VLANs and check the response.

 

 

 

Faisal

No but I've narrowed the problem to the web service. It calls another web service on the same port and that's where the problem is. It calls this other web service using the fully qualified domain name (http://...)

RESOLVED!!!

That's fantastic, do you mind sharing what the resolution was for those interested or similarly affected? :)

 

 

Colin