For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

m1978_295079's avatar
m1978_295079
Icon for Nimbostratus rankNimbostratus
Jun 13, 2017

Why I am able to Telnet to VIP when pool members are down ??

Why I am able to telnet to a VIP (port 443) when all pool members actually down, VS showing down as well. Could someone please explain in brief.  
BIG-IP
devops
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Jun 13, 2017

Hi,

Main issue with testing VS (one with HTTP profile assigned) via telnet is how Standard VS handles new connection:

  • 3WHS is always performed
  • VS is waiting for first HTTP request from client before selecting member and performing 3WHS on server side.

Now, if you are sending any data using telnet (like pressing any key when telnet session is open) VS will be sending ACK but not doing anything else (except resetting I Idle timeout on created client side flow).

If you will handle telnet session close gracefully (ctrl=] then quit) VS will even perform proper 4WC (FIN-ACK exchange).

So everything looks OK considering telnet, but proofs nothing.

Even worse, when using 

show ltm profile tcp
it will report connection as Open and Accepted.

What will happen depends as well on Verified Accept enabled - you will get immediate RST (not recommended for HTTP type VSs).

As already mentioned a lot depends on VS config, for example Standard VS without HTTP profile immediately respond with RST, when checking 

show net rst-cause
it will be reported as No pool member available.

So conclusion is that only way to test is to send at least one HTTP request after 3WHS and better use tools like curl for testing.

Piotr