cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Client PC cannot reach Virtual Server

Cjay
Altostratus
Altostratus

My LAB topology: Web servers --> F5 --> Router --> External client

 

External client is unable to reach virtual server via a browser. I'm able to ping virtual server IP from external client pc. Basic connectivity between F5 to web servers works. That is ping & curl of each web servers's IP and http address respectively.

 

F5 can reach the default gateway of the external client. The external client can reach the virtual server's IP which is in the same subnet as the F5 external interface IP to the router. 192.168.1.0/24

 

Why am I not able to reach the virtual server from the external client via a browser? PCAP shows virtual server sends a RST after external client sends an HTTP GET message.

 

4 REPLIES 4

Cjay
Altostratus
Altostratus

Please can someone help?

 ,

 

Check if you are able to telnet Virtual Server on specified port from external client browser?

Also check statistics under Virtual Server and Pool and see if you are seeing hits. If you are seeing hits, then check VS settings like SNAT and http profile.

 

Mayur

Heino
Cirrus
Cirrus

One way to get this scenario is when you have a vip with an irule that contains an error. The editor is great these days, but sometimes you can still sneak something in that makes no sense. Same goes for various profiles/policies you can add to the vip.

 

As the virtual server sends a rst I guess that TCP is okay, but it would be nice with a confirmation. If your external client is a win10; Test-Networkconnection is a nice powershell tool. FYI powershell still seems to rely on TLS1.1, TLS1.2 has to be manually enabled.

 

Try removing everything from your vip. Back to basics so to speak. If you do not have a webserver you can send the raw traffic to, then add a (basic, no custom) http profile and an irule that responds with a "Hello World".

when HTTP_REQUEST { HTTP::respond 503 content "Hello World, we're testing functionality" } }

 

If you can see this from the client, then you can begin to add more of the original functionality in steps. I recommend working from the bottom up. first the custom tcp profile, then the http profile. Try to see where it breaks.

 

Oh, and a kind reminder to kill the browser between tests.

 

Cjay
Altostratus
Altostratus

Thank you  and  for your answers. I figured out the issue and it was because I used the BIG-IP's IP as the default gateway for my web servers. I am studying for the 101 & 102 so my lab setup was a step by step process based on the video tutorial I am following. It was when I got to the part that talked about floating IP, then I realized I could use a floating IP as the default gateway of my web servers and that worked for me.

 

Your suggestions are also great to be used for other scenarios if I encounter them. Thank you both, I will appreciate your help.