Fail to access DVWA which is behind F5 LTM

Question

hi Team,&nbsp;Step 1.Tried to setup the DVWA docker accordingly to below link:https://github.com/ethicalhack3r/DVWAdocker run --rm -it -p 80:80 vulnerables/web-dvwa&nbsp;When access the DVWA from internet, it works and can access the login page.&nbsp;Step 2.Then adds that DVWA server as pool member in F5 LTM, it then failed to access when access via the Virtual Server ip address from internet.A few key items:the F5 setting should be correct, as once i change the pool member to a Nginx web server, it works instantly. Thus, the F5 configuration should be no problem. (SNAT auto-map is configured)if access the DVWA in the same network, it worksthe access.log of Apache shows below when behind the F5:			10.1.1.14 - - "GET /" 302 0 "-" "-"			Where the 10.1.1.14 is the VS IP address&nbsp;Any clue? i wonder it may needs to change some configuration on Apache or so. See if anyone encounter before? Thanks&nbsp;Br,&nbsp;Sam Fok&nbsp;&nbsp;

martin_šebek · Answer

How does it come that log file on Apache shows 10.1.1.14 as a client IP address along with it is configured as VS IP address with SNAT automap? The traffic should be SNATed behind floating IP address of the eggress VLAN.

I would recommend using tcpdump to check what is going on.

tcpdump --nni 0.0:nnnp host 10.1.1.14

samfok · Answer

Thanks Martin,&nbsp;It may due to the F5 LTM is deployed as Single Nic in the GCP, where:&nbsp;10.1.1.14: LTM IP (single nic)10.1.1.15: DVWA IPXX.XX.XX.XX: masked public ip from my computer &nbsp;Capture the said tcp dump as attached, and in the last few entries, &nbsp;------------------------------------------------10:25:00.492238 IP 10.1.1.14.43358 &gt; 10.1.1.15.80: Flags [F.], seq 10, ack 2, win 222, options [nop,nop,TS val 1013071 ecr 2516564255], length 0 in slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094&nbsp;10:25:00.492248 IP 10.1.1.14.43358 &gt; 10.1.1.15.80: Flags [F.], seq 1908046924, ack 2, win 222, options [nop,nop,TS val 2592968267 ecr 2516564255], length 0 out slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094&nbsp;10:25:00.492398 IP 10.1.1.15.80 &gt; 10.1.1.14.43358: Flags [.], ack 1908046925, win 1018, options [nop,nop,TS val 2516564255 ecr 2592968267], length 0 in slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094&nbsp;10:25:00.492407 IP 10.1.1.15.80 &gt; 10.1.1.14.43358: Flags [.], ack 11, win 1018, options [nop,nop,TS val 2516564255 ecr 1013071], length 0 out slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094------------------------------------------------&nbsp;it does see back and forth communication between the LTM and DVWA servers.Any comment? thx.&nbsp;Br,Sam Fok&nbsp;

martin_šebek · Answer

Check the status of the pool you are sending traffic to.  In tcpdump output there you can see resets with cause No pool member available.  So it looks like BIG-IP has marked all pool members as down and therefore the whole VS is unavailable.

richard_tocci · Answer

DVWA replies with a 302 by default. The monitor won't work in this case. If you turn on monitor logging on the pool member, you'll see a message something like this:
[0][13152] 2023-06-23 08:00:06.439883: ID 24 :(_do_ping): time to ping, now=[1687525206.439594][2023-06-23 08:00:06],status=DOWN [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525206.438613][2023-06-23 08:00:06] last_ping=[1687525201.468029][2023-06-23 08:00:01] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10609 rcv_cnt=0 ][0][13152] 2023-06-23 08:00:06.439973: ID 24 :(_send_active_service_ping): pinging [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=none ][0][13152] 2023-06-23 08:00:06.439988: ID 24 :(_connect_to_service): creating new socket (rd0) [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 ][0][13152] 2023-06-23 08:00:06.440059: ID 24 :(_connect_to_service): connect: Operation now in progress [ tmm?=falsetd=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ][0][13152] 2023-06-23 08:00:06.440082: ID 24 :(_do_ping): post ping, status=DOWN [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=16 pend=1 #conn=1 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0next_ping=[1687525211.438613][2023-06-23 08:00:11] last_ping=[1687525206.439594][2023-06-23 08:00:06] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10610 rcv_cnt=0 ][0][13152] 2023-06-23 08:00:06.440586: ID 24 :(_main_loop): Activity on pending service, now=[1687525206.440575][2023-06-23 08:00:06] [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 fd=16 pend=1#conn=1 ][0][13152] 2023-06-23 08:00:06.440603: ID 24 :(_send_active_service_ping): pinging [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ][0][13152] 2023-06-23 08:00:06.440620: ID 24 :(_send_active_service_ping): writing [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ] send=GET /\x0d\x0aHTTP/1.1\x0d\x0aHost: \x0d\x0aConnection: Close\x0d\x0a\x0d\x0a
[0][13152] 2023-06-23 08:00:06.440641: ID 24 :(_send_active_service_ping): sent ping [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=16 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525211.438613][2023-06-23 08:00:11] last_ping=[1687525206.439594][2023-06-23 08:00:06] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10610 rcv_cnt=0 ][0][13152] 2023-06-23 08:00:06.442031: ID 24 :(_main_loop): Service ready for read, now=[1687525206.441995][2023-06-23 08:00:06] [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 fd=16 pend=0 #conn=0 ][0][13152] 2023-06-23 08:00:06.442056: ID 24 :(_recv_active_service_ping): reading [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ][0][13152] 2023-06-23 08:00:06.442089: ID 24 :(_recv_active_service_ping): read failed [ tmm?=false td=true tr=falseaddr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ][0][13152] 2023-06-23 08:00:06.442130: ID 24 :(shutdown_service) Closing logging file /var/log/monitors/Common_http_dvwa-Common_10.1.20.17-80.logAdjust your monitor to look for the redirected URL:GET /login.php
HTTP/1.1
Host: 
Connection: Close

https://my.f5.com/manage/s/article/K3224

Forum Discussion

Fail to access DVWA which is behind F5 LTM

4 Replies

Recent Discussions

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Overview of API Access Control and implementing API key access control with BIG-IP APM

API Security: How to implement API Access Control with F5

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows