20-Apr-2020 09:41
Hi Team,
Step 1.
Tried to set up the DVWA docker according to the link below:
https://github.com/ethicalhack3r/DVWA
docker run --rm -it -p 80:80 vulnerables/web-dvwa
When accessing the DVWA from the internet, it works and I can access the login page.
Step 2.
Then added that DVWA server as a pool member in F5 LTM; access then failed when going via the Virtual Server IP address from the internet.
A few key items:
10.1.1.14 - - "GET /" 302 0 "-" "-"
where 10.1.1.14 is the VS IP address.
Any clue? I wonder if it may need some configuration change on Apache or so. Has anyone encountered this before? Thanks
Br,
Sam Fok
20-Apr-2020 12:24 - last edited on 04-Jun-2023 21:30 by JimmyPackets
How come the log file on Apache shows 10.1.1.14 as the client IP address when it is configured as the VS IP address with SNAT automap? The traffic should be SNATed behind the floating IP address of the egress VLAN.
I would recommend using tcpdump to check what is going on.
tcpdump -nni 0.0:nnnp host 10.1.1.14
20-Apr-2020 19:39
Thanks Martin,
It may be due to the F5 LTM being deployed as single NIC in GCP, where:
10.1.1.14: LTM IP (single nic)
10.1.1.15: DVWA IP
XX.XX.XX.XX: masked public ip from my computer
Captured the said tcpdump as attached, and in the last few entries,
------------------------------------------------
10:25:00.492238 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 10, ack 2, win 222, options [nop,nop,TS val 1013071 ecr 2516564255], length 0 in slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094
10:25:00.492248 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 1908046924, ack 2, win 222, options [nop,nop,TS val 2592968267 ecr 2516564255], length 0 out slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094
10:25:00.492398 IP 10.1.1.15.80 > 10.1.1.14.43358: Flags [.], ack 1908046925, win 1018, options [nop,nop,TS val 2516564255 ecr 2592968267], length 0 in slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094
10:25:00.492407 IP 10.1.1.15.80 > 10.1.1.14.43358: Flags [.], ack 11, win 1018, options [nop,nop,TS val 2516564255 ecr 1013071], length 0 out slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094
------------------------------------------------
It does show back-and-forth communication between the LTM and DVWA servers.
Any comment? Thx.
Br,
Sam Fok
21-Apr-2020 00:23
Check the status of the pool you are sending traffic to. In tcpdump output there you can see resets with cause No pool member available. So it looks like BIG-IP has marked all pool members as down and therefore the whole VS is unavailable.
23-Jun-2023 06:52
DVWA replies with a 302 by default. The monitor won't work in this case. If you turn on monitor logging on the pool member, you'll see a message something like this:
[0][13152] 2023-06-23 08:00:06.439883: ID 24 :(_do_ping): time to ping, now=[1687525206.439594][2023-06-23 08:00:06], status=DOWN [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525206.438613][2023-06-23 08:00:06] last_ping=[1687525201.468029][2023-06-23 08:00:01] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10609 rcv_cnt=0 ]
[0][13152] 2023-06-23 08:00:06.439973: ID 24 :(_send_active_service_ping): pinging [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=none ]
[0][13152] 2023-06-23 08:00:06.439988: ID 24 :(_connect_to_service): creating new socket (rd0) [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 ]
[0][13152] 2023-06-23 08:00:06.440059: ID 24 :(_connect_to_service): connect: Operation now in progress [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.440082: ID 24 :(_do_ping): post ping, status=DOWN [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=16 pend=1 #conn=1 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525211.438613][2023-06-23 08:00:11] last_ping=[1687525206.439594][2023-06-23 08:00:06] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10610 rcv_cnt=0 ]
[0][13152] 2023-06-23 08:00:06.440586: ID 24 :(_main_loop): Activity on pending service, now=[1687525206.440575][2023-06-23 08:00:06] [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 fd=16 pend=1 #conn=1 ]
[0][13152] 2023-06-23 08:00:06.440603: ID 24 :(_send_active_service_ping): pinging [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.440620: ID 24 :(_send_active_service_ping): writing [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ] send=GET /\x0d\x0aHTTP/1.1\x0d\x0aHost: \x0d\x0aConnection: Close\x0d\x0a\x0d\x0a
[0][13152] 2023-06-23 08:00:06.440641: ID 24 :(_send_active_service_ping): sent ping [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 mon=/Common/http_dvwa fd=16 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1687525211.438613][2023-06-23 08:00:11] last_ping=[1687525206.439594][2023-06-23 08:00:06] deadline=[1687525211.141953][2023-06-23 08:00:11] on_service_list=True snd_cnt=10610 rcv_cnt=0 ]
[0][13152] 2023-06-23 08:00:06.442031: ID 24 :(_main_loop): Service ready for read, now=[1687525206.441995][2023-06-23 08:00:06] [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 fd=16 pend=0 #conn=0 ]
[0][13152] 2023-06-23 08:00:06.442056: ID 24 :(_recv_active_service_ping): reading [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.442089: ID 24 :(_recv_active_service_ping): read failed [ tmm?=false td=true tr=false addr=::ffff:10.1.20.17:80 srcaddr=::ffff:10.1.20.231%0:46744 ]
[0][13152] 2023-06-23 08:00:06.442130: ID 24 :(shutdown_service) Closing logging file /var/log/monitors/Common_http_dvwa-Common_10.1.20.17-80.log
Adjust your monitor to look for the redirected URL:
GET /login.php\r\nHTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
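
Added example, not part of the thread and not F5 or DVWA code: a constructed local stand-in for the redirect behaviour described above, plus a monitor-style probe, showing why a check against `/` sees a 302 while `/login.php` returns 200. The `DvwaLike` handler, the `probe` helper, the `dvwa.test` host name, the standard-form request line and the rule that the status line must contain 200 are all assumptions standing in for a monitor's send and receive strings.

```python
import http.server
import socket
import threading

class DvwaLike(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: '/' redirects to login.php, '/login.php' returns 200."""
    def do_GET(self):
        if self.path == "/login.php":
            body = b"<title>Login :: DVWA</title>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", "login.php")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def probe(host, port, send, recv=b" 200 "):
    """Send a raw request; report 'up' only if recv appears in the status line (assumed rule)."""
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(send)
        data = b""
        while chunk := s.recv(4096):  # server closes after the response
            data += chunk
    status_line = data.split(b"\r\n", 1)[0]
    return recv in status_line, status_line.decode(errors="replace")

def run_checks():
    """Probe '/' and '/login.php' on the stand-in server; return {path: (up, status_line)}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), DvwaLike)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    tmpl = "GET {} HTTP/1.1\r\nHost: dvwa.test\r\nConnection: Close\r\n\r\n"
    results = {p: probe("127.0.0.1", port, tmpl.format(p).encode())
               for p in ("/", "/login.php")}
    srv.shutdown()
    srv.server_close()
    return results

if __name__ == "__main__":
    for path, (up, status) in run_checks().items():
        print(f"{path:12} {'UP' if up else 'DOWN':5} {status}")
```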