We have a vertical Kubernetes cluster and put an F5 (GTM/LTM) in front of the cluster. Service-to-service calls go to GTM/LTM before going to the microservice (workload/pod):
service A -> GTM/LTM -> service B
We have a problem that the call from service A cannot reach service B (Failed to connect). How can we debug/log from the GTM/LTM side (the network team cannot see the data packets because they're encrypted)?
Any advice would be appreciated.
So let's break this down, from this flow:
service A -> GTM/LTM -> service B
Can you confirm you have GTM set up with a suitable FQDN? So we are checking DNS.
So from service A, can you nslookup the FQDN you want to get to and get the IP address you are expecting, which is hopefully your LTM VS VIP?
Lastly, before we dig deeper, if you get a good IP back, can you ping that IP?
Also check your service A server's DNS config - is it pointing to the correct place?
@kismiss In addition to what @PSFletchTheTek has asked, can you verify that the communication between service A and service B has to pass through the GTM/LTM in order to communicate between those two services? If the F5 is not in the path between those two services, you will have to configure SNAT on the virtual server in question from service A to service B, because that could be what is causing the issue. When configuring SNAT, I recommend using a SNAT pool that uses the IP of the virtual server that service A is attempting to connect to rather than AutoMap.
@kismiss In addition to @Paulius's verification request, and if I understand correctly, you will need to configure the virtual server on the LTM module to do the destination NAT to allow service A to reach service B.
And if you can share the topology design, that will be useful in understanding the issue, as I think you use the F5 LTM/GTM modules to work as link controller functions.
Sorry, I need to clarify that this connection problem happens intermittently. Connections from service A to service B have actually already been established and many of them have connected successfully. However, there are some failed connections found in the service log, which is what I meant in the previous question. Therefore, I want to ask how to log/trace from the F5.
@kismiss Which type of virtual server did you configure to make service A reach service B?
And you can use this command to check the connection between A and B:
tcpdump -envi 0.0:nnnp -s0 host <ip of service A or ip of service B>
Or you can run this command to take a packet capture file:
tcpdump -envi 0.0:nnnp -s0 -w /var/tmp/filename.pcap host <ip of service A or IP of service B> and then use the WinSCP program to connect to the LTM and check the capture file.
You can also try making the F5 behave like a web browser by using the cURL command (see URL):
curl -kv https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP>
The cURL help is your friend
Some of the more common options are:
-v for verbosity
-k to ignore certificate issues
-d to issue a POST with POST payload data: curl -vk https://www.example.com/foo -d 'user=admin&password=admin'
-X to explicitly define the request method: curl -vkX POST https://www.example.com/foo/bar -d 'user=admin&password=admin'
The -v option is going to be your best tool for troubleshooting monitors. You'll of course want to perform captures to see what the monitor is actually sending and receiving, and curl -v will allow you to simulate these requests.
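Once a capture like the tcpdump one suggested above has been taken on the LTM for service A's IP, the intermittent failures still have to be picked out of many successful handshakes. As an added example (not from the thread or from F5), this Python script pairs each client SYN in tcpdump text output with its SYN-ACK or RST and lists the flows that were never answered or were reset; the sample lines are constructed in the shape of `tcpdump -nn` TCP output, not a real capture.

```python
import re

# Matches the standard tcpdump TCP summary "src.port > dst.port: Flags [S]";
# search() ignores whatever precedes it (timestamp, -e link-layer fields,
# or the extra annotations BIG-IP adds with the :nnn interface modifier).
TCP_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def triage(lines):
    """Return {flow: verdict} for every client-initiated flow in the capture.
    flow = (client, cport, server, sport); verdict is 'ok' (SYN-ACK seen),
    'reset' (RST returned before any SYN-ACK) or 'no-syn-ack' (SYN unanswered,
    e.g. retransmitted until the client gave up)."""
    state = {}
    for line in lines:
        m = TCP_RE.search(line)
        if not m:
            continue
        src, sp, dst, dp, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":                         # client SYN opens (or retries) a flow
            state.setdefault((src, sp, dst, dp), "no-syn-ack")
            continue
        flow = (dst, dp, src, sp)                # reply direction: swap the two ends
        if state.get(flow) == "no-syn-ack":
            if "S" in flags and "." in flags:    # SYN-ACK: handshake was answered
                state[flow] = "ok"
            elif "R" in flags:                   # RST: server or LTM refused the connect
                state[flow] = "reset"
    return state

def failed_flows(lines):
    """Only the flows a service log would report as 'Failed to connect'."""
    return {f: v for f, v in triage(lines).items() if v != "ok"}

# Constructed sample: one good handshake, one reset, one SYN retried with no reply.
SAMPLE = """\
10:00:01.000 IP 10.10.1.5.43120 > 10.20.0.9.443: Flags [S], seq 1, win 64240, length 0
10:00:01.001 IP 10.20.0.9.443 > 10.10.1.5.43120: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:01.002 IP 10.10.1.5.43120 > 10.20.0.9.443: Flags [.], ack 1, win 502, length 0
10:00:02.000 IP 10.10.1.5.43121 > 10.20.0.9.443: Flags [S], seq 1, win 64240, length 0
10:00:02.001 IP 10.20.0.9.443 > 10.10.1.5.43121: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:03.000 IP 10.10.1.5.43122 > 10.20.0.9.443: Flags [S], seq 1, win 64240, length 0
10:00:04.000 IP 10.10.1.5.43122 > 10.20.0.9.443: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for flow, verdict in failed_flows(SAMPLE.splitlines()).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

Run it over the text form of the capture (tcpdump -r file.pcap -nn) and compare the timestamps of the flagged flows with the failures in service A's log; a reset points at the LTM or pool member, an unanswered SYN at the path in front of the virtual server.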