
Unable to connect to virtual server with curl -v xx.xx.xx.xx:8443 or 443

Anup_Km
Nimbostratus

Hi,

I have created one Virtual Server in LTM Big IP F5 BIG-IP 14.1.0.2 Build 0.0.4 Point Release2

Port number I used while creating is 443 https service. Also Pool Members are from different subnets than Virtual Server; hence no SNAT auto map is used.

I get output when I run the same command for the Pool member IP with Service port 8443, as at server end 8443 port is assigned. However, when I run the command with 8443 and 443, it does not produce any output. It gives me an error of Connection refused. Given below are the logs of the output.

logs:

* Rebuilt URL to:
* Trying xx.xx.xx.xx...
* connect to xx.xx.xx.xx port 443 failed: Connection refused
* Failed to connect to xx.xx.xx.xx port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to xx.xx.xx.xx port 443: Connection refused

6 REPLIES

Hello, please do more investigation, as it could be many things, such as the web server not allowing the traffic and so on. Also, the pool member being in a different subnet than the VIP, or even the F5 device not having a direct subnet to the pool member, does not affect SNAT, as the F5 self IP is used for the server connection. Maybe you need to read:

https://support.f5.com/csp/article/K7336

https://support.f5.com/csp/article/K99422936

 

For HTTP/SSL issues check:

https://community.f5.com/t5/technical-forum/knowledge-sharing-troubleshooting-investigating-ssl-and-...

Anup_Km
Nimbostratus

I did some additional checks that Virtual IP is reachable from Server, and I am also able to run curl command for Server IP; it gives me Handshake results.

One strange thing: when I telnet Virtual IP from inside F5 CLI it does not allow me inside. However, when I try to telnet Server Pool IP I get to prompt. It is very different behaviour as virtual IP is only present on F5 device itself.

Still I am not able to telnet it with port 8443 or 443 whichever I configure.

Again, the F5 uses a self IP to talk to the server, not the VIP address that is for the client. Please see what I provided and maybe check:

https://support.f5.com/csp/article/K17333

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-...

No. I am not taking to telnet F5 Virtual Interface from Putty or any management Server.

I have already taken CLI inside working LB through its management IP.

I tested telnetting another virtual Server configured in same LB with Virtual IP with command

telnet xx.xx.xx.xx 443 ........................ it works

However, for this particular Virtual Server, when I do same with telnet xx.xx.xx. 8443 or 443 it does not work.

Mentioned Articles I went through; they are not relevant for this issue.

As SSL Certificate is not terminated on F5 for Server I am having issue with on LTM.

Management routes and Management IP are totally different from Virtual IP instance.

Routing will not take any part in performing telnet to same IP which is only virtual instance in BIG IP F5. Other working Virtual Server IPs are allowing me to telnet inside (at least I am getting prompt) from inside CLI login of same BIG IP F5. With this particular Virtual Server IP there is an issue. Even Pool members which are configured with 8443 Port are allowed to be telnetted when performed from CLI prompt of BIG IP F5; only self IP does not give telnet enable with port 8443 or 443. There must be some configuration issue with this Virtual Server, but I tested all configuration.

Including SNAT: Client Profile; Server Profile; VLAN setting; all are as per working Virtual server only; but when I run Curl command or telnet session of Virtual server IP it gives connection refused; that means port 8443 or 443 is not allowing to set up telnet connection.

I would 100% perform a packet capture on F5 and check both client-side and server-side flows to see where the drop comes from.

If F5 actively rejects the configuration, there might be some misconfiguration. Are you running HTTP profile on an HTTPS virtual server without SSL certs by any chance? This would be a problem because F5 tries to retrieve standard HTTP headers but only sees encrypted data.
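
The thread turns on where the refusal comes from, so the following added example (not code from any poster or from F5) classifies a connection attempt as refused, timed out, open without TLS, or TLS-capable, which lets the virtual server address and a pool member be compared side by side. The function names and the loopback listener are constructed for illustration.

```python
import errno
import socket
import ssl
import threading

def probe(host, port, timeout=3.0):
    """Classify one TCP connect, then try a TLS handshake if the port opens."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"       # a RST came back (what curl reports as error 7)
    except socket.timeout:
        return "timeout"       # no answer: filtered, dropped, or no return path
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # diagnostics only: we want to know whether
    ctx.verify_mode = ssl.CERT_NONE    # TLS is spoken, not whether the cert is valid
    try:
        with ctx.wrap_socket(sock) as tls:
            return "tls:" + str(tls.version())
    except (ssl.SSLError, OSError):
        return "open-no-tls"   # TCP accepted, but the peer did not answer with TLS

def start_plain_listener():
    """Constructed sample target: a loopback listener that answers in plaintext."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                               # swallow the ClientHello
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Constructed sample target: a loopback port with no listener."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    # Replace these constructed targets with the VIP and pool member under test.
    for name, port in (("plain listener", start_plain_listener()),
                       ("closed port", closed_port())):
        print(name, "->", probe("127.0.0.1", port))
```

A "refused" result for the virtual server alongside a "tls:" result for the pool member places the reset on the client side of the load balancer, which is the flow to look at first in the packet capture.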