Unable to telnet to the VIP but ping works

parvez_70211
Nimbostratus

Hi,

I have an issue where we have a VIP configured to listen on port 443. VIP status is up. We are able to ping the VIP, but telnet to port 443 isn't working. Did a packet capture and found SYN packets flowing into the LTM but see no SYN-ACK response going out. Port lockdown has been set to allow all and it's a standard VIP.

ltm virtual /Common/cloudv1.test_443 {
    destination /Common/10.10.10.5%1:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/test_pool
    profiles {
        /Common/uat_ssl {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

Also, I tried to telnet to the self IP on the LTM on port 443, but it isn't responding either.

[root@LTMnew:Active:Standalone] config rdexec 1 telnet 10.10.10.5 443
Trying 10.10.10.5...
^C
[root@LTMnew:Active:Standalone] config rdexec 1 telnet 10.10.10.2 443
Trying 10.10.10.5...
telnet: connect to address 10.10.10.5: Connection refused
[root@LTMnew:Active:Standalone] config

Product: BIG-IP
Version: 11.5.1
Build: 5.0.147
Sequence: 11.5.1.5.0.147.0
BaseBuild: 0.0.110
Edition: Hotfix HF5
Date: Wed Oct 1 12:10:21 PDT 2014
Built: 141001121021

Do you think I missed some setting on the LTM?

10 REPLIES

What_Lies_Bene1
Cirrostratus
Any packet filters in play? AFM installed? Auto Last Hop disabled?

parvez_70211
Nimbostratus

Packet filter disabled. AFM not installed. Auto Last Hop enabled globally and default setting at the VIP level.

parvez_70211
Nimbostratus

We have ASM installed but the license has expired. Could this be an issue?

What_Lies_Bene1
Cirrostratus

Thanks. The VS isn't associated with ASM in any way based on the config output you posted, so I doubt it, but worth double-checking.

No http profile assigned I see, is that by design?

I assume routing is configured such that the F5 routes back to wherever you're testing from, via the same interface?

FYI, the Port Lockdown setting has no bearing where Virtual Servers are concerned.

nathe
Cirrocumulus
Are you able to run tcpdump and see where this SYN-ACK might be? I also agree with WLB - you might want to double-check the routing side of things too.

parvez_70211
Nimbostratus

Nathan/WLB, thanks for your response.

I don't think there is an issue with the routing here because I'm trying to telnet to the VIP from the same load balancer and the port does not open.

Also, when I tried to telnet to the VIP from an outside machine, tcpdump on the LB shows only SYN packets coming in and no SYN-ACK or any other packets leaving the interface.

I had one more query: the VIP is listening on port 443, the pool members on 80, and translation is enabled. I found the client SSL cert to be missing. I know this is an issue, but telnet to the VIP on port 443 from the same LTM should show open, correct? NOTE: VIP status is available. No issues with the interface.

Whatever the SSL configuration, you should still see the 3 way handshake first, before SSL/TLS negotiation can start.
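
Added example (not part of the original thread): a small Python probe that reports the TCP result and the TLS result separately, so the three outcomes discussed above (SYN unanswered, "Connection refused", and a completed 3-way handshake whose TLS negotiation then fails) can be told apart. The names `probe` and `demo` are hypothetical, and the loopback sockets in `demo` are constructed stand-ins, not a BIG-IP.

```python
import socket
import ssl


def probe(host, port, timeout=2.0):
    """Return (tcp_state, tls_state) for one endpoint.

    tcp_state: "open" (SYN-ACK seen), "refused" (RST seen), "filtered"
    (SYN unanswered) or "error:<name>"; tls_state is None unless TCP opened.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "filtered", None
    except OSError as exc:
        return "error:" + type(exc).__name__, None
    # The 3-way handshake is done; TLS is judged separately from here on.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # reachability check only,
    ctx.verify_mode = ssl.CERT_NONE  # not a certificate trust decision
    try:
        with ctx.wrap_socket(sock):
            return "open", "ok"
    except OSError as exc:  # ssl.SSLError and handshake timeouts
        return "open", "failed:" + type(exc).__name__
    finally:
        sock.close()


def demo():
    # Constructed loopback stand-ins: a listener that completes TCP but
    # never answers the TLS ClientHello, and a port with nothing bound.
    plain = socket.socket()
    plain.bind(("127.0.0.1", 0))
    plain.listen(1)
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()
    try:
        return (probe("127.0.0.1", plain.getsockname()[1], timeout=1.0),
                probe("127.0.0.1", closed_port, timeout=1.0))
    finally:
        plain.close()
```

A "filtered" result corresponds to the capture described in this thread, where SYN packets arrive and nothing is sent back; "refused" corresponds to the "Connection refused" seen from the LTM itself.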

Tushar_129950
Nimbostratus

Hey guys,

Did you get any resolution on this problem? Recently I am having a similar problem: from the client machine, I can see packets coming to the VS, and tcpdump shows the LTM VS not responding to SYN.

I can ping the VS from the client machine. The only difference between the above and my issue is that I am able to telnet on port 80 from the LTM itself.

mkratochvil
Cirrus

Same issue here. Telnet to VIP IP/port returns "Connection refused", telnet to pool member IP/port works. Ping to VIP works.

No AFM, no ASM, no packet filters, auto last hop default.

Other VIPs work fine.

Anup_Km
Nimbostratus

Hi all, I have encountered this same issue. Has anyone found a solution for this?