Forum Discussion
Yann_Desmarest
May 30, 2016 (Cirrus)
Hi,
Did you set the SNAT setting to Automap on the VS?
You can log the TCP reset reason in the ltm log file. Here is the link to AskF5: https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
The tmsh command to activate logging:
modify /sys db tm.rstcause.log value enable
- Jeremy_18125, May 30, 2016 (Nimbostratus): Thanks, Source Address Translation is set to automap, and all monitors are green. Software version is 12.0. This looks puzzling; also the LTM log shows RST sent from the virtual server IP to the browser, [0x2019dac:3657] No route to host.

tmsh show /net rst-cause

---------------------------------
TCP/IP Reset Cause
RST Cause:                  Count
---------------------------------
Flow expired (sweeper)        202
HA disconnect                   4
No local listener             465
No pool member available       14
No route to host              819
No server selected             39
TCP 3WHS rejected              34
TCP RST from remote system      4
---------------------------------

"No route to host" and "No pool member available" could have something to do with the pool subnet being different to the internal subnet, maybe.
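The two sources the thread uses to pin down a reset (the `tmsh show /net rst-cause` counters and the per-connection RST lines that `tm.rstcause.log` writes to /var/log/ltm) are small enough to parse and correlate offline. The following is an added example, not code from the thread or from F5: it parses both formats, ranks the causes, and counts RST events per cause and sending address so that the listener issuing the resets is visible. The counter table reuses the numbers posted above; the log lines are constructed (hosts, ports, and the syslog prefix are made up, only the `RST sent from ... [0x...:...] reason` shape follows the fragment quoted in the thread), and the set of "data-path" causes is the author's own grouping.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tmsh show /net rst-cause` output.
# The counts are the ones posted in the thread, not live data.
RST_CAUSE_OUTPUT = """\
---------------------------------
TCP/IP Reset Cause
RST Cause:                  Count
---------------------------------
Flow expired (sweeper)        202
HA disconnect                   4
No local listener             465
No pool member available       14
No route to host              819
No server selected             39
TCP 3WHS rejected              34
TCP RST from remote system      4
---------------------------------
"""

# Constructed /var/log/ltm lines modelled on the fragment quoted in the thread
# once tm.rstcause.log is enabled. Timestamps, hosts and ports are made up.
LTM_LOG = """\
May 30 10:01:12 bigip1 notice tmm[1234]: 01230140:5: RST sent from 10.0.1.50:443 to 203.0.113.7:51234, [0x2019dac:3657] No route to host
May 30 10:01:13 bigip1 notice tmm[1234]: 01230140:5: RST sent from 10.0.1.50:443 to 203.0.113.7:51235, [0x2019dac:3657] No route to host
May 30 10:01:15 bigip1 notice tmm[1234]: 01230140:5: RST sent from 10.0.1.50:443 to 203.0.113.9:40011, [0x2019dcb:3801] No pool member available
May 30 10:01:16 bigip1 notice tmm[1234]: 01230140:5: RST sent from 10.0.1.50:8080 to 198.51.100.4:33000, [0x1d3e9c5:1234] TCP RST from remote system
May 30 10:01:17 bigip1 notice mcpd[2345]: 01070638:5: Pool /Common/app_pool member /Common/10.0.2.20:80 monitor status up.
"""

# Author's grouping (an assumption, not an F5 category): causes that point at
# server-side routing / pool reachability rather than at clients or listeners.
# For a reset the browser sees, these are the ones to chase first.
DATAPATH_CAUSES = {"No route to host", "No pool member available", "No server selected"}

# A table row is "<cause text>  <count>"; headers and dashed rules have no
# trailing integer and therefore never match.
_TABLE_ROW = re.compile(r"^(?P<cause>\S.*?)\s{2,}(?P<count>\d+)\s*$")

# RST log lines: endpoints, the [0x<addr>:<line>] source marker, and the reason.
_LOG_LINE = re.compile(
    r"RST sent from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"\[(?P<loc>0x[0-9a-f]+:\d+)\] (?P<cause>.+?)\s*$"
)


def parse_rst_cause_table(text):
    """Return {cause: count} from `tmsh show /net rst-cause` output."""
    counts = {}
    for line in text.splitlines():
        m = _TABLE_ROW.match(line)
        if m:
            counts[m.group("cause")] = int(m.group("count"))
    return counts


def parse_ltm_rst_lines(text):
    """Return one dict per RST line in /var/log/ltm; non-RST lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LOG_LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def top_causes(counts, n=3):
    """Causes sorted by count, highest first."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def datapath_share(counts):
    """Fraction of all resets attributed to DATAPATH_CAUSES (0.0 if no resets)."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(c for k, c in counts.items() if k in DATAPATH_CAUSES) / total


def resets_by_cause_and_source(events):
    """Count RST events per (cause, sending IP) so the resetting listener stands out."""
    return Counter((e["cause"], e["src"]) for e in events)


if __name__ == "__main__":
    counts = parse_rst_cause_table(RST_CAUSE_OUTPUT)
    for cause, n in top_causes(counts):
        print(f"{n:5d}  {cause}")
    print(f"data-path share: {datapath_share(counts):.0%}")
    for (cause, src), n in resets_by_cause_and_source(parse_ltm_rst_lines(LTM_LOG)).items():
        print(f"{n:3d}  {src:<12} {cause}")
```

On a live box, feed the functions with `tmsh show /net rst-cause` captured before and after a single failing request and diff the two dictionaries; the counter that moved is the cause of that request's reset, which is more reliable than reading cumulative totals. Remember to disable `tm.rstcause.log` again once the capture is done, as the thread notes.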
- Yann_Desmarest, May 30, 2016 (Cirrus): Hi, you need to identify precisely the cause. In general, I run a tailf /var/log/ltm at the same time as my test.
- Yann_Desmarest, May 30, 2016 (Cirrus): When using the curl command on the BIG-IP, the source address is the self IP, but connecting to the app through the VS forces the source address to the floating IP.
- Jeremy_18125, Jun 01, 2016 (Nimbostratus): Thanks Yann, when I moved the instance to the same VPC (pool and internal now have the same subnet) it worked; however, peering two VPCs results in this failure even with opening up the security group.
- Jeremy_18125, Jun 01, 2016 (Nimbostratus): It's now working, by adding a default route in the WAF pointing to .1 of the public subnet (eth1). Routes (Network > Routes > New Route):
  Name: Type a unique name
  Destination: 0.0.0.0
  Netmask: 0.0.0.0
  Resource: Use Gateway
  Gateway Address: Type the gateway address, which is .1 of the public subnet (eth1) you created in AWS, such as 10.0.0.1
You need to configure a default gateway if you are peering two AWS VPCs. Thanks Yann.
- Yann_Desmarest, Jun 01, 2016 (Cirrus): Perfect, thank you for your answer. Don't forget to remove the logging of TCP reset cause. It can be costly on AWS :(
- Jeremy_18125, Jun 01, 2016 (Nimbostratus): Thanks Yann, but not perfect yet; the second phase is to change the pool IP and place an AWS ELB behind the WAF. I configured the ELB, identified by FQDN, as the pool, hoping the WAF will identify each pool member using DNS lookup. However, the FQDN node's health monitor is marked down for reasons unknown. Your thoughts?
- Yann_Desmarest, Jun 01, 2016 (Cirrus): What is the result if you try a curl command on the pool member from the CLI of the BIG-IP? Can you post your health monitor? What are the settings of the pool?
- Jeremy_18125, Jun 02, 2016 (Nimbostratus): Curl works from the F5 CLI to the backend. But according to F5 support, FQDN nodes for route domains are not supported in all versions of F5. There is a request for enhancement that was created by Product Development to track this issue as ID 522465, and it is due to be fixed in the next major version due out in Winter 2016. Additional information: https://devcentral.f5.com/questions/fqdn-nodes-in-non-default-partitions Not happy ;(