Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral


Questions and Answers

Loading... Loading...

Hello,

I've a Direct Access test lab with a weird problem that I'm unable to resolve.

During setup I've configured a VIP for IPHTTPS as per F5 & UAG guide. (http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf)

The VIP type that I used is Perfomance (Layer 4) as mentioned in the guide.
However, when clients from the internet tries to establish an IPHTTPS tunnel to one of my DA servers it fails with the following error:

Interface Status: failed to connect to the IPHTTPS server. Waiting to reconnect

But:

If I change the type of the VIP from Performance (Layer 4) to Performance (HTTP), then clients connections starts working just fine.
It does take too long until a connection is established but eventually it works.


I was wondering how can I make it work when VIP is configured with Performance (Layer 4)?

Thanks in advance,
JrMaster

3 Answer(s):

My guess is that your servers are not sending reply traffic back through the BIG-IP. One of the features of the Performance HTTP profile is to automatically translate the source address of the connection from the client's real address to an address owned by the BIG-IP (in BIG-IP parlance, this behavior is called "SNAT"). You can achieve the same behavior with a Performance L4 profile by manually enabling SNAT on the virtual server.

Here's a link to the portion of the BIG-IP configuration guide that covers SNATs:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_snat.html

Hope this helps!
Thanks Erick! I will give it a shot and let you know how it went.

I was wondering though if using SNATs is a requirement? it is not mentioned anywhere in the guide...

Thx,
JrM
Worked like a charm! Thanks!!!

Your answer:

You must be logged in to reply. You can login here.