Unable to telnet VS IP from PC on the same network.

Hi,

We have configured a standard VS with IP 10.2.5.69:80 and a pool of 10.2.40.121 (service is 80). Pool and VS status is enabled/UP, but when we try to telnet to the VS IP from a test PC (10.2.5.50), which is on the same network as the VS, telnet fails.

Other isolation steps performed:

1. Telnet to the VS IP from the F5 CLI. Result: telnet is successful.
2. Telnet from the F5 to the backend server using port 80. Result: telnet is successful.

Why is telnet from the same network as the VS IP failing? From tcpdumps, the VS IP is sending RST.

VS config below:

ltm virtual /Common/VS_FuelCareer {
    destination /Common/10.2.5.69:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/FuelCareer
    profiles {
        /Common/Fuel_Career {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /Common/10.2.5.69 {
    address 10.2.5.69
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-local-only
}

Thanks.

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi, it seems like there are some Access Policies that are restricting Telnet from completing in your case. Check out 'F5RST: Policy Action' in your packet capture screenshot.

Comments on this Answer
Comment made 06-Jun-2017 by iamcejiro 56

Test PC and VS IP are on the same network (like a back-to-back connection). No policy between the two.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Check a couple of things:

1) Make sure your self IPs are not duplicated; verify the ARP from the switch for all IP & MAC addresses.

2) Is there any inline device between the client & F5? Also verify the client PC subnet mask & gateway: is this part of the same VLAN or a separate VLAN (10.2.5.0/24)?

3) Did you apply the standard HTTP profile?

4) Is the VS status green? What about the pool health check, is it green?

Comments on this Answer
Comment made 06-Jun-2017 by iamcejiro 56

1) Make sure your self IPs are not duplicated; verify the ARP from the switch for all IP & MAC addresses. Answer: Will check this on our next visit.

2) Is there any inline device between the client & F5? Also verify the client PC subnet mask & gateway: is this part of the same VLAN or a separate VLAN (10.2.5.0/24)? Answer: No inline device between client & F5. Client PC and VS IP are on the same VLAN, 10.2.5.0/28.

3) Did you apply the standard HTTP profile? Answer: Yes.

4) Is the VS status green? What about the pool health check, is it green? Answer: VS and pool status is green.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Try to reset the rst-cause stats: tmsh reset-stats net rst-cause

Then run: watch -n 1 tmsh show net rst-cause

Then try to connect and see which counter was increased. Based on that, it will be easier to find out why the F5 is resetting the connection.

For sure ARP is working for you, as the SYN is delivered to the F5 and there is an RST reply from the F5.

I am suspecting that:

profiles { /Common/Fuel_Career { context clientside }

means that you have a clientssl profile attached to the VS, or am I wrong here? If so, when you try to telnet, the connection will be rejected as well, but after the 3WHS.

Seems like some Packet Filter or AFM rule is responsible.

If the first, then in rst-cause you will see an increase in the Packet filter (reject) counter.

This is likely because the connection initiated from the F5 CLI is not rejected by the Packet Filter.

Piotr

Comments on this Answer
Comment made 06-Jun-2017 by iamcejiro 56

Already tried to remove the profile (sslclient) but got the same results. Will try to run the mentioned command and check.

Thank you.
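
The last answer above separates a reset sent in reply to the SYN (which it ties to a packet filter or AFM rule) from one sent after the 3WHS (which it expects with a clientssl profile). The following is an added example, not part of the original thread, that reports which of the two a client sees; the function and helper names are hypothetical, and the loopback targets are constructed so it runs offline.

```python
import socket
import struct
import threading

def classify_connect(host, port, timeout=3.0, probe=b"GET / HTTP/1.0\r\n\r\n"):
    """Report at which stage of the TCP exchange the peer rejected us."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "rst-to-syn"              # RST answered the SYN, no handshake
    except (socket.timeout, TimeoutError):
        return "no-reply"                # SYN was silently dropped
    with sock:
        try:
            sock.sendall(probe)          # handshake done, now send data
            data = sock.recv(1024)
        except (ConnectionResetError, BrokenPipeError):
            return "rst-after-handshake"
        except (socket.timeout, TimeoutError):
            return "open-no-response"
        return "answered" if data else "closed-after-handshake"

def closed_port():
    """Constructed target: a loopback port with no listener behind it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def resetting_listener():
    """Constructed target: completes the handshake, then aborts with RST."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # In the thread's setup the target would be the VS at 10.2.5.69, port 80.
    print(classify_connect("127.0.0.1", closed_port()))
    print(classify_connect("127.0.0.1", resetting_listener()))
```

Run from the test PC against the virtual server, the result can be read alongside the counter that increases in tmsh show net rst-cause.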
