Forum Discussion

almudena_3796
Oct 08, 2013

F5 LTM VE 10.2.3: ip forward virtualserver

Hi all, I've got the following virtualservers:

 

    virtual vs_ERIF_1521 {
       translate address disable
       translate service disable
       ip forward
       destination 172.16.176.33:ncube-lm
       ip protocol tcp
       profiles profile_oracle {}
       vlans external enable
    }
    virtual vs_ERIF_1521_server {
       translate address disable
       translate service disable
       ip forward
       snat automap
       destination 172.16.176.33:ncube-lm
       ip protocol tcp
       profiles profile_oracle {}
       vlans internal enable
    }

 

The 172.16.176.33 IP belongs to a database. The application system gets "connection refused" when trying to access the database. The application system's default gateway is the F5. I would like to see if the F5 sends the "connection refused" response, and I think an iRule can help me, but I do not know how to develop it. Can you help me, please? Thx in advance

 

6 Replies

  • Just run a tcpdump on the F5 to see which side is initiating the RST packet, though it is almost certainly going to be your DB server:

     

    tcpdump -nni 0.0 host 172.16.176.33

     

    Connection refused likely means either the DB server isn't listening on 1521, or isn't allowing connections from your F5. This behavior would be indicated by the F5 sending a SYN packet, and the DB server responding with an immediate RST. You can post the output of the tcpdump here if you want the community to take a look.
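The check described in the reply above (a SYN toward the DB answered by an immediate RST), as an added example that is not part of the original thread. It assumes tcpdump text output in the `Flags [S]` style; the function name `classify_syns` and the sample lines (including every address other than 172.16.176.33) are constructed for illustration.

```python
import re

# Assumption: tcpdump -nn text output in the "Flags [S]" style.
PKT = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def classify_syns(lines, server="172.16.176.33", port=1521):
    """Map each 'ip:port' that sent a SYN to server:port to the first reply
    seen from that address: 'refused' (RST), 'accepted' (SYN-ACK) or 'no_reply'."""
    target = f"{server}:{port}"
    outcome = {}
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue  # ARP, ICMP, truncated or non-TCP lines
        src, dst, flags = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", m[5]
        if dst == target and flags == "S":
            # First SYN opens the flow; retransmitted SYNs keep the state.
            outcome.setdefault(src, "no_reply")
        elif src == target and outcome.get(dst) == "no_reply":
            if "R" in flags:
                outcome[dst] = "refused"    # immediate RST / RST-ACK
            elif flags == "S.":
                outcome[dst] = "accepted"   # SYN-ACK, port is listening
    return outcome

# Constructed sample capture (not taken from the thread).
SAMPLE = """\
10:15:01.000100 IP 10.10.1.20.40112 > 172.16.176.33.1521: Flags [S], seq 100, win 5840, length 0
10:15:01.000350 IP 172.16.176.33.1521 > 10.10.1.20.40112: Flags [R.], seq 0, ack 101, win 0, length 0
10:15:02.100000 IP 10.10.1.21.40200 > 172.16.176.33.1521: Flags [S], seq 200, win 5840, length 0
10:15:02.100400 IP 172.16.176.33.1521 > 10.10.1.21.40200: Flags [S.], seq 900, ack 201, win 5792, length 0
10:15:03.000000 IP 10.10.1.22.40300 > 172.16.176.33.1521: Flags [S], seq 300, win 5840, length 0
10:15:06.000000 IP 10.10.1.22.40300 > 172.16.176.33.1521: Flags [S], seq 300, win 5840, length 0
""".splitlines()

if __name__ == "__main__":
    for client, result in classify_syns(SAMPLE).items():
        print(f"{client:22} {result}")
```

A `no_reply` entry means the SYN was retransmitted without any answer from the DB address in the capture, which points at filtering or routing rather than a closed port.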

     

  • Thanks a lot for your quick answer, and sorry for my delay. Tomorrow, a network guy will have a look at the tcpdump. Anyway, is there an iRule to assign to an ip forward virtual server, so that I could see the client IP of each request that this ip forward virtual server receives? Thx a lot.

     

  • Yes, this is a simple one:

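    rule TCP_logging {
     when CLIENT_ACCEPTED {
      # Client side of the connection: source address and port
      set remote [IP::remote_addr]:[TCP::remote_port]
      # Destination the client connected to on this virtual server
      set vip [IP::local_addr]:[TCP::local_port]
      # One log line per accepted connection
      log "Rule TCP_logging fired, from $remote to vip $vip"
     }
    }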
    
  • Hi again, I am going to accept your offer, and I would like to send you the tcpdump files, but I do not know how. Can you help me, please? Thanks, Almu

     

    • Cory_50405
      Easiest way is probably to take a screenshot of the tcpdump or just paste the text output here. Just ensure the capture only includes the relevant traffic.