Forum Discussion

Domel_163525
Jul 11, 2014

Requests are not being passed from Virtual Server to the pool member

Hi Guys,

I'm new to F5 and just trying to set up a simple virtual server on custom port 20453.

My_Pool with pool members X.X.X.X:20453

I have created a virtual server Y.Y.Y.Y:20453 with a default pool of My_Pool.

When trying to access Y.Y.Y.Y:20543 externally (Internet) I'm not getting anywhere.

Statistics on the F5 show that the Virtual Server receives some data, but if I check statistics for the pool there is no data being forwarded to the pool member.

What am I missing here?

I have only one server in the pool, which is up (I have created a custom monitor to check port 20543), load balancing method round robin, ratio, etc. - I have tried a couple of them and still the same.

12 Replies

  • nathe

    Is the BIG-IP the default gateway for the pool members? If not, in the VS configure Address Translation (SNAT). Select AUTOMAP and see if that works.

    N

  • A couple of things I'd look at:

    1. Firewall issues? You may see some data in statistics, but it may not be the traffic coming from an external client. Test with a tcpdump capture to make sure you're actually seeing this traffic at the front door.

      tcpdump -lnni 0.0 port 20543

    2. SNAT issues? If you see the traffic coming to the VIP, and you also see traffic going to the pool member, look at the source address in the data flowing to the pool member. Is it the client's true source? If so, does the server have a route out that it will attempt without going back through the F5? Apply a simple SNAT Automap profile to the virtual server and see what that does. You should see the F5's self-IP address as the source address going to the pool member.

    3. Internal routing? Does the F5 have a route to the pool members? Can you ping them from the F5's management shell?

  • Hello guys,

    Thanks for your answers.

    The AutoMap is on as the F5 is not a default gateway for my servers.

    Routing is also fine as I can reach the F5 from the servers and the servers from the F5.

    I will use tcpdump to see what is happening and let you know.

  • Ok, I have done some more tests...

    So we have a server which is listening on port 20450 (web browsers) and 20453 (Apple app).

    When I configure the virtual server with port 20450 and default pool with the server_ip:20450 it seems to be working externally. I just go to my web browser and type server_ip:20450. It also works internally.

    When I configure the virtual server with port 20453 and default pool with the server_ip:20453 it doesn't work externally using the app on iPad, but it works internally using the same app.

    What is it I'm missing on the F5 that it doesn't like the app to go thru it??

  • Ok, I have figured it out.

    It was not working as the HTTP Profile was still set to http. I have changed it to "None" and the app works, but the web browser probably won't.

    I would like to make it more secure; for example, I would like to use port 443...

    How would you guys do it if I cannot select an HTTP profile?

    So I was planning to create VS_MyServer on port 443 but the pool will have server_ip:20450.

    That should be auto forwarded to the pool member without creating a special iRule, but it won't work as the HTTP profile would have to be selected.

    Any ideas? Can I create a custom SSL Client Profile for this?

    If yes, how would you do it?

    • slesh_219299

      Hi guys, I would like to renew this post due to my question. Can someone answer why the VIP doesn't want to pass traffic through while an HTTP profile is set and there are no iRules and certs? I know that you need those profiles when you want to add a cert or iRules etc. But I can't find info which will answer my question in detail.

      For example: VIP with port 8500 and also pool members :8500, automap is set.

    • KeesvandenBos

      Is the traffic HTTP traffic or not? Can you test it without the HTTP profile?

      Cheers,

      Kees

    • slesh_219299

      Sorry, I can't test it; it would involve a lot of 3rd party guys to make it happen. Can we just ... pretend if the traffic is or is not HTTP? How should this really work?

  • Hi Guys,

    I also have the same issue. I could see now connections are enabled and data is not received in the application.

      F5(Active)(/Common)(tmos)show sys connection | grep 10.23.222.166
      Really display all connections? (y/n) y
      10.21.151.125:58263 10.23.222.166:6601 10.23.219.2:58263 10.23.219.75:6601 tcp 32 (tmm: 0) none
      10.21.151.125:58219 10.23.222.166:6601 10.23.219.2:58219 10.23.219.75:6601 tcp 15 (tmm: 0) none
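
Added example, not part of any post in this thread: the SNAT check from step 2 of the troubleshooting reply, applied to connection-table lines like the two quoted in the last post. The column order (client, virtual server, server-side source, pool member, protocol, idle seconds) is an assumption about the `show sys connection` layout, and the third sample line is constructed.

```python
import re

# First two entries are the connection lines from the post above; the third is a
# constructed entry (documentation addresses) showing a flow with no SNAT.
# Assumed column order: client, virtual server, server-side source, pool member,
# protocol, idle seconds. IPv4 only.
SAMPLE = """\
Really display all connections? (y/n) y
10.21.151.125:58263 10.23.222.166:6601 10.23.219.2:58263 10.23.219.75:6601 tcp 32 (tmm: 0) none
10.21.151.125:58219 10.23.222.166:6601 10.23.219.2:58219 10.23.219.75:6601 tcp 15 (tmm: 0) none
192.0.2.10:40000 198.51.100.5:20453 192.0.2.10:40000 203.0.113.7:20453 tcp 3 (tmm: 1) none
"""

EP = r"(\d+\.\d+\.\d+\.\d+):(\d+)"
ROW = re.compile(rf"^{EP}\s+{EP}\s+{EP}\s+{EP}\s+(\w+)\s+(\d+)\b")


def parse_connections(text):
    """Return one dict per connection-table line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        g = m.groups()
        client, virtual = (g[0], int(g[1])), (g[2], int(g[3]))
        ss_source, member = (g[4], int(g[5])), (g[6], int(g[7]))
        rows.append({
            "client": client, "virtual": virtual,
            "server_side_source": ss_source, "pool_member": member,
            "protocol": g[8], "idle": int(g[9]),
            # SNAT in effect when the pool member sees a source other than the client.
            "snat": ss_source[0] != client[0],
        })
    return rows


def report(rows):
    """One line per flow: what the pool member sees as the source address."""
    out = []
    for r in rows:
        seen = r["server_side_source"][0]
        note = "SNAT applied" if r["snat"] else "no SNAT: replies must route back via the BIG-IP"
        out.append(f"{r['client'][0]} -> {r['pool_member'][0]}:{r['pool_member'][1]} "
                   f"seen as {seen} ({note})")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_connections(SAMPLE))))
```

For the two quoted entries the pool member sees 10.23.219.2 rather than the client address, so SNAT is in effect and the server-side flow exists; the missing application data has to be looked for elsewhere.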