Forum Discussion

Jeremy_18125 (Nimbostratus)
May 30, 2016

F5 ASM AWS backend sending connection reset.

I deployed a couple of F5 WAF in AWS in HA, the backend fails to load on the browser (reset), tcpdump shows we can get to the virtual server, and the curl can reach the web server from the LTM.

The deployment contains these IP addresses:

[external subnet]
  Self IP Address (priv)
  external_floating (s.priv)

[mgmt subnet]
  Mgmt Interfaces: Private IP
  EIP

[internal subnet]
  SelfIP (Internal sync)
  Internal Floating

[virtual server]
  EIP (Associate)
  Virtual Server (s.priv)
  Pool


The routing table & security group rules are all set and an Elastic IP has been associated with the secondary private address. Any ideas would be appreciated.
22 Replies

    • Jeremy_18125 (Nimbostratus)
      Thanks, Source Address Translation is set to automap, and all monitors are green. Software version is 12.0. This looks puzzling; also the LTM log shows an RST sent from the virtual server IP to the browser: [0x2019dac:3657] No route to host

          tmsh show /net rst-cause
          ---------------------------------
          TCP/IP Reset Cause
          RST Cause                      Count
          ---------------------------------
          Flow expired (sweeper)           202
          HA disconnect                      4
          No local listener                465
          No pool member available          14
          No route to host                 819
          No server selected                39
          TCP 3WHS rejected                 34
          TCP RST from remote system         4

      "No route to host" and "No pool member available" could have something to do with the pool subnet being different to the internal subnet, maybe.
    • Yann_Desmarest (Cirrus)
      Hi, you need to identify the cause precisely. In general, I run tailf /var/log/ltm at the same time as my test.
    • Yann_Desmarest (Cirrus)
      When using the curl command on the BIG-IP, the source address is the self IP, but connecting to the app through the VS forces the source address to the floating IP.
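A small triage helper for the two outputs Jeremy posted, the `tmsh show /net rst-cause` table and the `RST sent from ...` line in /var/log/ltm: it parses both and ranks the reset causes so the dominant one is checked first. This is an added example, not code from the thread or from F5; the log line, hostnames and addresses in it are constructed samples modelled on his description.

```python
import re
from collections import Counter

# Constructed sample of `tmsh show /net rst-cause` output, laid out like Jeremy's table (his counts).
SAMPLE_RST_CAUSE = """\
---------------------------------
TCP/IP Reset Cause
RST Cause                     Count
---------------------------------
Flow expired (sweeper)        202
HA disconnect                 4
No local listener             465
No pool member available      14
No route to host              819
No server selected            39
TCP 3WHS rejected             34
TCP RST from remote system    4
"""

# Constructed /var/log/ltm lines modelled on "RST sent from <VS IP> to <browser>, [code] cause"; made-up addresses.
SAMPLE_LTM_LOG = """\
May 30 10:12:01 bigip1 warning tmm[1234]: RST sent from 10.0.1.50:80 to 203.0.113.7:51234, [0x2019dac:3657] No route to host
May 30 10:12:02 bigip1 info tmm[1234]: unrelated message that must be ignored
"""

# A table row: a cause starting with a letter, two or more spaces, then the count.
ROW_RE = re.compile(r"^(?P<cause>[A-Za-z].*?)\s{2,}(?P<count>\d+)$")
# The RST log line: source, destination, the hex reason code, and its text.
RST_LOG_RE = re.compile(r"RST sent from (\S+) to (\S+), \[(0x[0-9a-f]+:\d+)\] (.+)$")

def parse_rst_cause(text):
    """Return {cause: count}; separator and header lines carry no count and are skipped."""
    causes = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            causes[m.group("cause")] = int(m.group("count"))
    return causes

def top_causes(causes, n=3):
    """Most frequent reset causes first, so triage starts with the dominant one."""
    return Counter(causes).most_common(n)

def parse_rst_log(text):
    """Extract (src, dst, code, cause) from every 'RST sent from' line in ltm log text."""
    return [m.groups() for m in map(RST_LOG_RE.search, text.splitlines()) if m]

if __name__ == "__main__":
    for cause, n in top_causes(parse_rst_cause(SAMPLE_RST_CAUSE)):
        print(f"{n:>5}  {cause}")
    for src, dst, code, cause in parse_rst_log(SAMPLE_LTM_LOG):
        print(f"RST {src} -> {dst} [{code}] {cause}")
```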
  • Hi Jeremy,

    Below is an iRule example I developed in 2014 to achieve the same feature as FQDN nodes:

    when HTTP_REQUEST {
      set host "www.myhostname.com"
      # Hold the request until the name lookup completes
      HTTP::collect
      # Resolve the hostname asynchronously; @x.x.x.x is the DNS server to query
      NAME::lookup @x.x.x.x $host
    }
    when NAME_RESOLVED {
      # NAME::response returns a list of addresses; use the first one
      set remoteip [lindex [NAME::response] 0]
      if { $remoteip != "" } {
        node $remoteip 80
      } else {
        log local0. "Hostname resolution failed !!!"
      }
      # Release the held request so it is forwarded to the selected node
      HTTP::release
    }
    when LB_FAILED {
      log local0. "Selected server [LB::server] did not respond."
    }

  • Aso (Nimbostratus)

    This thread basically saved me from days of headaches.

    I was going crazy over it; I had the same 2 VPC peering setup and 3-NIC F5 from https://clouddocs.f5.com/cloud/public/v1/aws/AWS_multiNIC.html.

    Adding this route wasn't mentioned anywhere and I couldn't get to it myself. Thank you guys from 5 years ago, hope you're doing well.