Forum Discussion

kashif_shahzad
Mar 05, 2018

F5 reverse proxy setup giving connection reset error.

Hi, I am new to F5 and trying to set things up. I have configured a reverse proxy setup for an application on F5. The application is running on a backend server on port 7080. I have created 2 virtual servers, HTTP and HTTPS. I have created an SSL profile and am using that in the HTTPS virtual server. I am trying SSL offloading as well.

The backend server is running the IIS application on port 7080. I have created the pool with a node listening on port 7080.

Is there anybody who can help me fix the problem? I followed this article to set it up: https://social.technet.microsoft.com/wiki/contents/articles/22687.configure-f5-big-ip-as-reverse-proxy-for-lync-server-2013-office-webapp.aspx

I have only one node. The F5 server is able to ping the backend server, but I don't see any traffic going from the F5 server to the backend server when I try the URL. The backend server is running in the local net; I have opened all the required ports in the firewall.

5 Replies

  • Hi,

    Many possible causes for this problem.

    You have an HTTP and an HTTPS virtual server. Is there an HTTPS redirect iRule configured on the HTTP virtual server?

    Is SNAT configured on the virtual server? A ping from the F5 uses the self IP of the F5 node as the source. If SNAT is configured, this SNAT address is used for connections to the backend server.

    You say you cannot see traffic from the F5. How did you check this? With a tcpdump on your F5 node? Or do you check the logging of the internal firewall?

    When you use the URL, do you see the correct virtual server being hit?

    I would use tcpdump to check if you see traffic coming in on the correct virtual server on the inbound interface and do the same on the outbound interface.

    Regards, Martijn.

  • here is the config:

    ltm virtual app-http { address-status yes app-service none auth none auto-lasthop default bwc-policy none clone-pools none cmp-enabled yes connection-limit 0 description "app reverse proxy" destination 195.x.x.x:http enabled fallback-persistence none flow-eviction-policy none gtm-score 0 ip-protocol tcp last-hop-pool none mask 255.255.255.255 metadata none mirror disabled mobile-app-tunnel disabled nat64 disabled partition Common per-flow-request-access-policy none persist none policies none pool Pool-app profiles { http { context all } tcp { context all } } rate-class none rate-limit disabled rate-limit-dst-mask 0 rate-limit-mode object rate-limit-src-mask 0 related-rules none rules { HTTPS-REDIRECT } security-log-profiles none service-down-immediate-action none service-policy none source 0.0.0.0/0 source-address-translation { pool none type automap } source-port preserve syn-cookie-status not-activated traffic-classes none translate-address enabled translate-port enabled transparent-nexthop none urldb-feed-policy none vlans none vlans-disabled vs-index 9 }

    ltm virtual app-https { address-status yes app-service none auth none auto-lasthop default bwc-policy none clone-pools none cmp-enabled yes connection-limit 0 description "app reverse proxy" destination 195.x.x.x:https enabled fallback-persistence none flow-eviction-policy none gtm-score 0 ip-protocol tcp last-hop-pool none mask 255.255.255.255 metadata none mirror disabled mobile-app-tunnel disabled nat64 disabled partition Common per-flow-request-access-policy none persist none policies none pool Pool-app profiles { SSL-app { context clientside } http { context all } tcp { context all } } rate-class none rate-limit disabled rate-limit-dst-mask 0 rate-limit-mode object rate-limit-src-mask 0 related-rules none rules { app } security-log-profiles none service-down-immediate-action none service-policy none source 0.0.0.0/0 source-address-translation { pool none type automap } source-port preserve syn-cookie-status not-activated traffic-classes none translate-address enabled translate-port enabled transparent-nexthop none urldb-feed-policy none vlans none vlans-disabled vs-index 10 }

    Pool Set Up

    ltm pool Pool-app { allow-nat yes allow-snat yes app-service none autoscale-group-id none description none gateway-failsafe-device none ignore-persisted-weight disabled ip-tos-to-client pass-through ip-tos-to-server pass-through link-qos-to-client pass-through link-qos-to-server pass-through load-balancing-mode round-robin
        members {
            app-node:http { address 10.1.2.82 app-service none connection-limit 0 description none dynamic-ratio 1 ephemeral false inherit-profile enabled logging disabled monitor default priority-group 0 rate-limit disabled ratio 1 session user-disabled state up fqdn { autopopulate disabled name none } metadata none profiles none }
            app-node:empowerid { address 10.1.2.82 app-service none connection-limit 0 description none dynamic-ratio 1 ephemeral false inherit-profile enabled logging disabled monitor default priority-group 0 rate-limit disabled ratio 1 session monitor-enabled state up fqdn { autopopulate disabled name none } metadata none profiles none }
        }
    }
    
  • That's a good question. I don't know about that yet; we have VSs defined in DMZ IP ranges and this backend server is defined in the local subnet.


  • Hi,

    That's the first thing you need to check. Check 'VLANs and Tunnels' in the virtual server configuration and see if the VS is enabled on the DMZ VLAN.

    If that is OK, use tcpdump to see if traffic is hitting this VS.

    Do the statistics of the virtual server increase when you access the URL?

    Martijn.
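As an added example (not from the thread or from F5), a small Python parser for the tmsh output posted above that reports the points Martijn's two replies ask about: the VLAN scope of each virtual server, SNAT, attached iRules, and each pool member's port and session state. SAMPLE is a trimmed copy of the posted config, and the function names are mine.

```python
import shlex

FLAGS = {"enabled", "disabled", "vlans-enabled", "vlans-disabled"}  # value-less tokens in tmsh output

# Trimmed copy of the tmsh output posted in the thread (constructed sample, not a live device)
SAMPLE = """
ltm virtual app-http { description "app reverse proxy" destination 195.x.x.x:http enabled pool Pool-app profiles { http { context all } tcp { context all } } rules { HTTPS-REDIRECT } source-address-translation { pool none type automap } vlans none vlans-disabled vs-index 9 }
ltm virtual app-https { destination 195.x.x.x:https enabled pool Pool-app profiles { SSL-app { context clientside } http { context all } tcp { context all } } rules { app } source-address-translation { pool none type automap } vlans none vlans-disabled vs-index 10 }
ltm pool Pool-app { load-balancing-mode round-robin members { app-node:http { address 10.1.2.82 monitor default session user-disabled state up } app-node:empowerid { address 10.1.2.82 monitor default session monitor-enabled state up } } }
"""

def _block(tokens, i):
    """Parse tokens following an opening '{' up to its matching '}'; return (dict, next index)."""
    out = {}
    while tokens[i] != "}":
        key, i = tokens[i], i + 1
        if tokens[i] == "{":                       # nested block, e.g. profiles { ... }
            out[key], i = _block(tokens, i + 1)
        elif key in FLAGS or tokens[i] == "}":     # bare flag or list entry, e.g. rules { app }
            out[key] = True
        else:                                      # plain key value pair
            out[key], i = tokens[i], i + 1
    return out, i + 1

def parse_tmsh(text):
    """Return {('ltm virtual', 'app-http'): {...}, ...} for every object in tmsh list output."""
    tokens, i, objs = shlex.split(text), 0, {}
    while i < len(tokens):
        j = tokens.index("{", i)                   # header is 'ltm virtual <name> {'
        objs[(" ".join(tokens[i:j - 1]), tokens[j - 1])], i = _block(tokens, j + 1)
    return objs

def check(objs):
    """Report the points raised in the replies: VLAN scope, SNAT, iRules, member port/state."""
    findings = []
    for (kind, name), cfg in objs.items():
        if kind == "ltm virtual":
            if "vlans-disabled" in cfg and cfg.get("vlans") == "none":
                findings.append(f"{name}: enabled on all VLANs (vlans none + vlans-disabled)")
            snat = cfg.get("source-address-translation", {}).get("type", "none")
            if snat != "none":
                findings.append(f"{name}: SNAT {snat}; backend firewall must allow the F5 self IP")
            for rule in cfg.get("rules", {}):
                findings.append(f"{name}: iRule {rule} attached")
        elif kind == "ltm pool":
            for member, m in cfg.get("members", {}).items():
                findings.append(f"{name}/{member}: port {member.rsplit(':', 1)[1]}, "
                                f"session {m.get('session')}, state {m.get('state')}")
    return findings
```

Run `check(parse_tmsh(SAMPLE))` against a `tmsh list ltm virtual` / `tmsh list ltm pool` dump to get the same report for your own objects; the member line makes a user-disabled member or an unexpected service port visible at a glance.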