Dayesh_263997
Dec 06, 2018
Solved

Client request not hitting the VIP.

Hello Team,

The client is initiating a request on HTTP/HTTPS and needs to access contents from the backend server on port 5432.

Line layout:

Client---HTTP--->VIP(VS listening on port 80)---Auto-map->----->Nodes (Port 5432)

I have configured the VS listening on port 80 and nodes on port 5432. Port translation is enabled.

Importantly, the client is able to ping the VIP IP.

As soon as I disable the VS, the client's access to HTTP stops (i.e. connection refused). On enabling it, HTTP access is through but I don't see any traffic statistics on BIG-IP. This surely confirms traffic is hitting BIG-IP; however, traffic statistics contradict this fact.

Can you advise further troubleshooting on this scenario?

Thanks,

Dayesh

4 Replies

  • Hey Dayesh

    I'm afraid ping is not a sufficient tool to test this. You could have a global policy that allows ping but blocks HTTP to that particular VS. That way you can ping the VS but you will not be able to access the VS or generate statistics.

    The best way to actually make sure routing and firewall policies are correct is to run telnet to the VS and define the port 80. For instance:

    telnet [VS IP] 80

    If it's not successful, then you'll know that there is something not allowing the traffic to the VS. If it's successful you will know that traffic reaches the VS and it should generate statistics. In this case there is something on the BIG-IP that prohibits the traffic.

    Also, you can perform a tcpdump on the BIG-IP while doing it and see the traffic hitting the VS in real time. Just log on to SSH of the BIG-IP and run the following command:

    tcpdump -i 0.0 host [VS IP]

    I hope this helps!

    Let us know how it goes. 🙂

  • Hi,

    Can you try to reach the backend from CLI:

    curl -i http://1.1.1.1:5432/uri -H "Host: myapp.domain.com"

    Where:

    • 1.1.1.1 will be your backend IP
    • myapp.domain.com will be the hostname used to reach your app
    • and uri will be the URI of your app.

    It will allow you to check if you receive anything (body/header).

    Keep me updated.

    Regards,

  • If you could post your configs, that would help. Please see if you are using SNAT or a two-arm deployment. If using SNAT, make sure the SNAT IP can reach the backend servers. If not using SNAT, snat exception, make sure to check the servers are configured with F5 as gateway.

    Check the routes F5 is taking to servers: ip route get serverip

    Issue telnet from F5: telnet serverip port

    If you run a capture with the -s0 option it would capture the backend traffic and you can see if the TCP handshake is completing or not.

    • Dayesh_263997

      Hi Pushkar,

      Traffic group was configured to select adjacent LTM as the active device. I can see the traffic hitting that LTM now with accurate statistics.

      Things are working fine now as expected. Thanks for your response.

      Regards,

      Dayesh
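
The replies above suggest capturing traffic and checking whether the TCP handshake completes on the client side and on the backend side. The following is an added example, not part of the original thread: a small parser that classifies each flow in `tcpdump -nn` text output as established, unanswered, or reset. All addresses and capture lines are constructed (10.0.0.100 stands for the VS, 10.0.1.1 for the auto-map source address, 10.0.1.20 and 10.0.1.21 for the nodes).

```python
import re

# Constructed sample of `tcpdump -nn` text output; not taken from the thread.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.51000 > 10.0.0.100.80: Flags [S], seq 100, win 29200, length 0
12:00:01.000200 IP 10.0.0.100.80 > 10.0.0.5.51000: Flags [S.], seq 900, ack 101, win 4380, length 0
12:00:01.000300 IP 10.0.0.5.51000 > 10.0.0.100.80: Flags [.], ack 901, win 29200, length 0
12:00:01.000400 IP 10.0.1.1.40001 > 10.0.1.20.5432: Flags [S], seq 500, win 4380, length 0
12:00:02.000400 IP 10.0.1.1.40001 > 10.0.1.20.5432: Flags [S], seq 500, win 4380, length 0
12:00:03.000100 IP 10.0.1.1.40002 > 10.0.1.21.5432: Flags [S], seq 700, win 4380, length 0
12:00:03.000200 IP 10.0.1.21.5432 > 10.0.1.1.40002: Flags [R.], seq 0, ack 701, win 0, length 0
"""

# "IP src.port > dst.port: Flags [..]"; search() ignores any trailing fields.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def classify(capture):
    """Return {(initiator, responder): state} for every flow opened by a SYN."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", m[5]
        if flags == "S":
            # First SYN opens the flow; retransmitted SYNs leave the state alone.
            flows.setdefault((src, dst), "syn-unanswered")
        elif flags == "S." and (dst, src) in flows:
            flows[(dst, src)] = "syn-ack-seen"
        elif "R" in flags and flows.get((dst, src)) == "syn-unanswered":
            # RST in reply to the SYN: nothing is listening, or a device rejects it.
            flows[(dst, src)] = "reset"
        elif flags == "." and flows.get((src, dst)) == "syn-ack-seen":
            flows[(src, dst)] = "established"
    return flows


if __name__ == "__main__":
    for (initiator, responder), state in classify(SAMPLE).items():
        print(f"{initiator} -> {responder}: {state}")
```

A flow that stays at syn-unanswered on the backend side points at routing, SNAT reachability, or the server's gateway; a capture with no SYN to the VS at all means the traffic is not arriving on this device.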