Forum Discussion

mrshaggy_169440's avatar
mrshaggy_169440
Icon for Nimbostratus rankNimbostratus
Jan 14, 2016

APM No Back-end Request/Response on Web Application Trace

Hi all,

 

We have APM on our system that we used to publish some application using VPN access. We plan to add another portal access list. So we add one more portal access list and add this new portal access on the Access Policy.

 

This new portal access was sucessfully added into user window after login on browser. But we got a problem, because every time user access this new portal access menu after login, the web browser show an error response. So we try to do web application trace, as mention on SOL13384 https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13384.html. After we do application trace on F5, we found that there is a front-end request/response between client and F5, but there is no back-end request/response between F5 and server.

 

F5 can do ping into the application server, and also can do telnet or curl. So basically F5 can communicate with the server, but I don't know why there is no Back-end request/response when I do web application trace on F5 for checking the connection.

 

Anyone ever face a problem like this? Or any idea how to do further checking why user can't access this new portal access list and there is no Back-end request/response when we do web application trace?

 

Thanks before for your help..

 

Ahmad

 

4 Replies

  • it seems that the BIGIP cannot reach the backend. Is it a HA pair? Have you enabled SNAT Automap (or pool) on the VS where the Access Policy is applied? what does a tcpdump on the bigip with "host " as filter shows?

     

  • If we I do a tcpdump during user access test using VPN, it show a lot of TCP SYN retransmission. It seem like the SYN packet from F5 was not received by server, or the SYN-ACK packet from server was not receive by F5, so F5 keep sending the SYN packet. But as I mention previously, if I do curl from F5 into server, F5 get the proper response from server. So it means that basically F5 can reach the server, but I don't know why F5 can't access the server during user VPN session that makes F5 keep sending SYN packet to server..

     

  • Is there any different on the request when we access an application from VPN using webtop, or from VPN using user-agent, or when we do curl or telnet from F5 to server? Because if we are using VPN client installed on PC or phone, we can access the application. But if we access it using VPN from webtop, we can't access the application.

     

  • Hi,

     

    The problem is already solve. We miss to check port translation on VS configuration, so F5 connection into server was using HTTPS port when accessing HTTP server.

     

    Thanks :)