abdel_387674
Apr 03, 2019

From Server, Contact the Web Site hosted on this same Server by the public IP of VS

Hello,

Sorry for my English.

I'm trying to contact the web site hosted on ServerA, which is in the private network, by its own VS (public IP).

Example: The web site hosted on ServerA is accessible from the internet by a VIP on our LineController.

I'm trying to contact this web site (with public IP resolution) on ServerA from ServerA without adding an entry in the hosts file, but it doesn't work.

All internet traffic from the server is routed by the line Controller to the internet.

Could you explain to me why I cannot contact its own public VIP from the server itself?

Thanks for your answers.


4 Replies

  • Hi Abdel,

    First of all, it depends on your DNS resolution.

    So from your internal network, check the following points:

    • DNS resolution of your entry:

    nslookup ServerA
    You should resolve to the external IP (that means that you have to set this entry in your internal DNS).

    • If the DNS resolution works fine, check flow/routing/FW.

    • You can also check your proxy PAC; maybe you have an exception for the internal domain and you try to reach it directly without passing through the outside...

    Regards,

  • Hi abdel,

    This is most likely an asymmetric routing issue, which is by design if you don't have any Source NATs in place.

    Request: 
    
    ServerA -> (SRC_IP=A -> DST_IP=X) -> F5 -> (SRC_IP=A -> DST_IP=A) -> ServerA 
    
    Response: 
    
    ServerA -> (SRC_IP=A -> DST_IP=A) -> ServerA
    

    Since ServerA has never created a connection to itself, the connection will simply break.

    The solution would be to enable SNAT globally on the Virtual Server or via an iRule if the SRC_IP is matching certain subnets (those which would otherwise experience asymmetric routing issues).

    Cheers, Kai
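
The flow described in the reply above, as a toy model added here for illustration (it is not part of the original reply and not F5 code). It extends the single ServerA case to any client on the server's subnet. The `/24` subnet, the SNAT address `10.90.0.254` and all class and function names are assumptions; the server and VIP addresses are the ones from the thread's capture.

```python
import ipaddress
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Server and VIP addresses come from the thread; the rest is assumed.
SERVER, VIP = "10.90.0.1", "213.0.0.1"
SERVER_NET = ipaddress.ip_network("10.90.0.0/24")  # assumed server subnet
SNAT_IP = "10.90.0.254"                            # assumed F5 self IP used for SNAT

class VirtualServer:
    """Toy NAT device: destination NAT always, source NAT only if snat_ip is set."""
    def __init__(self, snat_ip: Optional[str] = None):
        self.snat_ip = snat_ip
        self.conns = {}  # server-side reply tuple -> client-side reply tuple

    def to_server(self, p: Pkt) -> Pkt:
        out = Pkt(self.snat_ip or p.src, p.sport, SERVER, p.dport)
        # Remember how to undo the translation for the matching reply.
        self.conns[Pkt(out.dst, out.dport, out.src, out.sport)] = Pkt(p.dst, p.dport, p.src, p.sport)
        return out

    def to_client(self, reply: Pkt) -> Optional[Pkt]:
        return self.conns.get(reply)

def reply_seen_by_client(client: str, snat_ip: Optional[str] = None) -> Optional[Pkt]:
    """Return the server's reply as it arrives at the client's TCP stack."""
    vs = VirtualServer(snat_ip)
    at_server = vs.to_server(Pkt(client, 52729, VIP, 80))
    reply = Pkt(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # On-link destinations are answered directly; only replies addressed to the
    # F5 itself or to off-subnet hosts travel back through the F5.
    on_link = ipaddress.ip_address(reply.dst) in SERVER_NET
    if on_link and reply.dst != snat_ip:
        return reply  # bypasses the F5, so the source is never rewritten to the VIP
    return vs.to_client(reply)

def handshake_completes(client: str, snat_ip: Optional[str] = None) -> bool:
    """The client only accepts a reply whose source is the VIP it connected to."""
    return reply_seen_by_client(client, snat_ip) == Pkt(VIP, 80, client, 52729)

if __name__ == "__main__":
    for client in (SERVER, "10.90.0.2", "198.51.100.7"):
        print(client, handshake_completes(client), handshake_completes(client, SNAT_IP))
```

Without SNAT only the off-subnet client completes the handshake; with SNAT every reply is addressed to the F5 and gets translated back to the VIP.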

  • The result of my tcpdump on the LC

    Server Private IP is 10.90.0.1
    Virtual Server IP 213.0.0.1

    16:42:07.527950 IP (tos 0x0, ttl 63, id 7912, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x3c81 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479708694 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=

    16:42:08.526658 IP (tos 0x0, ttl 63, id 7913, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x3b87 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479708944 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=/Common/VSTEST

    16:42:10.530118 IP (tos 0x0, ttl 63, id 7914, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x3992 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479709445 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=/Common/VSTEST

    16:42:14.541970 IP (tos 0x0, ttl 63, id 7915, offset 0, flags [DF], proto TCP (6), length 60) 10.90.0.1.52729 > 213.0.0.1.http: Flags [S], cksum 0x35a7 (correct), seq 1831942910, win 29200, options [mss 1460,sackOK,TS val 3479710448 ecr 0,nop,wscale 7], length 0 in slot1/tmm0 lis=/Common/VSTEST

    16:42:19.527582 IP (tos 0x0, ttl 255, id 50747, offset 0, flags [DF], proto TCP (6), length 40) 213.0.0.1.http > 10.90.0.1.52729: Flags [R.], cksum 0x2f91 (incorrect -> 0x09e0), seq 0, ack 1831942911, win 0, length 0 out slot1/tmm0 lis=/Common/VSTEST