Forum Discussion

parvez_70211
Jan 14, 2015

Unable to telnet to the VIP but ping works

Hi,

I have an issue where we have a VIP configured to listen on port 443. VIP status is up. We are able to ping the VIP, but telnet to port 443 isn't working. Did a packet capture and found SYN packets flowing into the LTM but see no SYN-ACK response going out. Port lockdown has been set to allow all and it's a standard VIP.

 

ltm virtual /Common/cloudv1.test_443 {
    destination /Common/10.10.10.5%1:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/test_pool
    profiles {
        /Common/uat_ssl {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

 

Also, I tried to telnet to the self IP on the LTM on port 443, but it isn't responding either.

 

[root@LTMnew:Active:Standalone] config rdexec 1 telnet 10.10.10.5 443
Trying 10.10.10.5...
^C
[root@LTMnew:Active:Standalone] config rdexec 1 telnet 10.10.10.2 443
Trying 10.10.10.5...
telnet: connect to address 10.10.10.5: Connection refused
[root@LTMnew:Active:Standalone] config

 

Product: BIG-IP
Version: 11.5.1
Build: 5.0.147
Sequence: 11.5.1.5.0.147.0
BaseBuild: 0.0.110
Edition: Hotfix HF5
Date: Wed Oct 1 12:10:21 PDT 2014
Built: 141001121021

 

Do you think I missed some setting on the LTM?

 

  • Packet filter disabled. AFM not installed. Auto Last Hop enabled globally and default setting at the VIP level.

     

  • We have ASM installed but the license has expired. Could this be an issue?

     

  • Thanks. The VS isn't associated with ASM in any way based on the config output you posted so I doubt it but worth double-checking.

     

    No http profile assigned I see, is that by design?

     

    I assume routing is configured such that the F5 routes back to wherever you're testing from, via the same interface?

     

    FYI, the Port Lockdown setting has no bearing where Virtual Servers are concerned.

     

  • nathe
    Are you able to run tcpdump and see where this SYN-ACK might be? I also agree with WLB - you might want to double-check the routing side of things too.
  • Nathan/WLB, Thanks for your response.

     

    I don't think there is an issue with the routing here because I'm trying to telnet to the VIP from the same load balancer and the port does not open.

     

    Also, when I tried to telnet to the VIP from an outside machine with tcpdump running on the LB, it shows only SYN packets coming in and no SYN-ACK or any other packets leaving the interface.

     

    I had one more query: the VIP is listening on port 443 and the pool members on 80, and translation is enabled. I found the client SSL cert to be missing. I know this is an issue, but telnet to the VIP on port 443 from the same LTM should show open, correct? NOTE: VIP status is available. No issues with the interface.

     

    • What_Lies_Bene1
      Whatever the SSL configuration, you should still see the 3 way handshake first, before SSL/TLS negotiation can start.
  • Hey guys,

     

    Did you get any resolution on this problem? Recently I have been having a similar problem: from the client machine, I can see packets coming to the VS, and tcpdump shows the LTM VS not responding to SYN.

     

    I can ping the VS from the client machine. The only difference between the above and my issue is that I am able to telnet on port 80 from the LTM itself.

     

  • Same issue here. Telnet to VIP IP/port returns "Connection refused", telnet to pool member IP/port works. Ping to VIP works.

    No AFM, no ASM, no packet filters, auto last hop default

    Other VIPs work fine

     

  • Hi all, I have encountered this same issue. Has anyone found a solution for this?
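
The thread reports two different symptoms at the VIP: SYNs that get no reply at all (telnet hangs at "Trying...") and SYNs answered with a reset ("Connection refused"). The following is an added example, not posted by anyone in the thread, that separates the two in a capture; it assumes `tcpdump -nn` text output for IPv4, and the client addresses and capture lines are constructed.

```python
import re

# Assumption: tcpdump -nn text output, e.g.
# 12:00:01.000001 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, ...
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([A-Za-z.]+)\]"
)

def classify_syns(lines, vip, port):
    """Map each client (ip, port) that sent a SYN to vip:port to the reply seen:
    'silent' (nothing came back), 'rst' (refused) or 'syn-ack' (handshake ok)."""
    flows = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if (dst, dport) == (vip, port) and flags == "S":
            # First SYN or a retransmission: keep any reply already recorded.
            flows.setdefault((src, sport), "silent")
        elif (src, sport) == (vip, port) and (dst, dport) in flows:
            if flags == "S.":
                flows[(dst, dport)] = "syn-ack"
            elif "R" in flags and flows[(dst, dport)] == "silent":
                flows[(dst, dport)] = "rst"
    return flows

# Constructed sample capture: one ignored client, one refused, one accepted.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, win 29200, length 0
12:00:02.000001 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, win 29200, length 0
12:00:04.000001 IP 192.0.2.10.51000 > 10.10.10.5.443: Flags [S], seq 100, win 29200, length 0
12:00:05.000001 IP 192.0.2.11.51001 > 10.10.10.5.443: Flags [S], seq 200, win 29200, length 0
12:00:05.000101 IP 10.10.10.5.443 > 192.0.2.11.51001: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:06.000001 IP 192.0.2.12.51002 > 10.10.10.5.443: Flags [S], seq 300, win 29200, length 0
12:00:06.000101 IP 10.10.10.5.443 > 192.0.2.12.51002: Flags [S.], seq 900, ack 301, win 4380, length 0
12:00:06.000201 IP 192.0.2.12.51002 > 10.10.10.5.443: Flags [.], ack 901, win 29200, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, state in classify_syns(SAMPLE, "10.10.10.5", 443).items():
        print(flow, state)
```

A 'silent' flow means the listener dropped or never processed the SYN, while 'rst' means something at that address actively refused the port, so the two point at different places to look.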