How to troubleshoot the issues related to Virtual Server in F5 LTM

Self IP Address

--> Check the packets are hitting the self IP address of F5 Load Balancer.

--> Check Portlock down settings on the self IP address.

--> By using Port Lockdown we can control what types of connections will be allowed to the self IP based on protocol and port.



Connection Table

--> Check the packet from the source has been arrived in connection table or not.

--> Connection table stores all the connections going via F5 LTM.

--> Server Side and Client Side connections are stored.

--> Every Connection in connection table uses the resources on F5 LTM.

--> Inactive connections can be removed by setting connection timeout which saves resources on F5 LTM.

--> If you want to check connection table on F5 LTM using CLI command: tmsh show sys connection.

Packet Filter

--> If the packet is present in the connection table then check whether any packet filter rule is configured on the interface.

--> Packet filter improves the network security which tells BIG IP LTM interface to accept or drop the
connection.

--> Packet Filter can drop or allow the connection on interface based upon,

i) Source IP Address

ii) Destination IP Address

iii) Destination Port




Virtual Server 

--> Check whether the virtual server is configured or not for the given destination ip address and port number.

--> If more than one virtual server is configured on F5 LTM then check virtual server precedence.


--> The order of Virtual Server Precedence as follows,

i) IP: Port

ii) IP: Any

iii) Network: Port

iv) Network: Any

v) Any: Port

vi) Any: Any

--> Check my following post on virtual server precedence: http://networkingmaterials.blogspot.com/2017/10/what-is-virtual-server-precedence.html

--> Check Pool status associated with F5 Virtual Server.

--> By default BIG IP LTM work as default deny device if no virtual servers or listeners are configured then F5 LTM is going to drop traffic.



SNAT

--> Check SNAT or NAT are working properly if they configured.

--> SNAT or NAT is used to resolve asymmetric routing issues with F5 LTM.

--> Check my following post on SNAT and NAT:

http://networkingmaterials.blogspot.com/2018/09/where-to-use-snat-in-f5-ltm.html

http://networkingmaterials.blogspot.com/2018/09/what-is-diffrerence-between-nat-and.html

Connectivity with Backend Servers

 --> We can use multiple tools to find out the connectivity issues between the backend servers with F5 LTM.

--> If there is any PC on the server network then you can check the connectivity between PC and the server which you are facing the issue.

--> If it is responding then try to ping the server from F5 LTM.

--> If there is IP Connectivity we can use CURL command on F5 LTM to see whether F5 LTM can connect to the website on the server or FTP on the server for the traffic.

--> You can also use Wireshark or logs to find out the issue.

Md.Kareemoddin

CCIE # 54759

Ref: F5.com

0 Comments