
[AWIPS #XUN-289916]: server behind F5 appliance



Hi,

> I'm not an expert at this stuff so forgive me if I am not explaining things
> clearly.
> 
> Our IT department decided that all servers that can be reached from off
> campus must be put behind an F5 Big-IP Local Traffic Manager. Not my idea,
> but this includes our EDEX server.
> 
> Port 388 is open to off campus through the F5 and my EDEX server is
> successfully feeding from our upstream, but my downstream sites are not able
> to connect. Being behind the F5 the EDEX server uses a non-public IP, and
> when our downstream sites try to connect using the public IP address of our
> EDEX server, the F5 routes the data to the private IP.

Are you saying that downstream LDM-s are trying to connect to an LDM running on 
the same host as your EDEX server? Are they trying to connect to an LDM running 
*within* the EDEX system?

> As far as my EDEX server is concerned though, ALL traffic for port 388 is
> coming from the F5's internal IP and not the public IPs of the downstream
> sites.

This is possible. The F5 could be acting like a man-in-the-middle: rewriting 
the "source" and "destination" fields in the IP packets as necessary.

I would ask you to verify this, however, as there are other possibilities -- 
and definitive facts aid a proper diagnosis.

> Even after putting an ALLOW in the ldm.conf file for the F5's IP, my
> downstream sites are not connecting. I don't see any errors in my ldmd.log
> files, but here is a snippet from one of my downstream sites:
> 
> 20210330T182935.025595Z x.x.x[9117] NOTE requester6.c:311:make_request() Upstream LDM-6 on x.x.x is willing to be a primary feeder

A downstream LDM logs this message only if it establishes a valid connection 
with your LDM. So some downstream LDM processes succeeded.

> 20210330T182935.026405Z x.x.x[9111] ERROR error.c:236:err_log() Request not allowed. Does it overlap with another?; Request denied by upstream LDM: 20210330181702.847950 TS_ENDT {{WMO, ".*"}}
> 20210330T182935.026861Z x.x.x[9113] NOTE requester6.c:311:make_request() Upstream LDM-6 on x.x.x is willing to be a primary feeder
> 20210330T182935.027552Z x.x.x[9119] NOTE requester6.c:311:make_request() Upstream LDM-6 on x.x.x is willing to be a primary feeder
> 20210330T182935.028170Z x.x.x[9115] ERROR error.c:236:err_log() Request not allowed. Does it overlap with another?; Request denied by upstream LDM: 20210330181702.845624 TS_ENDT {{UNIWISC, ".*"}}
> 20210330T182935.028612Z x.x.x[9121] NOTE requester6.c:311:make_request() Upstream LDM-6 on x.x.x is willing to be a primary feeder
> 
> Is this because all traffic to my EDEX is coming through the same IP on the 
> F5?

Could be. By default, the LDM enables an anti-denial-of-service mechanism that 
disconnects a downstream LDM if the same host makes the same request again. If 
your LDM sees all requests as coming from the F5 and you have multiple 
downstream hosts requesting the same data, then ... it won't work.

This feature can be disabled by editing the LDM registry, "etc/registry.xml", 
and setting the parameter "/server/enable-anti-DOS" to "FALSE". Try that and 
then restart your LDM.

Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: XUN-289916
Department: Support LDM
Priority: Normal
Status: Closed
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.
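The failure mode discussed in the reply above (an upstream that rejects a repeated identical request from the same source address, seen through a load balancer that rewrites every downstream's source address to its own) is easy to reproduce with a small model. The code below is an added illustration written for this page; it is not LDM code, and the addresses, site names, the "rogue" host and the verdict strings are all constructed for the example. It models the per-host duplicate check, the host allow-list, and source-address rewriting by the load balancer, then runs the same two downstream sites through three configurations.

```python
"""Constructed model (not LDM's code) of an upstream that rejects a repeated
identical request from the same source address, and of what a load balancer
that rewrites every downstream's source address does to that check."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

F5_ADDR = "10.0.0.5"                                    # assumed private address of the load balancer
SITES = {"siteA": "192.0.2.10", "siteB": "192.0.2.20"}  # assumed downstream sites
ROGUE = "198.51.100.7"                                  # assumed host that is NOT on the allow-list


@dataclass(frozen=True)
class Request:
    feedtype: str   # e.g. "WMO", "UNIWISC"
    pattern: str    # product-identifier regex, e.g. ".*"


@dataclass
class Upstream:
    allowed: Set[str]                  # stand-in for the hosts matched by ALLOW lines
    anti_dos: bool = True              # stand-in for /server/enable-anti-DOS
    active: Set[Tuple[str, Request]] = field(default_factory=set)  # live (source, request) pairs

    def handle(self, src_addr: str, req: Request) -> str:
        """Return the upstream's verdict for one request arriving from src_addr."""
        if src_addr not in self.allowed:
            return "denied: not allowed"
        key = (src_addr, req)
        if self.anti_dos and key in self.active:
            # Same host, same request: treated as a duplicate and refused.
            return "denied: duplicate request from same host"
        self.active.add(key)
        return "willing to be a primary feeder"


def source_addr(site_addr: str, nat: bool) -> str:
    """Address the upstream sees: the site's own, or the F5's when it rewrites the source."""
    return F5_ADDR if nat else site_addr


def simulate(nat: bool, anti_dos: bool) -> Dict[str, List[str]]:
    """Two sites each request WMO and UNIWISC, then a rogue host asks for WMO.

    Returns the upstream's verdicts per host. When nat is True the allow-list
    holds only the F5's address, mirroring an ALLOW written for the F5's IP.
    """
    allowed = {F5_ADDR} if nat else set(SITES.values())
    upstream = Upstream(allowed=allowed, anti_dos=anti_dos)
    requests = [Request("WMO", ".*"), Request("UNIWISC", ".*")]
    verdicts: Dict[str, List[str]] = {}
    for site, addr in SITES.items():
        verdicts[site] = [upstream.handle(source_addr(addr, nat), r) for r in requests]
    verdicts["rogue"] = [upstream.handle(source_addr(ROGUE, nat), requests[0])]
    return verdicts


if __name__ == "__main__":
    for nat, anti_dos in [(False, True), (True, True), (True, False)]:
        print(f"nat={nat} anti_dos={anti_dos}: {simulate(nat, anti_dos)}")
```

With source addresses preserved, both sites are fed and the rogue host is refused. With the F5 rewriting sources and the duplicate check on, the first site to connect wins each feedtype and the second is refused, which is the mix of "willing to be a primary feeder" and "Request not allowed" seen in the log above. Turning the duplicate check off makes the second site work, but the model also shows the cost: an ALLOW written for the F5's address admits anything the F5 forwards, so the allow-list no longer distinguishes downstream sites from the rogue host. Arranging for the load balancer to preserve the client's source address keeps both the duplicate check and the allow-list meaningful.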