LTM Troubleshooting Labs

Lab 1 – Basic Troubleshooting


In this lab we will perform basic troubleshooting of an HTTP virtual server. Your LTM
device has been pre-configured with a Virtual Server named ‘Lab_1_VS’ and a pool
named ‘Lab_1_Pool’, and a problem with the configuration has been introduced.

The expected traffic flow for this lab is:

Request:
Client Request -> Lab_1_VS -> Lab_1_Pool -> Pool Member

Response:
Pool Member -> LTM Self IP -> Client

Some known facts about the topology:

• The Virtual Server is configured to only perform Layer 4 load balancing
• The pool members are configured with an HTTP server running on TCP/80
• The default gateway of the pool members is not an LTM self IP
• The pool members are running the Linux operating system
• There is a firewall in the traffic path between the LTM and pool members

The goal of this lab is for the student to attempt a connection to the virtual server and
troubleshoot the issue that occurs. A guide is included below to provide a rough process
for finding and fixing the problem.

1. What is the status of the LTM objects related to this traffic flow?
   a. Are all objects showing ‘Available’?
   b. Are any ‘Unknown’ statuses explained?
2. Is the full bi-directional traffic flow understood? Is the configuration of the
   device consistent with this flow?
   a. Make a flow diagram with expected IPs included
3. What type of issue is occurring? What protocol layer is producing the error?
   a. Enable RST logging and ‘tail -f /var/log/ltm’. What do you see?
4. What does the connection table show?
   a. TMSH: “show /sys conn ?”
5. Perform a network capture
   a. What interface should you capture on?
   b. What are you looking for?
   c. Remember, the traffic flow should be represented in the capture. Are all
      the expected flows present?

Lab 2 – SSL Troubleshooting

In this lab we will perform a capture on the Lab_2_VS virtual server. This virtual server
is configured as a port 443 service offloading SSL traffic and sends requests to
Lab_2_Pool (configured identically to Lab_1_Pool).

1. Open the Virtual Server in a web browser. Accept any certificate errors that are
   presented until the diagnostic page is shown.
2. Start a tcpdump and write the packets to a file in the /var/tmp directory
3. While holding down ‘Shift’, refresh the page in the browser twice
4. Stop the tcpdump
5. Use the ssldump utility to decrypt the capture
6. Examine the output from ssldump
   a. Can you see the different phases of the SSL handshake?
   b. Did the ssldump decrypt the data properly?
7. Export the capture file from your device and open it in Wireshark. Examine the
   data that Wireshark presents and identify the SSL handshake components.

Lab 3 – Troubleshooting with an iRule


In this lab you will use the HTTP Debugging iRule to capture data on the Lab_3_VS
virtual server.

1. Attach the ‘http_debug’ iRule to the Lab_3_VS virtual server.
2. Open an SSH session to the LTM device and monitor the /var/log/ltm file (tail -f
   /var/log/ltm)
3. Generate some requests to the Virtual Server
4. Analyze the data shown in the log
   a. What type of data is shown?
   b. What type of data is NOT shown?
   c. Why could using the iRule cause problems?
5. Modify the configuration to insert the X-Forwarded-For header.
6. Send a request and monitor the log. Was the header added?
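
A sketch of what an HTTP debugging iRule can look like, given here as an added example: it is not the lab's ‘http_debug’ iRule, whose contents are not part of this handout. The conn_id variable, the log line layout and the set of redacted headers are assumptions chosen for illustration.

```tcl
# Added example, not the lab's 'http_debug' iRule.
# Logs the request line, status line and headers to /var/log/ltm, and
# redacts headers that carry credentials or session tokens.

when CLIENT_ACCEPTED {
    # conn_id (hypothetical name) tags every line of one client connection
    # so interleaved requests can be told apart in the log.
    set conn_id "[IP::client_addr]:[TCP::client_port]"
}

when HTTP_REQUEST {
    log local0. "$conn_id REQ [HTTP::method] [HTTP::host][HTTP::uri] HTTP/[HTTP::version]"
    foreach name [HTTP::header names] {
        switch -- [string tolower $name] {
            "authorization" -
            "proxy-authorization" -
            "cookie" { set value "<redacted>" }
            default  { set value [HTTP::header value $name] }
        }
        log local0. "$conn_id REQ hdr $name: $value"
    }
}

when HTTP_RESPONSE {
    log local0. "$conn_id RSP [HTTP::status] from [IP::server_addr]:[TCP::server_port]"
    foreach name [HTTP::header names] {
        switch -- [string tolower $name] {
            "set-cookie" { set value "<redacted>" }
            default      { set value [HTTP::header value $name] }
        }
        log local0. "$conn_id RSP hdr $name: $value"
    }
}
```

Every request produces one log line per header, so a rule like this belongs on a test virtual server or should be removed as soon as the capture is complete.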