APM and VIP Targeting Configuration Issues

Question

We have a use case where we'd like to use multiple domain names and apply different access policies based on differing domain names.  The main article I read to work around this is to use VIP targeting and apply an iRule on the main/director Virtual Server to accomplish this.
when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
    "app1.domain.com" { virtual app1_vs }
    "app2.domain.com" { virtual app2_vs }
    "app3.domain.com" { virtual app3_vs }
    "app4.domain.com" { virtual app4_vs }
  }
}

So far I haven't been able to get this working.  Policy manager itself functions correctly and passes, but as soon as the VPN tunnel tries to setup it immediately disconnects:

10:00:02 PDT 2015:notice hostname tmm1[19040] 01490505 562a3210PPP tunnel 0x57003446b100 closed.
10:00:02 PDT 2015:notice hostname tmm1[19040]01490505 562a3210PPP tunnel 0x57003446b100 started

So a few questions I have here in regards to this setup.
Does it really work and is any functionality lost?Is DTLS still supported and if so, what does that configuration look like?Are there any issues with having route domains configured (perhaps that's what causing my disconnect)?Is there something special that needs to be configured on the directed virtual server?  Right now I'm just configuring it as SSL and applied the appropriate access policy.
Thanks in advance.

robert_teller_7 · Answer

Just out of curiosity can you add logic to the VPE to execute different branch logic based on the FQDN rather than using the V2V function?

mrichter · Answer

My use case is based on a desire to have multiple access policies.  The whole point really is to avoid having a single policy if at all possible without needing to burn additional public IPs.&nbsp;

robert_teller_7 · Answer

From my testing I was able to get the Virtual to Virtual targeting to work. &nbsp;
I believe the issue you are running into two issues.
1. You are switching APM Policies based on the HTTP::host variable and that information will not be available when negotiating DTLS
1. You have the HTTP profile applied to the external virtual since you are using the HTTP::host method&nbsp;
Make sure the externally exposed virtual has both the ClientSSL and ServerSSL Profile applied and try removing the HTTP profile from the virtual.&nbsp;
Instead of using the HTTP::host method to identify the destination FQDN you will have to use the SNI attribute of the client ssl request. Take a look at TLS Server Name Indication for some great information on SNI&nbsp;

Forum Discussion

APM and VIP Targeting Configuration Issues

Recent Discussions

3rd party SFP

Custom Attack Signature for Accept Header

Upgrade to 'BIGIP-15.1.0.5-0.0.8 (Could not access configuration source; sda, 1)

how does gtm/dns monitor wild-ip pool members?

why the device certificate verify failed when the device certificate is not expired?

Related Content

APM Portal Access for SNI Targets

Certificate Expiry Email alert configuration

Threat Campaigns Targeting Oracle WebLogic Servers (CVE-2020-14882)

Re: LTM SYN Cookie Configuration

Stable point of Configuration " Rescue Point "

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS