Forum Discussion
APM SSLVPN with layered virtual
I'm using SNI routing configured almost exactly like the article, matching at client ssl hello and forwarding to an APM SSLVPN enabled VS.
Same symptoms as OP.
Is there some other magic to making this work, or is it not supported?
Sven, did you ever happen to get this to work?
My "jump-vs" is the SNI-Router VS, or in other words the "outer VS". So there is the SNI-Routing LTM policy applied. This VS is only used for service ports, which are used for SSL/TLS connections - otherwise SNI wouldn't work. I didn't check if DTLS does support SNI and therefore didn't use the "jump-vs". So my DTLS VS is just another Standard VS, without any LTM policies applied. On the other hand, the SNI-Routing LTM policy doesn't support the combination of SNI and TCP port conditions (at least not in my environments, tested with 13.1.x, 14.x and 15.0). For me this resulted in TCP resets on the outer VS.
This special environment has only a single private IP address, forwarded from a NAT router in front of the BIG-IP, which has a single public IP address.
My setup is on 15.0.x and will be updated to 15.1.x within the next few days.