Forum Discussion
AceHunter1965
Altostratus
AltostratusBIG-IP WAF Causes WSS Connections to Stall
Hey all!
We've been using BIG-IP in our company as a gateway to the entire network, and we have multiple inner hosts that are proxyed by it.
All connections using HTTPS/WSS are passed through a WAF policy that has most of the signatures enabled, but we've recognized a problem with WebSocket connections:
Any WebSocket connection created from a browser (Chrome) that goes through the WAF policy is stalled, with the status showing as "Pending" indefinitely. It doesn't look like BIGIP outright blocks the connection, since there is no event log for it, but if the connection is setup to bypass the WAF policy (by disabling ASM in an iRule), it works well.
I'd appreciate any help in troubleshooting the problem, if anyone has faced it before. We are using BIGIP 15.1.5.1.
Hi AceHunter1965 ,
I recommend to add an explicit Web socket URI Entities , to Let Bigip AWAF parse and deal with it properly.
So identify your Websocket URIs and add them explicitly , use the below Article :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/28.html
But you need to enable your event Log to see traffic behavior after adding these entities.
AceHunter1965Hey,
Seems like adding the websocket URI has no visible effect on the problem
Juergen_MangMVP
When this problem occurs there is usually no websocket profile attached to the virtual server.
Reference: https://my.f5.com/manage/s/article/K35603146
- AceHunter1965
Hey,
We've added a websocket profile before encountering the error, and it persists even after trying all websocket masking options.
Hey AceHunter1965 - did either of the suggestions above help you troubleshoot? If yes, could you pleae click "Accept as Solution" on the one that worked for you, or let us know if you still need assistance?
- AceHunter1965
Sorry for the lack of response from me, but I've tried all suggestions so far and still haven't managed to solve my issue 😞
