Forum Discussion

MVP

Oct 04, 2022

Can the F5 SSL Orchestrator(SSLO) send traffic to a not directly attached Layer 3 device?

I was playing with the SSLO wizards/guided configurations and when I tried to configure layer3 or http service with an IP address that is not directly attached to the a Vlan/Self IP on the F5 I got t...

application delivery

security

sslo

Kevin_Stewart
Oct 04, 2022
The security device IP has to match the to-service self-IP subnet. That's why you're getting this error.

The basic premise of an "inline" device is that SSLO sends traffic to/through it, and that device sends it back. For L3 devices, SSLO routes to the device, and the device must route back on a spearate subnet. It's not generally advisable to send that (decrypted) traffic across a network, so SSLO will by default create a private network enclave for each security service.

The GUI error is to prevent sending unencrypted traffic out onto a network. But if you abssolutely need to do this, just provide a dummy IP here, disable strictness on the service after deploying, and then modify the associated pool member(s). But again, keep in mind that SSLO expects the traffic sent to an L3/HTTP device to be routed back to SSLO on a separate subnet.

Kevin_Stewart

Employee

Oct 04, 2022

The security device IP has to match the to-service self-IP subnet. That's why you're getting this error.

The basic premise of an "inline" device is that SSLO sends traffic to/through it, and that device sends it back. For L3 devices, SSLO routes to the device, and the device must route back on a spearate subnet. It's not generally advisable to send that (decrypted) traffic across a network, so SSLO will by default create a private network enclave for each security service.

The GUI error is to prevent sending unencrypted traffic out onto a network. But if you abssolutely need to do this, just provide a dummy IP here, disable strictness on the service after deploying, and then modify the associated pool member(s). But again, keep in mind that SSLO expects the traffic sent to an L3/HTTP device to be routed back to SSLO on a separate subnet.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Can the F5 SSL Orchestrator(SSLO) send traffic to a not directly attached Layer 3 device?

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

F5 BIG-IP Access Policy Manager (APM) Identity-based steering with SSL Orchestrator (SSLO)

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Three Attached Deployment

Where are the F5 SSL Orchestrator (SSLO) SplitSession Client/SplitSession Server profiles used?

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Two Attached Deployment

Run Advanced Containers like OPSWAT Content Scrubbing Directly On F5 Distributed Cloud Nodes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS