Cannot access an external url using its IP address via F5 LTM
Hi,
I have configured access to a URL via F5 LTM outbound, which has the following traffic flow:
Internal client with host entries pointing to the Internal VIP address and the first external URL --- Internal VIP (node / pools / health monitor {tcp} / clientssl profile with internal certificate) ----- external VIP (node / pools / health monitor {tcp} / LTM profile / LTM ASM policy / customised serverssl profile with SNI profile) -- first external URL / application
The first access to the URL is further redirected to another URL, for which I have configured the same traffic flow as above. So there are two VIPs in total.
Internal client with host entries pointing to the Internal VIP address and the second external URL --- Internal VIP (node / pools / health monitor {tcp} / clientssl profile with internal certificate) ----- external VIP (node / pools / health monitor {tcp} / LTM profile / LTM ASM policy / default serverssl profile) -- second external URL
Both VIPs are UP.
When the customer tries to access the first URL, they get the application displayed and are presented with an option to select a tab which represents the second URL. When they try to access the second URL, they are shown SSL/TLS errors (there were issues with the internal client having TLS 1.0 configured, which has been upgraded to TLS 1.2). This has been rectified, but the access is still not working.
From the troubleshooting we observed that when a curl test is conducted based on the URL's IP address (DNS resolution is not permitted within the production environment) we get an HTTP/1.1 404 Not Found message, and a tcpdump indicates that a reset is coming from the client:
```
10:32:40.068930 IP F5 self IP.34873 > url.443: Flags [S], seq 1536075269, win 14600, options [mss 1460,sackOK,TS val 3381239172 ecr 0,nop,wscale 7], length 0 out slot1/tmm2
10:32:40.225767 IP url.443 > F5 self IP.34873: Flags [S.], seq 3594897577, ack 1536075270, win 8190, options [mss 1360], length 0 in slot1/tmm2
10:32:40.226388 IP F5 self IP.34873 > url.443: Flags [.], ack 1, win 14600, length 0 out slot1/tmm2
10:32:40.226391 IP F5 self IP.34873 > url.443: Flags [F.], seq 1, ack 1, win 14600, length 0 out slot1/tmm2
10:32:40.383707 IP url.443 > F5 self IP.34873: Flags [R.], seq 1, ack 2, win 9701, length 0 in slot1/tmm2
```
However, outside of the F5, when the curl test is conducted with the URL and not the IP address, you get an HTTP/1.1 200 OK message.
The proposed workaround is to configure a customised serverssl profile (just like for the first URL):
```
create ltm profile server-ssl second url defaults-from serverssl server-name second url.com
modify ltm profile server-ssl second url sni-default true
```
The main question is: would this work? (Access to the first URL is working.)
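Reading that capture with a script, as an added example that is not part of the original post and not F5 tooling: it reconstructs the three-way handshake from the tcpdump lines and reports which side sent the FIN and the RST, and whether any payload (such as a TLS ClientHello) crossed the wire before the close. The host names are placeholders standing in for the question's redacted F5 self IP and external URL.

```python
import re

# Constructed sample: the five packets from the capture in the question,
# re-typed in plain tcpdump layout with placeholder host names.
CAPTURE = """\
10:32:40.068930 IP f5-self-ip.34873 > url.443: Flags [S], seq 1536075269, win 14600, options [mss 1460,sackOK,TS val 3381239172 ecr 0,nop,wscale 7], length 0
10:32:40.225767 IP url.443 > f5-self-ip.34873: Flags [S.], seq 3594897577, ack 1536075270, win 8190, options [mss 1360], length 0
10:32:40.226388 IP f5-self-ip.34873 > url.443: Flags [.], ack 1, win 14600, length 0
10:32:40.226391 IP f5-self-ip.34873 > url.443: Flags [F.], seq 1, ack 1, win 14600, length 0
10:32:40.383707 IP url.443 > f5-self-ip.34873: Flags [R.], seq 1, ack 2, win 9701, length 0
"""

# One tcpdump TCP line: timestamp, src.port > dst.port, flags, ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)", re.M)

def parse(capture):
    """Return one dict per TCP packet line; lines that do not match are skipped."""
    pkts = []
    for m in LINE_RE.finditer(capture):
        d = m.groupdict()
        d["len"] = int(d["len"])
        pkts.append(d)
    return pkts

def analyze(capture):
    """Did the handshake finish, who sent FIN/RST, and how much payload preceded it?"""
    pkts = parse(capture)
    client = pkts[0]["src"]  # whoever sent the first SYN
    r = {"client": client, "handshake_complete": False,
         "payload_bytes": 0, "fin_from": None, "rst_from": None}
    state = 0  # 0: nothing, 1: SYN seen, 2: SYN/ACK seen, 3: established
    for p in pkts:
        f = p["flags"]
        if state == 0 and f == "S" and p["src"] == client:
            state = 1
        elif state == 1 and f == "S." and p["dst"] == client:
            state = 2
        elif state == 2 and f == "." and p["src"] == client:
            state = 3
            r["handshake_complete"] = True
        r["payload_bytes"] += p["len"]  # a TLS ClientHello would count here
        if "F" in f and r["fin_from"] is None:
            r["fin_from"] = p["src"]
        if "R" in f and r["rst_from"] is None:
            r["rst_from"] = p["src"]
    return r
```

For the posted capture the handshake completes, zero payload bytes are exchanged, the FIN comes from the F5 side and the RST from the external host, which is what to compare against a capture taken after the serverssl profile change.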
3 Replies
- Domai
Altostratus
Can you post the configurations? Remove the IP address and other info before you do that. So this is for outbound connections from internal clients? Is that what you are trying to accomplish?
- gefela_153763
Nimbostratus
```
ltm pool External-POOL {
    members {
        200.X.X.X:https {
            address 200.X.X.X
            session monitor-enabled
            state up
        }
    }
    monitor tcp
}
ltm pool Internal-POOL {
    members {
        10.X.X.X:http {
            address 10.X.X.X
            session monitor-enabled
            state up
        }
    }
    monitor tcp
}
ltm virtual EXTERNAL_VS {
    destination 10.X.X.X:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        asm_auto_l7_policy__External-POOL { }
    }
    pool External-POOL
    profiles {
        ASM_External { }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
        websecurity { }
    }
    security-log-profiles {
        "Log all requests"
    }
    source 0.0.0.0/0
}
ltm virtual INTERNAL_VS {
    destination 10.X.X.X:https
    ip-protocol tcp
    mask 255.255.255.255
    pool Internal-POOL
    profiles {
        Internal cert {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation
```
This is for outbound connections to an external URL.
- gefela_153763
Nimbostratus
I have posted the configuration. This is for outbound connections to an external URL.