Forum Discussion

jake_macabuag_4
Jun 17, 2010

Cannot access some https sites

Hi guys, I have an issue with this implementation of an LC 1600 running 9.4.8. The F5 LC is sitting in between the router and the firewall. A week after the implementation, the client says that some of the users cannot access some HTTPS sites. I instructed the client to connect a laptop directly to the F5 to check whether it would work, and indeed it is working.

Our configuration:

    vs_outbound any:any perfL4
    snat enabled
    address and port translation disabled

The problem also is that not all users are affected and not all sites are problematic. When I do a tcpdump on the internal and external interfaces of the F5, I can see the HTTPS traffic traversing our F5 unit. I insisted that they check their firewall, because the last hop of the transaction is the firewall, and it also works if I connect directly to the F5.

We tried adding an outbound HTTPS virtual server:

    vs_https any:443
    snat enabled
    address and port translation disabled

The problem was resolved by adding this config. The problem is weird and the solution is also weird. Am I wrong to say that it is not an F5 issue, or am I right when I said that what we did was just a workaround? Since we already have the VS any:any, I assume that all traffic will be allowed to go outside. But based on our experience, we need to create a specific virtual server for FTP, SMTP and now HTTPS just for them to pass the F5.

By the way, this is a migration project from an old BIG-IP 1000 to a BIG-IP 1600, so they can't help but compare their old infrastructure to the new one. Hope you could shed light on this issue. Thanks guys.
  • hoolio
    Hi Jake,

    I could see why FTP might need a separate VS as you'd want to add an FTP profile to the VS. But for HTTPS and other single port protocols, the any:any VS should work. I'm not sure why using a service specific VS would fix the HTTPS issue.

    Can you post a copy of the configuration for the vs_outbound any:any and the any:443 virtual servers using 'b virtual VS_NAME list'?

    Thanks,
    Aaron
  • Yeah, even F5 support cannot understand why we need to create an additional entry per port.

    virtual https_outbound {
       translate service disable
       snatpool floating_automap
       pool gateway_https
       destination any:https
       mask none
       ip protocol tcp
    }

    virtual vs_outbound {
       snatpool floating_automap
       pool gateway_pool
       destination any:any
       mask none
    }
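An added example, not from this thread and not F5's own tooling: a small Python script that parses bigpipe-style `virtual NAME { ... }` listings like the two posted above, picks the virtual server BIG-IP's most-specific-match rule would assign an outbound flow to, and diffs the settings of the catch-all and the port-specific VS so that any setting present in only one of them stands out before reaching for tcpdump. The ranking is simplified (host address beats wildcard, then a specific port beats any; network masks are not modelled) and the sample config is constructed.

```python
import re
# Constructed sample, shaped like the two listings posted in this thread.
SAMPLE_CONFIG = """
virtual https_outbound {
   translate service disable
   snatpool floating_automap
   pool gateway_https
   destination any:https
   ip protocol tcp
}
virtual vs_outbound {
   snatpool floating_automap
   pool gateway_pool
   destination any:any
}
"""
SERVICE_PORTS = {"any": None, "http": 80, "https": 443, "ftp": 21, "smtp": 25}

def parse_virtuals(text):
    """Return {name: {setting: value}} for each 'virtual NAME { ... }' block."""
    virtuals = {}
    for name, body in re.findall(r"virtual\s+(\S+)\s*\{(.*?)\}", text, re.S):
        settings = {}
        for line in body.strip().splitlines():
            # "ip protocol tcp" -> ("ip protocol", "tcp"): the last word is the value
            key, _, value = line.strip().rpartition(" ")
            settings[key] = value
        virtuals[name] = settings
    return virtuals

def _destination(settings):
    addr, _, port = settings["destination"].partition(":")
    return addr, SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)

def select_virtual(virtuals, dst_ip, dst_port):
    """Most specific match wins: host beats wildcard address, then port beats any."""
    best, best_rank = None, (-1, -1)
    for name, settings in virtuals.items():
        addr, port = _destination(settings)
        if addr in ("any", dst_ip) and port in (None, dst_port):
            rank = (addr != "any", port is not None)
            if rank > best_rank:
                best, best_rank = name, rank
    return best

def diff_settings(virtuals, a, b):
    """Settings that differ between two virtual servers (None = not set)."""
    keys = set(virtuals[a]) | set(virtuals[b])
    return {k: (virtuals[a].get(k), virtuals[b].get(k))
            for k in sorted(keys) if virtuals[a].get(k) != virtuals[b].get(k)}
```

Run `diff_settings(parse_virtuals(SAMPLE_CONFIG), "https_outbound", "vs_outbound")` to list what the port-specific VS sets that the catch-all does not.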
  • hoolio
    Those look right. I think the next step in troubleshooting would be to capture tcpdumps of a failure. If you figure this out with Support, can you reply here for reference?

    Thanks, Aaron
  • Additional info: the internal side of the F5 is connected to a Cisco ASA 5.5 v7.2, so my suspicion (hope) is that it is an issue with the firewall.

    Another issue popped up: after logging in to the HTTPS site, there is a link that you can click that will redirect you to another HTTPS portal, but this time it is using port 11000. So, we're thinking of creating another outbound VS specifically for port 11000. NOOOOO!! I tried it with my BIG-IP 6400 in the office and everything is working with just the any:any VS, SNAT enabled, configured for outbound traffic.

    Anyway, I just want to get this working so I can move on with my other implementation projects.