Forum Discussion
jake_macabuag_4
Nimbostratus
Jun 17, 2010
Cannot access some https sites
Hi Guys,
I have an issue with this implementation of LC 1600 9.4.8. The F5 LC is sitting between the router and the firewall. A week after implementation, the client says that some of the users cannot access some HTTPS sites. I instructed the client to connect a laptop directly to the F5 to check whether it would work, and indeed it works. Our configuration:
vs_outbound
any:any
perfL4
snat enabled
address and port trans disabled
The problem is also that not all users are affected and not all sites are problematic. When I run tcpdump on the internal and external interfaces of the F5, I can see the HTTPS traffic traversing our F5 unit. I insisted on checking their firewall, because the last transaction is going to the firewall and it also works if I connect directly to the F5. We tried adding an outbound HTTPS VS:
vs_https
any:443
snat enabled
address and port translation disabled
The problem was resolved by adding this config. The problem is weird and the solution is also weird. Am I wrong to say that it is not an F5 issue, or am I right when I said that what we did was just a workaround?
Since we already have the VS any:any, I assume that all traffic will be allowed to go outside. But based on our experience, we need to create a specific virtual server for FTP, SMTP and now HTTPS just for them to pass the F5. By the way, this is a migration project from an old BIG-IP 1000 to a BIG-IP 1600, so they can't help but compare their old infra to the new one.
Hope you could shed some light on these issues.
Thanks guys
4 Replies
- hoolio
Cirrostratus
Hi Jake,
I could see why FTP might need a separate VS as you'd want to add an FTP profile to the VS. But for HTTPS and other single port protocols, the any:any VS should work. I'm not sure why using a service specific VS would fix the HTTPS issue.
Can you post a copy of the configuration for the vs_outbound any:any and the any:443 virtual servers using 'b virtual VS_NAME list'?
Thanks,
Aaron
- jake_macabuag_4
Nimbostratus
Yeah, even F5 support cannot understand why we need to create an additional entry per port.
virtual https_outbound {
   translate service disable
   snatpool floating_automap
   pool gateway_https
   destination any:https
   mask none
   ip protocol tcp
}
virtual vs_outbound {
   snatpool floating_automap
   pool gateway_pool
   destination any:any
   mask none
}
- hoolio
Cirrostratus
Those look right. I think the next step in troubleshooting would be to capture tcpdumps of a failure. If you figure this out with Support, can you reply here for reference?
Thanks, Aaron
- jake_macabuag_4
Nimbostratus
Additional info: the internal side of the F5 is connected to a Cisco ASA 5.5 v7.2, so my suspicion (hoping) is that it is an issue with the firewall.
Another issue popped up: after logging in to the HTTPS site, there is a link you can click that redirects you to another HTTPS portal, but this time it uses port 11000. So we're thinking of creating another outbound VS specifically for port 11000. NOOOOO!! I tried it with my BIG-IP 6400 in the office and everything works with just the any:any VS, SNAT enabled, configured for outbound traffic.
Anyway, I just want to get this working so I can move on with my other implementation projects.
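Aaron's suggestion to capture tcpdumps of a failure is the step that actually settles the "F5 or firewall" question, and the useful part is reading the internal and external captures side by side rather than one at a time. The script below is an added example, not code from this thread or from F5: it takes tcpdump -nn style text from both interfaces of the BIG-IP, counts SYNs sent to and SYN-ACKs received from each server endpoint, and says for every server whether the handshake completed, was never forwarded by the BIG-IP, left the external interface with no reply (firewall or upstream), or got a reply that the BIG-IP never passed back to the client. The capture lines, the 10.1.1.x clients, the 198.51.100.5 SNAT address, the 203.0.113.x servers and the helper names handshake_counts and locate_failure are all constructed for this illustration.

```python
"""Correlate tcpdump output from the BIG-IP's internal and external interfaces
to locate where an outbound TCP handshake (HTTPS here) is failing.

Constructed example: the capture lines, addresses and helper names are made up
for illustration and are not from the forum thread or from F5.
"""
import re
from collections import defaultdict

# tcpdump -nn style lines, constructed sample data (not real captures).
INTERNAL_CAPTURE = """\
10:00:00.000100 IP 10.1.1.50.51234 > 203.0.113.10.443: Flags [S], seq 1000, win 65535, length 0
10:00:00.020100 IP 203.0.113.10.443 > 10.1.1.50.51234: Flags [S.], seq 5000, ack 1001, win 29200, length 0
10:00:00.020300 IP 10.1.1.50.51234 > 203.0.113.10.443: Flags [.], ack 1, win 65535, length 0
10:00:01.000100 IP 10.1.1.51.51300 > 203.0.113.20.443: Flags [S], seq 2000, win 65535, length 0
10:00:02.000100 IP 10.1.1.51.51300 > 203.0.113.20.443: Flags [S], seq 2000, win 65535, length 0
10:00:03.000100 IP 10.1.1.52.51400 > 203.0.113.30.11000: Flags [S], seq 3000, win 65535, length 0
10:00:04.000100 IP 10.1.1.53.51500 > 203.0.113.40.443: Flags [S], seq 4000, win 65535, length 0
"""

EXTERNAL_CAPTURE = """\
10:00:00.000200 IP 198.51.100.5.10001 > 203.0.113.10.443: Flags [S], seq 1000, win 65535, length 0
10:00:00.020000 IP 203.0.113.10.443 > 198.51.100.5.10001: Flags [S.], seq 5000, ack 1001, win 29200, length 0
10:00:01.000200 IP 198.51.100.5.10002 > 203.0.113.20.443: Flags [S], seq 2000, win 65535, length 0
10:00:02.000200 IP 198.51.100.5.10002 > 203.0.113.20.443: Flags [S], seq 2000, win 65535, length 0
10:00:04.000200 IP 198.51.100.5.10004 > 203.0.113.40.443: Flags [S], seq 4000, win 65535, length 0
10:00:04.020000 IP 203.0.113.40.443 > 198.51.100.5.10004: Flags [S.], seq 7000, ack 4001, win 29200, length 0
"""

# Verdicts, one per place the handshake can stop.
OK = "handshake completed end to end; look above TCP (TLS, firewall inspection)"
NOT_FORWARDED = "SYN seen on the internal side only: the BIG-IP did not forward it (no matching VS, or dropped)"
NO_UPSTREAM_REPLY = "SYN left the external interface but no SYN-ACK came back: problem is beyond the BIG-IP (firewall/upstream)"
REPLY_LOST_ON_BIGIP = "SYN-ACK arrived on the external side but never reached the client: BIG-IP dropped the return traffic (check SNAT/return routing)"

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def handshake_counts(capture_text):
    """Count SYNs sent to, and SYN-ACKs received from, each server endpoint.

    Keying on the server side (dst of a SYN, src of a SYN-ACK) is what makes
    the two captures comparable: SNAT rewrites the client address and port on
    the external side, but the server endpoint is the same on both interfaces.
    """
    counts = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S":          # client -> server SYN
            counts[(m["dst"], int(m["dport"]))]["syn"] += 1
        elif m["flags"] == "S.":       # server -> client SYN-ACK
            counts[(m["src"], int(m["sport"]))]["synack"] += 1
    return counts


def locate_failure(internal_text, external_text):
    """Return {(server_ip, port): verdict} by comparing both sides of the BIG-IP."""
    inside = handshake_counts(internal_text)
    outside = handshake_counts(external_text)
    verdicts = {}
    for server in sorted(set(inside) | set(outside)):
        i, o = inside[server], outside[server]
        if i["synack"]:
            verdicts[server] = OK                 # client saw the reply
        elif o["synack"]:
            verdicts[server] = REPLY_LOST_ON_BIGIP  # reply stopped at the BIG-IP
        elif o["syn"]:
            verdicts[server] = NO_UPSTREAM_REPLY    # forwarded, nothing came back
        elif i["syn"]:
            verdicts[server] = NOT_FORWARDED        # never left the BIG-IP
    return verdicts


if __name__ == "__main__":
    for (ip, port), verdict in locate_failure(INTERNAL_CAPTURE, EXTERNAL_CAPTURE).items():
        print(f"{ip}:{port} -> {verdict}")
```

To use it on a real failure, capture both sides at the same time (for example `tcpdump -nni <internal_vlan> host <client_ip>` and `tcpdump -nni <external_vlan> host <server_ip>`), save the text output, and feed the two files to locate_failure. Filtering on the affected client's address keeps the per-server counts from being swamped by users for whom the site works; the SNAT address and the server endpoint are what let the external capture be matched to the internal one.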