Forum Discussion
Ricardo_Raza_14
Nimbostratus
Feb 18, 2019
Configure load balancing for web application and mobile application
Hi, I have a client that has a web application and a mobile application working on the same server and the same port, using the same certificate.
backend web server: 172.x.x.10: 443
mobile app...
Ricardo_Raza_14
Nimbostratus
Feb 19, 2019
Hi, the client said that it is not possible to change anything in their configuration.
The configuration of the virtual server (vs) is:
# Virtual server on 10.x.x.10:443 (tcp). The attached profiles are a client-ssl
# profile (clientside), an http profile, a server-ssl profile (serverside) and a
# tcp profile: TLS is terminated on the BIG-IP, the traffic is handled as HTTP,
# and it is re-encrypted towards the pool.
# - `disabled`: as listed, the virtual server is administratively disabled.
#   NOTE(review): confirm this is intended before comparing working and
#   non-working traffic.
# - `source 0.0.0.0/0`: no source-address restriction on this listener.
# - `source-address-translation { type automap }`: pool members see a BIG-IP
#   self IP as the source address. /Common/http_xxx has
#   `insert-xforwarded-for disabled`, so the client address is not passed to the
#   backend in X-Forwarded-For either; backend access logs will not identify
#   the client.
# - The tcp profile has no `context`, so it presumably applies to both the
#   client and the server side; verify.
ltm virtual /Common/vs_prod_xxx {
destination /Common/10.x.x.10:443
disabled
ip-protocol tcp
mask 255.255.255.255
pool /Common/pool_xxxx_produccion
profiles {
/Common/cliente_ssl_xxx_prod {
context clientside
}
/Common/http_xxx { }
/Common/server_ssl_xxx_prod {
context serverside
}
/Common/tcp-lan-optimized-xxx { }
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
}
# Pool with eight members, 172.x.x.5 through 172.x.x.12.
# - Every member is defined with service port 0 (`:0`), i.e. a wildcard port.
#   NOTE(review): with a wildcard member port the server-side connection
#   presumably keeps the port the client connected to (443); confirm.
# - `monitor /Common/gateway_icmp`: the only health check is ICMP
#   reachability. It does not establish that the HTTPS service on a member
#   answers or presents the expected certificate, so a member with a failed
#   web service can stay marked up.
#   NOTE(review): consider an HTTPS monitor; verify how it must be configured
#   for wildcard-port members.
________________________________________________________________________________ Pools ________________________________________________________________________________ltm pool /Common/pool_xxx_produccion {
members {
/Common/nodo_xxx_prod10:0 {
address 172.x.x.10
}
/Common/nodo_xxx_prod11:0 {
address 172.x.x.11
}
/Common/nodo_xxx_prod12:0 {
address 172.x.x.12
}
/Common/nodo_xxx_prod5:0 {
address 172.x.x.5
}
/Common/nodo_x.x_prod6:0 {
address 172.x.x.6
}
/Common/nodo_xxx_prod7:0 {
address 172.x.x.7
}
/Common/nodo_xxx_prod8:0 {
address 172.x.x.8
}
/Common/nodo_xxx_prod9:0 {
address 172.x.x.9
}
}
monitor /Common/gateway_icmp
}
# Client-side TLS profile: the BIG-IP presents xxx_prod.crt / xxx_prod.key to
# clients (both in `cert`/`key` and in the `cert-key-chain` entry).
# - `chain none`: no intermediate chain is configured, so only the leaf
#   certificate is sent.
#   NOTE(review): if xxx_prod.crt was issued by an intermediate CA, clients
#   that do not fetch missing intermediates (often mobile app TLS stacks) may
#   reject the handshake while desktop browsers succeed; verify in the captures.
# - `ciphers DEFAULT` with `cipher-group none`: protocol versions and cipher
#   suites are whatever DEFAULT expands to on the installed TMOS version.
#   `options` only sets dont-insert-empty-fragments; no protocol version is
#   explicitly disabled here.
#   NOTE(review): check the expansion with `tmm --clientciphers 'DEFAULT'`.
# - `renegotiation enabled`, `secure-renegotiation require`,
#   `max-renegotiations-per-minute 5`: client-initiated renegotiation is
#   allowed, limited to 5 per minute.
# - `passphrase none`: no passphrase is configured for the key.
# - `server-name none`, `sni-default false`, `sni-require false`: the profile
#   does not select on SNI.
# - `ocsp-stapling disabled`, `session-ticket disabled`.
________________________________________________________________________________ Profiles ________________________________________________________________________________ltm profile client-ssl /Common/cliente_ssl_xxx_prod {
alert-timeout indefinite
allow-dynamic-record-sizing disabled
allow-non-ssl disabled
app-service none
cache-size 262144
cache-timeout 3600
cert /Common/xxx_prod.crt
cert-key-chain {
xxx_prod {
cert /Common/xxx_prod.crt
key /Common/xxx_prod.key
}
}
chain none
cipher-group none
ciphers DEFAULT
defaults-from /Common/clientssl
generic-alert enabled
handshake-timeout 10
inherit-certkeychain false
key /Common/xxx_prod.key
max-active-handshakes indefinite
max-aggregate-renegotiation-per-minute indefinite
max-renegotiations-per-minute 5
maximum-record-size 16384
mod-ssl-methods disabled
mode enabled
notify-cert-status-to-virtual-server disabled
ocsp-stapling disabled
options { dont-insert-empty-fragments }
passphrase none
peer-no-renegotiate-timeout 10
proxy-ssl disabled
proxy-ssl-passthrough disabled
renegotiate-max-record-delay indefinite
renegotiate-period indefinite
renegotiate-size indefinite
renegotiation enabled
secure-renegotiation require
server-name none
session-mirroring disabled
session-ticket disabled
session-ticket-timeout 0
sni-default false
sni-require false
ssl-sign-hash any
strict-resume disabled
unclean-shutdown enabled
}
# Reverse-proxy HTTP profile (`proxy-type reverse`) inheriting from /Common/http.
# - `insert-xforwarded-for disabled`: the BIG-IP does not add the client
#   address to requests. The virtual server uses SNAT automap, so the backend
#   has no record of the original client IP.
# - `accept-xff disabled`, `xff-alternative-names none`: the BIG-IP does not
#   take the client address from a received X-Forwarded-For header.
# - `header-erase none`, `header-insert none`: no request header is removed or
#   added by this profile.
#   NOTE(review): a client-supplied X-Forwarded-For is therefore presumably
#   forwarded unchanged; the backend should not treat it as trustworthy.
# - `server-agent-name BigIP`: presumably the Server header value on responses
#   the BIG-IP generates itself, which identifies the product; verify.
# - `enforcement`: at most 128 headers and 327680 bytes of header data per
#   request; `max-requests 0` presumably means no per-connection request
#   limit (confirm).
# - `encrypt-cookies none`: no cookie is encrypted by this profile.
ltm profile http /Common/http_xxx {
accept-xff disabled
app-service none
basic-auth-realm none
defaults-from /Common/http
encrypt-cookies none
enforcement {
max-header-count 128
max-header-size 327680
max-requests 0
}
header-erase none
header-insert none
insert-xforwarded-for disabled
lws-separator none
lws-width 80
oneconnect-transformations enabled
proxy-type reverse
redirect-rewrite none
request-chunking preserve
response-chunking selective
response-headers-permitted none
server-agent-name BigIP
sflow {
poll-interval-global no
sampling-rate-global no
}
via-request preserve
via-response preserve
xff-alternative-names none
}
# Server-side TLS profile: the BIG-IP acts as the TLS client towards the pool
# members.
# - `cert` / `key` xxx_prod: on a server-ssl profile these are the credentials
#   the BIG-IP offers if the backend requests a client certificate. They are
#   the same xxx_prod pair that the client-ssl profile presents to the public.
#   NOTE(review): confirm the backend actually requires a client certificate.
# - No `peer-cert-mode` or `ca-file` line appears in this listing, so it cannot
#   be told from here whether the backend certificate is verified.
#   TODO confirm on the device.
# - `server-name none`: no SNI name is configured for the server-side
#   handshake.
#   NOTE(review): if the backend selects the web or the mobile site by SNI on
#   the shared IP and port, this could matter; verify in the captures.
# - `ciphers DEFAULT` with `cipher-group none`: suites and protocol versions
#   are whatever DEFAULT expands to on the installed TMOS version.
# - `renegotiation enabled`, `secure-renegotiation require-strict`.
ltm profile server-ssl /Common/server_ssl_xxx_prod {
alert-timeout indefinite
app-service none
bypass-on-client-cert-fail disabled
bypass-on-handshake-alert disabled
cache-size 262144
cache-timeout 3600
cert /Common/xxx_prod.crt
chain none
cipher-group none
ciphers DEFAULT
defaults-from /Common/serverssl
generic-alert enabled
handshake-timeout 10
key /Common/xxx_prod.key
max-active-handshakes indefinite
mod-ssl-methods disabled
mode enabled
options { dont-insert-empty-fragments }
proxy-ssl disabled
proxy-ssl-passthrough disabled
renegotiate-period indefinite
renegotiate-size indefinite
renegotiation enabled
secure-renegotiation require-strict
server-name none
session-mirroring disabled
session-ticket disabled
sni-default false
sni-require false
ssl-forward-proxy disabled
ssl-forward-proxy-bypass disabled
ssl-sign-hash any
strict-resume disabled
unclean-shutdown enabled
}
# TCP profile inheriting from /Common/tcp-lan-optimized.
# - `idle-timeout 300`: idle connections expire after 300 (presumably seconds;
#   confirm the unit).
# - `reset-on-timeout disabled`: no reset is sent when a connection times out.
#   NOTE(review): a client whose connection expired this way is presumably not
#   told; keep this in mind when reading the packet captures.
# - `keep-alive-interval 1800` is longer than `idle-timeout 300`, so
#   keep-alives presumably never fire before the idle timeout; verify.
ltm profile tcp /Common/tcp-lan-optimized-xxx {
app-service none
close-wait-timeout 30
defaults-from /Common/tcp-lan-optimized
fin-wait-2-timeout 300
fin-wait-timeout 30
idle-timeout 300
keep-alive-interval 1800
minimum-rto 1000
reset-on-timeout disabled
time-wait-recycle enabled
time-wait-timeout 5000
zero-window-timeout 50000
}
RaghavendraSY
Altostratus
Feb 20, 2019
Can you please provide packet captures of both the working and the non-working case? In the meantime, you can also open a ticket with F5 support.