Forum Discussion
Configuring VS to access LTM
I have 2 management interfaces, x.x.10.1 and x.x.20.1. I normally access the device through 20.1. So I created a vs to access 10.1. However, looking at the tcpdump, I don't see any response back from 10.1 when I access it through the vs. Thus, I get "page cannot be displayed". If I access 10.1 without going through the vs, it works fine. Just wondering if anyone knows what the issue may be off the top of their heads.
The reason I created a vs to access the device was so I can apply an access policy I created to use 2FA. The policy authenticates the user against LDAP and then, if successful, prompts for your CAC, checks its validity and, if successful, allows the user through to the pool member. In this case, 10.1. From the tcpdump, I see this happening. Again, I just don't see any response from 10.1.
- IheartF5_45022 (Nacreous)
So you are trying to access your management interface from a virtual server? It's either not possible or else you have to have a route to mgmt int from TMM via an external router.
- Sonny (Cirrus)
Yes, I had a feeling that was going to be the answer but was hoping it wasn't. In reading the release notes for 12, I don't see any mention of the APM enhancement. Mainly, the reason I went down this path was that in 11.6 HF5, when you create a "system authentication" access policy, it doesn't have the other options you get when you create an "all". It basically can only do AD, LDAP, HTTP, RADIUS, and TACACS+ authn. All are single-factor. I need the ability to do 2FA.
- Kevin_Stewart (Employee)
I'm assuming you're trying to pool to the other self IP? In a nutshell, internal routing prohibits this. Remove the pool and add this iRule:
when ACCESS_ACL_ALLOWED { node 127.0.0.1 443 }
Of course you'll need a server SSL profile applied to the VIP, and you may need to experiment with the node IP depending on BIG-IP version.
- Kevin_Stewart (Employee)
I'm gathering that Sonny wants to do APM authentication in front of the management GUI, because mgmt doesn't support 2FA. For that you need the iRule.
- Sonny (Cirrus)
Yes, I want APM authn in front of the management GUI. I tried the irule and got the same result.
when ACCESS_ACL_ALLOWED { node x.x.10.190 443 }
- Kevin_Stewart (Employee)
It seems to depend on your BIG-IP version. On 11.6 I can use 127.0.0.1, but in 12.0 I have to use the real management port IP (not a VLAN self-ip).
- Sonny (Cirrus)
Hmm, I tried the irule with 127.0.0.1 and it's the same result.
- Sonny (Cirrus)
If it helps, I've posted my AP:
apm policy access-policy /Common/ap_CAC {
    default-ending /Common/ap_CAC_end_deny
    items {
        /Common/ap_CAC_act_ldap_auth { }
        /Common/ap_CAC_act_logon_page_1 { }
        /Common/ap_CAC_act_ocsp_auth { }
        /Common/ap_CAC_act_ondemand_cert_auth { }
        /Common/ap_CAC_end_allow { }
        /Common/ap_CAC_end_deny { }
        /Common/ap_CAC_ent { }
    }
    start-item /Common/ap_CAC_ent
}
- Kevin_Stewart (Employee)
What BIG-IP version are you running?
You need a single APM VIP:
- HTTP profile
- Access profile
- Client SSL profile
- Server SSL profile (parent serverssl will do)
- SNAT Automap
iRule:
when ACCESS_ACL_ALLOWED { node 127.0.0.1 443 }
Or, depending on platform:
when ACCESS_ACL_ALLOWED { node [management port ip] 443 }
You may also try the CLIENT_ACCEPTED event, but I don't think that matters. This configuration definitely works in 11.4+ and 12.0.
So if the above still fails, what errors are you getting?
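The virtual server Kevin lists, written out as tmsh configuration. This is an added example, not configuration from the original thread or from F5. The object names (`irule_apm_to_mgmt`, `vs_mgmt_gui`), the virtual address 192.0.2.10, the management-IP placeholder 192.0.2.1, and the access-profile name `ap_CAC` are all assumptions (the thread only shows the access-policy object of that name); substitute your own.

```tmsh
# Added example (not from the thread). Object names, 192.0.2.10 (VS address),
# 192.0.2.1 (management IP placeholder) and the access profile name ap_CAC
# are assumptions; adjust to your environment.

# iRule: once the APM policy has reached its Allow ending, send the request
# to the BIG-IP host (management GUI) instead of a pool. No pool is attached,
# so nothing reaches the GUI until the policy has allowed the session.
create ltm rule irule_apm_to_mgmt {
when ACCESS_ACL_ALLOWED {
    # 11.x: the loopback address reaches the host's httpd.
    node 127.0.0.1 443
    # 12.0 (per Kevin's note): use the real management-port address instead,
    # not a VLAN self IP. 192.0.2.1 is a placeholder for your management IP.
    # node 192.0.2.1 443
}
}

# One APM virtual server: HTTP, client SSL, server SSL (the parent serverssl
# profile is enough), the access profile, SNAT automap so the host sees a local
# source address, and no default pool.
create ltm virtual vs_mgmt_gui {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        clientssl { context clientside }
        serverssl { context serverside }
        ap_CAC { }
    }
    rules { irule_apm_to_mgmt }
    source-address-translation { type automap }
}

# Check the iRule compiled and the virtual server is up before testing.
list ltm rule irule_apm_to_mgmt
show ltm virtual vs_mgmt_gui
```

Loading https://192.0.2.10/ should first show the APM logon page (LDAP credentials, then the CAC prompt and OCSP check) and only afterwards the management GUI. If the browser still reports no response, capture with `tcpdump -ni 0.0 port 443` from bash while a session passes the Allow ending: after `ACCESS_ACL_ALLOWED` fires you should see a SYN-ACK back from the node address; repeated SYNs with no reply mean the `node` address is not reachable from TMM on your version, which is the symptom to try the other address for. One caveat this thread only touches in passing: the direct path to the management address still bypasses APM entirely, so the 2FA is only enforced if that path is restricted (for example `modify sys httpd allow replace-all-with { <jump-host> }`, keeping whatever source the VS uses after SNAT on the list); otherwise it is merely optional.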
- Sonny (Cirrus)
I'm running 11.6 HF5. Yes, I have all the requirements you mentioned. I get the "This page can’t be displayed" error. Again, I'm not seeing any response back from the management IP, .10.1:
11:04:19.253489 IP (tos 0x0, ttl 255, id 63914, offset 0, flags [DF], proto: TCP (6), length: 48) x.x.20.3.62226 > x.x.10.1.https: S, cksum 0x2077 (correct), 610255474:610255474(0) win 4380
11:04:22.282875 IP (tos 0x0, ttl 255, id 63918, offset 0, flags [DF], proto: TCP (6), length: 48) x.x.20.3.62226 > x.x.10.1.https: S, cksum 0x2077 (correct), 610255474:610255474(0) win 4380
11:04:25.307598 IP (tos 0x0, ttl 255, id 63922, offset 0, flags [DF], proto: TCP (6), length: 48) x.x.20.3.62226 > x.x.10.1.https: S, cksum 0x2077 (correct), 610255474:610255474(0) win 4380