Configuring VS to access LTM
I have 2 management interfaces, x.x.10.1 and x.x.20.1. I normally access the device through 20.1. So I created a VS to access 10.1. However, looking at the tcpdump, I don't see any response back from 10.1 when I access it through the VS. Thus, I get "page cannot be displayed". If I access 10.1 without going through the VS, it works fine. Just wondering if anyone knows what the issue may be off the top of their heads.
The reason I created a VS to access the device was so I can apply an access policy I created to use 2FA. The policy authenticates the user against the LDAP and then, if successful, prompts for your CAC and does a check for validity; if that succeeds, it allows the user to the pool member, in this case 10.1. From the tcpdump, I see this happening. Again, I just don't see any response from 10.1.
- Kevin_Stewart (Employee)
Okay, try this. Point your iRule at one of the VLAN self-IPs and disable SNAT in the LTM/APM VIP. That should also work.
- SonnyCirrus
Did what you suggested... same result. I noticed that the error page came up faster compared to when the iRule points to the management IP... most likely because the self-IP is on the same network as the VS, whereas the management IP is not. I've tried both ways, with SNAT set to automap and set to none.
- Kevin_Stewart (Employee)
> most likely because the self-IP is on the same network as the VS
That shouldn't matter. I just tested again with an internal VLAN self-IP that I can't access locally, and that worked. SNAT must definitely be disabled when using a self-IP. Very strange.
- SonnyCirrus
Thanks for your help Kevin. I'll keep at it. I'm a magnet for the oddities.
- SonnyCirrus
Here's an oddity that I don't know why it's happening. I decided to delete the VS and create a new one. I did NOT apply the AP nor the iRule. I tested the VS and it's prompting me for my CAC cert/PIN!!! I tried this on 2 separate browsers!
- SonnyCirrus
Kevin, I'm thinking the reason I'm not getting any response back from the management IP is because of the access policy. Can you post the policy you used? If not, here's mine. Do you see any differences between mine and yours?

```tmsh
apm policy access-policy /Common/ap_simpleLogon {
    default-ending /Common/ap_simpleLogon_end_deny
    items {
        /Common/ap_simpleLogon_act_logon_page_1 { }
        /Common/ap_simpleLogon_end_allow { }
        /Common/ap_simpleLogon_end_deny { }
        /Common/ap_simpleLogon_ent { }
    }
}
```
- Kevin_Stewart (Employee)
Just try a simple
start -> logon page -> allow
- SonnyCirrus
I modified my iRule to .20.1 and I now see the response back. Using the simple logon AP, or any of my APs that just authenticate to the LDAP, gives me the F5 logon page. However, if I use an AP that does both CAC and LDAP it does NOT give me the logon page but rather the same "page cannot be displayed". It's the same if I use an AP that does ONLY the CAC authentication. So can we think of why this would be the case?
- Kevin_Stewart (Employee)
The low hanging fruit seems to be the CAC authn. Are you certain that you have the correct CA trust bundle in your client SSL profile? How are you prompting for client cert? On-demand cert auth or client cert inspection?
- SonnyCirrus
Ahh, that was it. I didn't have the CA trust bundle selected in the client SSL profile. Works like a champ now! Yes, I'm doing On-Demand cert auth.
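The configuration the thread converges on, written out as one added tmsh (bigip.conf-style) example: the virtual server that fronts the box's own HTTPS GUI with SNAT disabled, as Kevin suggested earlier, and a client SSL profile that carries the Trusted Certificate Authorities bundle whose absence turned out to be the actual fault. This is not configuration posted by either participant. The object names, the VS address x.x.10.50, the self-IP x.x.20.10, the cert/key names and the CA bundle file name are placeholders I assumed; /Common/ap_cac_ldap stands for the On-Demand Cert Auth + LDAP access policy built in the GUI; and a pool is used instead of the iRule the original poster used to steer traffic, since the iRule itself is not on the page.

```tmsh
# Added example, not from the thread. All names and addresses are placeholders.

# Client SSL profile for the APM virtual server. The setting the original
# poster was missing is ca-file ("Trusted Certificate Authorities" in the GUI):
# without it the BIG-IP has no trust anchor to validate the CAC certificate
# against, so the On-Demand Cert Auth agent cannot succeed and the browser is
# left with the error page instead of the logon page.
ltm profile client-ssl /Common/clientssl_cac {
    defaults-from /Common/clientssl
    cert-key-chain {
        default {
            cert /Common/vs_mgmt.crt
            key /Common/vs_mgmt.key
        }
    }
    # CA bundle containing the issuing chain for the CAC certificates.
    ca-file /Common/ca_bundle_cac.crt
    # Assumption: with On-Demand Cert Auth the agent requests the client
    # certificate itself via a renegotiation after the logon page, so the
    # profile does not need to demand one at the initial handshake, but
    # renegotiation must stay enabled for the agent to work.
    peer-cert-mode ignore
    renegotiation enabled
}

# Back end: one of the box's own addresses. Per Kevin's suggestion, target a
# VLAN self-IP (placeholder x.x.20.10) rather than the management IP.
ltm pool /Common/pool_mgmt_gui {
    members {
        /Common/x.x.20.10:443 {
            address x.x.20.10
        }
    }
    monitor /Common/https
}

# The VS the user connects to. SNAT is explicitly off (type none); the thread
# found that the self-IP target only worked with SNAT disabled. The access
# profile is what enforces LDAP + CAC before any request reaches the GUI.
ltm virtual /Common/vs_mgmt_2fa {
    destination /Common/x.x.10.50:443
    mask 255.255.255.255
    ip-protocol tcp
    pool /Common/pool_mgmt_gui
    profiles {
        /Common/tcp { }
        /Common/http { }
        /Common/clientssl_cac {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/ap_cac_ldap { }
    }
    source-address-translation {
        type none
    }
    vlans {
        /Common/external
    }
    vlans-enabled
}
```

Two checks worth making before blaming the access policy, as the poster did for a while: first, whatever address the pool points at must actually accept HTTPS from the data plane, which for a self-IP means its Port Lockdown must permit tcp/443 (Allow Default does, Allow None does not); second, confirm the client SSL profile shows a non-empty ca-file with `tmsh list ltm profile client-ssl clientssl_cac ca-file`, since a profile with cert auth configured but no trust bundle fails exactly the way described in the thread, with no response ever reaching the browser.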