F5 Local traffic policy / wrong requirement!
Hi,
I worked on a customer deployment where we wanted to create a virtual server to dispatch HTTPS requests to internal virtual servers based on the Host header.
In version 13.0, there is a condition "ssl-extension server-name". I thought: great, I can create the main VS without an HTTP profile and filter based on the SNI extension.
So I tried to create an ltm policy with rules like:
- condition: Server name equals "mysite1.company.com"
- action: forward virtual server VS-mysite1.company.com
And I tried to assign it to a VS with only a ClientSSL profile. I can't because of policy requirements... When I looked at the policy configuration in tmsh, the policy requires "http ssl-persistence", which is weird when I look at the rule configuration.
In versions 11.x, this configuration was manual, but starting with version 12 it is created automatically when selecting rule conditions and actions. I didn't check whether the requirements selected are also wrong in v12.
So I tried to create a policy and looked at the generated configuration in tmsh.
Policy without a rule:
    ltm policy Drafts/bug_policy_requires {
        last-modified 2017-08-28:18:36:02
        status draft
        strategy first-match
    }
Policy with one rule assigning a pool, without a condition:
    ltm policy Drafts/bug_policy_requires {
        controls { forwarding }
        last-modified 2017-08-28:18:37:17
        requires { http }
        rules {
            rule_no_condition {
                actions {
                    0 {
                        forward
                        select
                        pool Pool_icap
                    }
                }
            }
        }
        status draft
        strategy first-match
    }
What configuration in this rule requires "http"???
Policy with one rule assigning a pool and with an SNI condition:
    ltm policy Drafts/bug_policy_requires {
        controls { forwarding }
        last-modified 2017-08-28:18:38:20
        requires { http ssl-persistence }
        rules {
            rule_condition_sni {
                actions {
                    0 {
                        forward
                        select
                        pool pool_ad_http
                    }
                }
                conditions {
                    0 {
                        ssl-extension
                        ssl-client-hello
                        server-name
                        values { test.company.com }
                    }
                }
                ordinal 1
            }
            rule_no_condition {
                actions {
                    0 {
                        forward
                        select
                        pool Pool_icap
                    }
                }
            }
        }
        status draft
        strategy first-match
    }
Why "ssl-persistence" and not "client-ssl", which may be the best requirement?
- Danielle_Alper1Nimbostratus
Hi, did you find any answer for this? I'm also confused about this requirement. (My customer has an APM-based license, so SSL Persistence is not even an option for us.)
- Danielle_Alper1Nimbostratus
Thanks!
- Stanislas_Piro2Cumulonimbus
Eric Chen answered this question in the article SNI Routing with BIG-IP.
The http requirement was caused by the default "request time" I used in the forward pool action; changing it to "SSL client hello time" solved this.
The ssl-persistence requirement means at least one SSL-aware profile must be enabled to support "SSL client hello time" events; ssl-persistence or client-ssl are supported (explained in the article).
If SSL persistence is not available in non-LTM standalone products, use this code.
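Putting the two answers together, here is a corrected version of the policy from the thread, written as an added example (it is not the original poster's configuration and not text from the SNI Routing article). The forward action fires at the SSL client hello event instead of the default request time, so the generated requirement no longer needs "http", and the policy is attached to a virtual server that carries a client-ssl profile, which satisfies the "ssl-persistence or client-ssl" requirement. The hostname mysite1.company.com and the target VS-mysite1.company.com come from the original post; the policy name sni_routing, the front-end virtual server vs_sni_dispatch and its address 192.0.2.10 are assumptions. The ssl-client-hello keyword inside the action is the tmsh spelling of the "SSL client hello time" setting, and the requires block is shown as BIG-IP is expected to generate it from these rules.

```tmsh
# Added example, not the thread's own config. Names sni_routing and
# vs_sni_dispatch and the address 192.0.2.10 are assumptions.
ltm policy sni_routing {
    controls { forwarding }
    requires { client-ssl }
    rules {
        mysite1 {
            actions {
                0 {
                    forward
                    ssl-client-hello
                    select
                    virtual VS-mysite1.company.com
                }
            }
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { mysite1.company.com }
                }
            }
            ordinal 1
        }
        no_match {
            actions {
                0 {
                    forward
                    ssl-client-hello
                    reset
                }
            }
            ordinal 2
        }
    }
    strategy first-match
}

# Front-end virtual server: no HTTP profile, only TCP plus a client-ssl
# profile so the client hello event is available to the policy.
ltm virtual vs_sni_dispatch {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        clientssl { context clientside }
        tcp { }
    }
    policies {
        sni_routing { }
    }
}
```

The front-end virtual server only reads the server name from the unencrypted ClientHello and hands the connection to VS-mysite1.company.com, which terminates TLS with its own client-ssl profile and certificate for that hostname. The second rule is the check worth keeping: with first-match strategy, a ClientHello whose SNI matches nothing should be reset rather than left to fall through to whatever the front-end VS would do with it.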