Forum Discussion
LTM HTTP explicit forward proxy and route domains
Hi,
I have a simple lab setup for LTM + HTTP explicit forward proxy, no SSL interception, just CONNECT handling. When I test this in a single route domain it works OK. I have a requirement to use a different route domain for the egress traffic. So I configured the egress VLAN/Self IP/SNAT and explicit proxy in the HTTP profile into the new RD1. I set up a default route in RD1 and leave a single static route in RD0 for my client traffic. Now when I test I can see the DNS resolver working OK through the egress VLAN/RD1, but I get a 503 after that from the F5; no server-side traffic is seen in tcpdumps, just DNS. I checked the HTTP packets sent back to the client and see a connection failed as well as the 503.
After troubleshooting I was able to get this to work by changing the RD1 parent name from 'none' to '0', the default partition. I can't figure out why I need to have the parent set to 0 when the only route in that RD is a static route for the client traffic, and why this would make the connection fail otherwise.
Any ideas?
thanks
2 Replies
- andrew_C1
Nimbostratus
Hi, I just ran into this, but I didn't have anything configured in route domain 0. The result was I was getting instant 503s.
I figured I would post a reply because I found this via Google, so other people might as well :).
What I found confusing is that regular HTTP traffic worked just fine; it was only Proxy CONNECT that was failing. After bashing my head against a wall for a few hours, I finally noticed that within the explicit proxy profile there is a field for route domain which defaults to 0. As you can guess, the second I changed it all was good.
- PSilva
Ret. Employee
Not sure if this answers your question but from:
A route domain ID is a unique numerical identifier for a route domain. You can assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and gateway addresses) to a route domain by appending the %ID to the IP address.
The format required for specifying a route domain ID in an object’s IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, both the local traffic node object 10.10.10.30%2 and the pool member 10.10.10.30%2:80 pertain to route domain 2.
The BIG-IP system includes a default route domain with an ID of 0. If you do not explicitly create any route domains, all routes on the system pertain to route domain 0.
Important: A route domain ID must be unique on the BIG-IP system; that is, no two route domains on the system can have the same ID.
Hope that helps?
ps
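
The following is an added example, not part of the thread and not F5 code: it parses the `A.B.C.D%ID[:port]` format quoted above and lists egress objects whose route domain differs from the one set in the explicit proxy profile, the mismatch described in the first reply. The function names and all addresses are constructed, and treating an address without `%ID` as route domain 0 is an assumption.

```python
import ipaddress
import re

# A.B.C.D%ID with an optional :port, the format quoted in the reply above.
_RD_ADDR = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:%(?P<rd>\d+))?(?::(?P<port>\d+))?$"
)


def parse_rd_address(text):
    """Split 'A.B.C.D%ID[:port]' into (IPv4Address, route_domain_id, port or None)."""
    m = _RD_ADDR.match(text.strip())
    if not m:
        raise ValueError(f"not A.B.C.D with optional %ID and :port: {text!r}")
    ip = ipaddress.IPv4Address(m.group("ip"))  # raises ValueError on octets > 255
    # Assumption: no %ID means route domain 0 (a partition default is ignored here).
    rd = int(m.group("rd")) if m.group("rd") is not None else 0
    port = int(m.group("port")) if m.group("port") is not None else None
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return ip, rd, port


def route_domain_mismatches(proxy_rd, egress_objects):
    """Return (name, address, rd) for objects outside the proxy profile's route domain."""
    mismatches = []
    for name, addr in egress_objects.items():
        _, rd, _ = parse_rd_address(addr)
        if rd != proxy_rd:
            mismatches.append((name, addr, rd))
    return mismatches


# Constructed lab values (documentation address range), not taken from the thread.
EGRESS_OBJECTS = {
    "egress_self_ip": "192.0.2.10%1",
    "egress_snat": "192.0.2.11%1",
    "rd1_default_gateway": "192.0.2.1%1",
}

if __name__ == "__main__":
    # 0 is the profile default mentioned in the first reply; 1 is the egress RD.
    for proxy_rd in (0, 1):
        bad = route_domain_mismatches(proxy_rd, EGRESS_OBJECTS)
        print(f"explicit proxy route domain {proxy_rd}: {len(bad)} mismatch(es)")
        for name, addr, rd in bad:
            print(f"  {name} {addr} is in route domain {rd}")
```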