Forum Discussion

dragonflymr
Jun 13, 2016

nexthop and tunnel - is that working for VIP to VIP?

Hi,

 

Best practice for explicit forward proxy with SSL Intercept is to set BIGIP like that:

 

  • proxy VS - explicit HTTP profile with a tunnel configured (via the Tunnel Name option), Default Connect Handling option set to Deny. This is the main VS - clients use its IP and port as the proxy
  • HTTPS VS - standard reverse type HTTP profile, client/server SSL profiles attached, VS Enabled on the tunnel configured via the explicit HTTP profile attached to the proxy VS (see above). Can be set to listen on port 443, any other port, or all ports.
  • the tunnel used is defined as tcp-forward type

The above config works without issue; all CONNECT type requests are passed to the HTTPS VS via the configured tunnel.

 

Considering the above, I hoped it would be possible to use a similar setup using an iRule with the nexthop command configured like this: nexthop "tcp-forward type tunnel name" (I also tried /Common/tunel_name).

 

But I never managed to pass any traffic via this tunnel: the CLIENT_ACCEPTED event was never triggered on the VS enabled on the tunnel used in nexthop.

 

Is it possible to use nexthop like that? If so, how:

  • in which event should it be called, or does it not matter?
  • what tunnel type can be used, if not the tcp-forward type?

 

Piotr

 

  • When nexthop is used as I described, there is this message in the log when a client connects to the VS with the iRule: "Inet port exhaustion on 10.24.17.120 to 10.24.17.15:5151 (proto 6)" Piotr
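For reference, the three-object explicit-proxy layout the post describes as working (tcp-forward tunnel, explicit HTTP profile with CONNECT denied and handed to the tunnel, HTTPS VS enabled only on that tunnel), written out as tmsh configuration. This is an added example, not configuration from the original post or from F5; the object names (fwd_tunnel, http_explicit, proxy_vs, https_vs, proxy_resolver) and the addresses are placeholders, and the attribute names should be checked against the tmsh reference for the TMOS version in use before applying.

```tmsh
# Added example: explicit forward proxy with SSL intercept via a tcp-forward tunnel.
# All names, addresses and ports below are placeholders, not values from the post.

# 1. Tunnel that carries CONNECT traffic from the proxy VS to the HTTPS VS
create net tunnels tunnel fwd_tunnel { profile tcp-forward }

# 2. Explicit HTTP profile: CONNECT is denied by default and passed to the tunnel,
#    which is what "Default Connect Handling: Deny" + "Tunnel Name" do in the GUI
create ltm profile http http_explicit {
    defaults-from http-explicit
    proxy-type explicit
    explicit-proxy {
        dns-resolver proxy_resolver
        tunnel-name fwd_tunnel
        default-connect-handling deny
    }
}

# 3. Proxy VS: the address:port that clients configure as their HTTP proxy
create ltm virtual proxy_vs {
    destination 192.0.2.10:3128
    ip-protocol tcp
    profiles { tcp { } http_explicit { } }
    source-address-translation { type automap }
}

# 4. HTTPS VS: reverse-type HTTP profile plus client/server SSL, listening only
#    on the tunnel (vlans-enabled + vlans { fwd_tunnel } is "VS Enabled on" the tunnel).
#    For actual SSL intercept the clientssl/serverssl profiles attached here must be
#    forward-proxy-enabled profiles; the default ones are used only as placeholders.
create ltm virtual https_vs {
    destination 0.0.0.0:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        clientssl { context clientside }
        serverssl { context serverside }
    }
    vlans-enabled
    vlans { fwd_tunnel }
    translate-address disabled
    translate-port disabled
    source-address-translation { type automap }
}
```

The point of the layout is that the HTTPS VS is reachable only through the tunnel, not on any external VLAN, so the only traffic that reaches the SSL-intercepting VS is what the explicit profile explicitly handed over via CONNECT. When troubleshooting, confirm that https_vs shows the tunnel under its enabled VLANs and that proxy_vs shows the explicit profile's tunnel-name pointing at the same object; a mismatch between those two is the usual reason CLIENT_ACCEPTED never fires on the tunnel-side VS.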