For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

VGF5's avatar
VGF5
Icon for Cumulonimbus rankCumulonimbus
Jun 08, 2017

Redirecting

Hi DC Experts,

 

I Created 2 seperate VIPs on 443 in dmz using internal VIPs as pool. Added the APM policy to dmz. But whe I am doing the curl to one of the internal VIP it is redirecting to external VIP.

 

< HTTP/1.1 302 Found < Vary: Origin < Access-Control-Allow-Origin: * < Location: < Content-Length: 0 < Date: Thu, 08 Jun 2017 20:13:05 GMT < Server: < Set-Cookie: BIGipServerdevgisportal_7443=1771569162.4893.0000; path=/; Httponly; Secure

 

And if I do curl on curl -kv

 

  • About to connect() to f5_dmz.pvt port 443 (0)
  • Trying 192.x.x.x... Connection refused
  • couldn't connect to host
  • Closing connection 0 curl: (7) couldn't connect to host

What is the reason and If I remove the policy in dmz I am getting error as

 

GET / HTTP/1.1

 

User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18 Host: devgisportal.med.com Accept: /

 

  • SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
  • Closing connection 0
application delivery
BIG-IP Access Policy Manager (APM)
LTM

5 Replies

  • P_K's avatar
    P_K
    Icon for Altostratus rankAltostratus
    Jun 09, 2017

    Hello Shri-

     

    Are you doing curl from DMZ f5 to internal VIP?

     

    is your pool up on the DMZ f5?

     

    Try doing curl directly on internal VIPs pool members from internal F5s CLI.

     

  • VGF5's avatar
    VGF5
    Icon for Cumulonimbus rankCumulonimbus
    Jun 09, 2017

    Hi,

     

    Internal pool members are UP.

     

    If I do curl on internal pool member and internal VIP output as below: < HTTP/1.1 302 Found < Vary: Origin < Access-Control-Allow-Origin: * < Location:

     

    Both are redirection to dmz VIP.

     

  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Jun 09, 2017

    Shri@, I did not understand you well. Are the pool members a virtual servers on the same box?

     

    Respectfully,

     

  • VGF5's avatar
    VGF5
    Icon for Cumulonimbus rankCumulonimbus
    Jun 09, 2017

    No it is different box. I have two devices A(DMZ) and B(Int). I created VIP on B first and I used B vip as pool mem in A(DMZ). So when I am doing curl on curl-kv it is giving out put as < HTTP/1.1 302 Found < Vary: Origin < Access-Control-Allow-Origin: * < Location:

     

    After that If I do curl on B device curl -kv Out put same as above. < HTTP/1.1 302 Found < Vary: Origin < Access-Control-Allow-Origin: * < Location:

     

  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Jun 09, 2017

    Shri@, If now I understand, you are trying this:

    On internal box B:

    curl-apd -kv --resolve f5_dmzg:443: https://f5_dmzg/arcgis/home
Result: All works fine

curl-apd -kv --resolve f5_dmzg:443: https://f5_dmzg/arcgis/home
Result: All works fine

 = backend server IP Address
 = Virtual Server Internal IP Address

    On dmz box A:

    curl-apd -kv --resolve f5_dmzg:443: https://f5_dmzg/arcgis/home
Result: All works fine

curl-apd -kv --resolve f5_dmzg:443: https://f5_dmzg/arcgis/home
Result: Fail

 = Virtual Server Internal IP Address
 = Virtual Server DMZ IP Address

    If is that result, I think you forget to set a "SSL Profile (Server)" on virtual server's DMZ Box.

    Regards.