Forum Discussion
SNAT not working with HTTPS
I have an iRule applied to a virtual server that will allow a server behind the F5 to connect to a VIP. When I do HTTP it works fine. HTTPS doesn't work. All I see are the SYNs and never see any ACKs. Here is how everything is set up.
client(10.63.136.14) ---> VIP(10.63.27.124) ----> server(10.63.136.11)
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.63.136.14] and [IP::addr [IP::local_addr clientside] equals 10.63.27.124] } {
        snat automap
    }
}
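A diagnostic variant of the rule above, added here as an example; it is not code from the original poster or from F5. It assumes the same client and VIP addresses as the thread and that the rule is attached to the HTTPS virtual server. The log line runs at CLIENT_ACCEPTED, which fires at layer 4 before any TLS handshake, so the addresses and the ingress VLAN are visible regardless of encryption. If no such line ever appears in /var/log/ltm for the 443 connections, the connection never reached the virtual server at all (wrong VLAN, or something upstream dropping port 443), which is a different problem from the SNAT logic.

```tcl
# Added example: diagnostic version of the thread's SNAT iRule.
# Assumptions: same addresses as the thread; attached to the HTTPS virtual server.
when CLIENT_ACCEPTED {
    # Log every new TCP connection to this virtual server, including the
    # ingress VLAN, before deciding anything about SNAT.
    log local0. "CLIENT_ACCEPTED: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] vlan [LINK::vlan_id]"

    if { [IP::addr [IP::client_addr] equals 10.63.136.14] and \
         [IP::addr [IP::local_addr] equals 10.63.27.124] } {
        snat automap
        log local0. "snat automap applied: [IP::client_addr] -> [IP::local_addr]"
    }
}
```

Comparing the logged VLAN name against the vlans list of the virtual server shows immediately whether the virtual server is enabled on the VLAN the client actually arrives on.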
13 Replies
- nitass
Employee
Can you post the virtual server configuration?
tmsh list ltm virtual (name)
- Dustin_Schueman
Nimbostratus
ltm virtual DIGITALMEDIAHUBTEST-PW.WWWINC.COM_HTTP_443_vs {
    destination 10.63.27.124:https
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        WWWINC.COM_SSL { context clientside }
        http { }
        tcp { }
    }
    rules {
        DIGITALMEDIAHUBTEST-PW.WWWINC.COM_SNAT
        DIGITALMEDIAHUBTEST-PW.WWWINC.COM_pw_redirect
    }
    source 0.0.0.0/0
    vlans { DMZ-Peoplesoft External }
    vlans-enabled
    vs-index 63
}
- Domai
Altostratus
Just for the heck of it, can you remove the iRule, assign SNAT to your HTTPS VS, and see if that works? Also, you are sending the traffic to the members listening on port 80, correct, since you are not using server-side SSL... you are terminating the SSL at the LTM itself?
- Dustin_Schueman
Nimbostratus
Still didn't work. Here is the config.
ltm virtual DIGITALMEDIAHUBTEST-PW.WWWINC.COM_HTTP_443_vs {
    destination 10.63.27.124:https
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        WWWINC.COM_SSL { context clientside }
        http { }
        tcp { }
    }
    rules {
        DIGITALMEDIAHUBTEST-PW.WWWINC.COM_pw_redirect
    }
    source 0.0.0.0/0
    source-address-translation { type automap }
    vlans { DMZ-Peoplesoft External }
    vlans-enabled
    vs-index 63
}
- Dustin_Schueman
Nimbostratus
I set up the iRule to log and I don't even see the request via HTTPS being logged. This is what I see with HTTP.
Jun 5 14:36:00 ROCANNF5 local0 info tmm[13141]: Rule /Common/DIGITALMEDIAHUBTEST-PW.WWWINC.COM_SNAT : 10.63.136.14, 10.63.27.124
- Dustin_Schueman
Nimbostratus
I performed a packet capture and the HTTP traffic gets SNATed to the self IP of the F5. The HTTPS traffic never looks like it gets NATed.
- Dustin_Schueman
Nimbostratus
Since it is HTTPS, is the iRule able to inspect the IPs, since it's encrypted?
- Domai_23823
Nimbostratus
I believe it's just the data packet that will be encrypted. You should still be able to see the IPs at the layer 4 level; that would not be encrypted.
- Dustin_Schueman
Nimbostratus
I figured it out. It helps when you enable the VS on the right VLAN.
- Domai_23823
Nimbostratus
Oh, did you assign the wrong destination IP for the VS?
- Dustin_Schueman
Nimbostratus
No, I just didn't enable the VS on the correct VLAN.
- Frank_30530
Altocumulus
Is the HTTPS traffic hitting the VS? I.e., do you see the HTTPS SYN packets actually arriving at the BIG-IP? Could there be a firewall device in between that is simply blocking port 443 to the VS?