For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AJ_382665's avatar
AJ_382665
Icon for Nimbostratus rankNimbostratus
Feb 07, 2019

Unable to target another VIP or Pool

below is my setup 
    virtual server: myapp1_443
    Service Port: 443
    SSL profile: myapp_sslprofile
    Pool: myapp1_pool_80
        members: pool1member1 port 80
                 pool1member2 port 80

    application is hosted on port 80 & 443 as well.
    certificate used in myapp_sslprofile is bound to website.

    in this case SSL offloading is working as expected and i am able to access https://myapp1
    however requirement is to check if health of myapp1_pool_80 goes down requests should be 
    served by myapp1_pool_443

    i have created one more pool
    myapp1_pool_443
        members: pool1member1 port 443
                 pool1member2 port 443
     and attached irule to my virtual server as below.

     when LB_FAILED {
        pool myApp1_pool_443
    }

   even tried below
    when HTTP_Request {
        if{ [string tolower [LB::status pool myapp1_pool_80]] eq "down" }
            {
                pool myapp1_pool_443
            }
    }

    but none of these working and page is going nowhere but keeps on searching.

    as an alternate i tried to create new virtual server without and SSL profile and 
    default pool as myapp1_pool_443
    tried to redirect request to target this Virtual server but it's not working either.
    can someone please guide.
application delivery
BIG-IP
devops
iRules
pool redirection
vip targeting vip
vip to vip

5 Replies

  • Dylan_375544's avatar
    Dylan_375544
    Icon for Cirrocumulus rankCirrocumulus
    Feb 07, 2019

    If the VIP is starting to LB to servers on port 443 then there would need to be a server side SSL profile. If you only have the client side SSL profile it will decrypt the traffic and that will work for the 80 pool members but then when it switches to the 443 members, they will be expecting encrypted traffic but will be receiving decrypted traffic.

     

    Hope that helps! If it does please up-vote and select this answer, it'd be greatly appreciated!

     

    -Dylan

     

    • AJ_382665's avatar
      AJ_382665
      Icon for Nimbostratus rankNimbostratus
      Feb 08, 2019
      thanks for your suggestion.
i attached server side profile to VIP
and tried again but no luck, still same case.
    • Dylan_375544's avatar
      Dylan_375544
      Icon for Cirrocumulus rankCirrocumulus
      Feb 08, 2019

      When you attached the server side profile, you left the client side attached as well right?

       

  • P_K's avatar
    P_K
    Icon for Altostratus rankAltostratus
    Feb 07, 2019

    You need something like this. Well this is not tested but see if you can make it work.

     

    when HTTP_REQUEST {

     

    if { [active_members your_80_poolname] < 1 } {

     

    SSL::enable serverside

     

    pool your_443_poolname

     

    }

     

    }

     

    Hope this helps!