Forum Discussion
Use LTM Policies to Create a VIP listening on Specific Ports
- Feb 10, 2021
#facepalm...notice the hidden option on the tcp port:
mine was remote by default, changing to local fixed the issue. Working policy that should help:
ltm policy allports_testpolicy { controls { forwarding } last-modified 2021-02-10:16:42:35 requires { tcp } rules { tcp-80 { actions { 0 { forward client-accepted select pool nerdlife_pool } } conditions { 0 { tcp client-accepted port local values { 80 } } } } tcp-8080 { actions { 0 { forward client-accepted select pool nerdlife_pool } } conditions { 0 { tcp client-accepted port local values { 8080 } } } ordinal 1 } tcp-all-else { actions { 0 { shutdown client-accepted connection } } conditions { 0 { tcp client-accepted port local not values { 80 8080 } } } ordinal 2 } } status published strategy first-match }
Do you have a clientssl profile attached to your virtual server? if so, you either need to enable Non-SSL Connections in the clientssl profile, or you need to set up your tcp port 80 rule in the policy to disable clientssl on client accepted.
- Racquel_MaysFeb 10, 2021Employee
No, I dont have a clientssl profile on that vip. Its http, so I didn't think i would need it. Do I need it?
- JRahmFeb 10, 2021Admin
if you have no ssl, then no. But if you are trying to serve a combination, yes.
I've been testing some different policy options and am also having issues getting it to work, whereas my very simple irule is working fine;
when CLIENT_ACCEPTED { switch [TCP::local_port] { 80 - 8080 { pool nerdlife_pool } default { reject } } }
I cannot seem to achieve the same in my policy, I get resets regardless. I'll have to do some research.
- Daniel_WolfFeb 10, 2021MVP
Depends. Do you have a HTTP profile attached to the VS? In that case, yes you need one.
In case a VS processing the encrypted traffic is configured with an HTTP profile and no clientssl profile is attached, the connection will fail. And you would need to configure the abovementioned settings regarding non-ssl connections.
Also if the pool members in test-pool-443-f5 are https, you will need a serverssl profile.
If you do only L4 load balancing... I would need to do some testing to figure out why the Traffic Policy isn't working as expected.
- Racquel_MaysFeb 10, 2021Employee
Ok, not just me :) Yea, I know an irule will work. However, leadership is heavily against using iRules to achieve this portion of the configuration. Their thought, is if the A10 does it, F5 should do the same or similar....
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com