Forum Discussion
Use LTM Policies to Create a VIP listening on Specific Ports
- Feb 10, 2021
#facepalm...notice the hidden option on the tcp port:
Mine was remote by default; changing to local fixed the issue. Working policy that should help:
    ltm policy allports_testpolicy {
        controls { forwarding }
        last-modified 2021-02-10:16:42:35
        requires { tcp }
        rules {
            tcp-80 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 80 }
                    }
                }
            }
            tcp-8080 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 8080 }
                    }
                }
                ordinal 1
            }
            tcp-all-else {
                actions {
                    0 {
                        shutdown
                        client-accepted
                        connection
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        not
                        values { 80 8080 }
                    }
                }
                ordinal 2
            }
        }
        status published
        strategy first-match
    }
Do you have a clientssl profile attached to your virtual server? If so, you either need to enable Non-SSL Connections in the clientssl profile, or you need to set up your tcp port 80 rule in the policy to disable clientssl on client accepted.
No, I don't have a clientssl profile on that vip. It's http, so I didn't think I would need it. Do I need it?
- JRahm, Feb 10, 2021 (Admin)
If you have no ssl, then no. But if you are trying to serve a combination, yes.
I've been testing some different policy options and am also having issues getting it to work, whereas my very simple iRule is working fine:
    when CLIENT_ACCEPTED {
        switch [TCP::local_port] {
            80 -
            8080 { pool nerdlife_pool }
            default { reject }
        }
    }
I cannot seem to achieve the same in my policy, I get resets regardless. I'll have to do some research.
- Daniel_Wolf, Feb 10, 2021 (MVP)
Depends. Do you have an HTTP profile attached to the VS? In that case, yes you need one.
In case a VS processing the encrypted traffic is configured with an HTTP profile and no clientssl profile is attached, the connection will fail. And you would need to configure the above-mentioned settings regarding non-ssl connections.
Also if the pool members in test-pool-443-f5 are https, you will need a serverssl profile.
If you do only L4 load balancing... I would need to do some testing to figure out why the Traffic Policy isn't working as expected.
- Racquel_Mays, Feb 10, 2021 (Employee)
Ok, not just me :) Yeah, I know an iRule will work. However, leadership is heavily against using iRules to achieve this portion of the configuration. Their thought is, if the A10 does it, F5 should do the same or similar...
- Racquel_Mays, Feb 11, 2021 (Employee)
These are good points, yes, this vip will be handling both http/https connections so I will configure those as well. I have both profiles created (custom for specific needs). We are not doing L4 Load Balancing. Will update with results.