Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

BIG-IP WAF Causes WSS Connections to Stall

AceHunter1965
Altostratus
Altostratus

‎17-Jun-2023 06:49

Hey all!

We've been using BIG-IP in our company as a gateway to the entire network, and we have multiple inner hosts that are proxyed by it.

All connections using HTTPS/WSS are passed through a WAF policy that has most of the signatures enabled, but we've recognized a problem with WebSocket connections:

Any WebSocket connection created from a browser (Chrome) that goes through the WAF policy is stalled, with the status showing as "Pending" indefinitely. It doesn't look like BIGIP outright blocks the connection, since there is no event log for it, but if the connection is setup to bypass the WAF policy (by disabling ASM in an iRule), it works well.

I'd appreciate any help in troubleshooting the problem, if anyone has faced it before. We are using BIGIP 15.1.5.1.

Labels:
0 Kudos
6 REPLIES 6

Mohamed_Ahmed_Kansoh
MVP
MVP

‎18-Jun-2023 02:07

Hi @AceHunter1965 , 
I recommend to add an explicit Web socket URI Entities , to Let Bigip AWAF parse and deal with it properly. 

So identify your Websocket URIs and add them explicitly , use the below Article  : 
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/28.h...

But you need to enable your event Log to see traffic behavior after adding these entities. 

_______________________
Regards
Mohamed Kansoh
0 Kudos

AceHunter1965
Altostratus
Altostratus
In response to Mohamed_Ahmed_Kansoh

‎28-Jun-2023 13:37

Hey,

Seems like adding the websocket URI has no visible effect on the problem

0 Kudos

Juergen_Mang
MVP
MVP

‎19-Jun-2023 06:08

When this problem occurs there is usually no websocket profile attached to the virtual server.

Reference: https://my.f5.com/manage/s/article/K35603146

0 Kudos

AceHunter1965
Altostratus
Altostratus
In response to Juergen_Mang

‎28-Jun-2023 13:38

Hey,

We've added a websocket profile before encountering the error, and it persists even after trying all websocket masking options.

0 Kudos

Leslie_Hubertus
Community Manager
Community Manager

‎26-Jun-2023 17:37

Hey @AceHunter1965  - did either of the suggestions above help you troubleshoot? If yes, could you pleae click "Accept as Solution" on the one that worked for you, or let us know if you still need assistance? 

0 Kudos

AceHunter1965
Altostratus
Altostratus
In response to Leslie_Hubertus

‎28-Jun-2023 13:39

Sorry for the lack of response from me, but I've tried all suggestions so far and still haven't managed to solve my issue 😞

0 Kudos
Copyright © 2023 Khoros, LLC