
Kalido
Mar 02, 2023

LTM Policy Port redirect

Hi Guys,

I currently have a VS listening on 443, all our backend servers work on 443.

We have a new requirement where we have a backend server already operating on 443 so we need to use a different port.

So the backend server is:

Test.com:8443/xyz

I need to browse to:

Production.com/xyz

I need to connect externally to the F5 on port 443 and I need the policy to forward the connection to the backend server using 8443.

I have the URI rewrite configured already.

Please see my policy rule:

I get connection reset every time I browse to the URL
8 Replies

  • Kalido To make sure I understand the request. You have a virtual server (VS) with let's say IP 10.10.10.10 and listening on port 443 performing SSL termination with a client SSL profile. You also have a pool associated to this VS and it has pool members let's say 10.10.11.20:443 and 10.10.11.21:443 and the VS has a server SSL profile to encrypt the traffic and send it to those pool members. Now you would like requests for URI path /xyz to go only to 10.10.11.21 but on port 8443 instead of 443 which it is already listening on? If that is the case I would create another pool with a name that makes sense to you with the pool member 10.10.11.21:8443 and then choose the "Forward Traffic" to be pool and select the new pool that you created for this purpose. I would like to note that you must have both client and server SSL profiles configured under the VS and an HTTP profile in order for this to work. If you do not have those three pieces configured this will not work.

  • Hi Paulius,

    You have it 90%.

    So I don't use pools, I use LTM policy to forward traffic depending on a specific URI in the URL.

    For example:

    /abc/ -> forward to node 10.10.11.20

    /def/ -> forward to node 10.10.11.21

    Etc.

    This server is running something on 443 already as you mentioned so the new application will need to run on 8443.

    So as you can see from my LTM policy above, I have told it when an external user connects to the VS on 443 as they should, the F5 to the backend should be 8443.

    However I just get connection reset, I am not 100% sure what you mean by client and server SSL profile, I believe I have that setup correctly because for 443 the SSL works fine.

    Not sure I have an HTTP profile configured, what would this do for this situation?

    • Paulius

      Kalido Understood on your configuration setup. I would recommend moving away from sending traffic to a specific node because this messes with any persistence that you might want to configure. You really should have a pool configured for each path that you are going to balance traffic for and use the forward to pool option instead. Using pools will ensure that persistence functions as expected, allows you to add additional members for a specific URI path or Host field without much of a change to the virtual server, and finally this allows you to run health monitors at a level that doesn't affect the entire node if by chance this node is working for one URI path or Host field but not others.

      In regards to client and server SSL profile, this configuration can be found under the VS with labels SSL Profile (Client) and the other as SSL Profile (Server). For the HTTP profile you can also see that under the virtual server and the configuration box says HTTP Profile next to it. Based on your previous statement you would have to have 1 or both SSL profiles and an HTTP profile configured already for it to be working for other URI paths so probably something you don't have to worry about but you can verify what is configured.

      Now in regards to 8443 if you run the following tcpdump you should be able to see if the F5 is issuing the reset or if it's the server. Most likely based on your description it is the server issuing the reset which typically means the server is either blocking because of a local OS firewall rule, the server isn't listening on 8443, or the server isn't expecting HTTPS traffic on port 8443. By "<f5_selfIP_closest to serverIP>" this would be the interface the traffic leaves the F5 on when attempting to reach the destination node. Replace the entirety of the pieces below from < to > for the appropriate IP.

      tcpdump -nni 0.0:nnp host <f5_selfIP_closest to serverIP> and host <nodeIP> and port 8443

      The following is an example of what the command would look like if the selfIP of the F5 was 10.10.10.1 and the destination node IP is 10.10.20.30.

      tcpdump -nni 0.0:nnp host 10.10.10.1 and host 10.10.20.30 and port 8443

      Hopefully this all makes sense and helps you resolve the issue at hand.
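One way to read the capture from the tcpdump command above, as an added example that is not part of this thread and not F5's own tooling: a small Python parser over tcpdump text output that reports which side sent the first RST and at what stage of the connection it arrived. That split separates the three causes listed in the reply: a RST before any SYN-ACK means nothing is listening on 8443 or a host/network firewall is rejecting the connection, while a RST that arrives only after the TCP handshake and the first payload from the F5 means the server accepted the connection and then rejected what it received (typically a TLS ClientHello sent to a plaintext listener). The sample lines are constructed to look like plain `tcpdump -nn` output and reuse the self IP and node IP from the example command; the extra fields that F5's `:nnp` interface suffix appends after `length N` are ignored by the pattern.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One TCP line of `tcpdump -nn` output. Anything after "length N" (such as the
# F5 ":nnp" trailer with tmm/listener details) is left unmatched on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump flag letters: S=SYN, .=ACK, P=PSH, R=RST, F=FIN
    length: int  # TCP payload bytes


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse tcpdump text into Packet records; lines that are not TCP are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"],
                                  int(m["dport"]), m["flags"], int(m["length"])))
    return packets


def diagnose(packets: List[Packet], f5_ip: str, node_ip: str,
             port: int) -> Tuple[Optional[str], str]:
    """Return (who sent the first RST, connection stage when it was sent).

    before-handshake : no SYN-ACK seen yet -> nothing listening on the port, or a
                       local OS / network firewall rejecting the connection
    after-handshake  : TCP completed, no payload sent yet
    after-data       : server accepted TCP, then reset after the F5's first bytes
                       (e.g. a TLS ClientHello arriving at a plaintext listener)
    """
    saw_synack = False
    bytes_to_server = 0
    for p in packets:
        from_f5 = p.src == f5_ip and p.dst == node_ip and p.dport == port
        from_node = p.src == node_ip and p.sport == port and p.dst == f5_ip
        if not (from_f5 or from_node):
            continue  # unrelated traffic that slipped into the capture
        if from_node and "S" in p.flags and "." in p.flags:
            saw_synack = True  # SYN-ACK from the node
        if from_f5 and p.length > 0:
            bytes_to_server += p.length
        if "R" in p.flags:
            sender = "server" if from_node else "f5"
            if not saw_synack:
                return sender, "before-handshake"
            if bytes_to_server == 0:
                return sender, "after-handshake"
            return sender, "after-data"
    return None, "no-reset-seen"


# Constructed sample captures (not taken from the thread). The addresses follow
# the example command: self IP 10.10.10.1, node 10.10.20.30, new listener 8443.
F5_IP, NODE_IP, PORT = "10.10.10.1", "10.10.20.30", 8443

CAPTURE_NOT_LISTENING = """\
12:00:00.000100 IP 10.10.10.1.40001 > 10.10.20.30.8443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:00.000300 IP 10.10.20.30.8443 > 10.10.10.1.40001: Flags [R.], seq 0, ack 1001, win 0, length 0
"""

CAPTURE_TLS_REJECTED = """\
12:00:01.000100 IP 10.10.10.1.40002 > 10.10.20.30.8443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:01.000300 IP 10.10.20.30.8443 > 10.10.10.1.40002: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460], length 0
12:00:01.000400 IP 10.10.10.1.40002 > 10.10.20.30.8443: Flags [.], ack 5001, win 64240, length 0
12:00:01.000500 IP 10.10.10.1.40002 > 10.10.20.30.8443: Flags [P.], seq 1001:1518, ack 5001, win 64240, length 517
12:00:01.000900 IP 10.10.20.30.8443 > 10.10.10.1.40002: Flags [R.], seq 5001, ack 1518, win 0, length 0
"""

CAPTURE_F5_RESET = """\
12:00:02.000100 IP 10.10.10.1.40003 > 10.10.20.30.8443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:02.000300 IP 10.10.20.30.8443 > 10.10.10.1.40003: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460], length 0
12:00:02.000400 IP 10.10.10.1.40003 > 10.10.20.30.8443: Flags [.], ack 5001, win 64240, length 0
12:00:02.000500 IP 10.10.10.1.40003 > 10.10.20.30.8443: Flags [R.], seq 1001, ack 5001, win 0, length 0
"""

if __name__ == "__main__":
    for name, cap in [("not listening", CAPTURE_NOT_LISTENING),
                      ("tls rejected", CAPTURE_TLS_REJECTED),
                      ("f5 reset", CAPTURE_F5_RESET)]:
        print(name, diagnose(parse_tcpdump(cap), F5_IP, NODE_IP, PORT))
```

To use it on a real capture, run the tcpdump command from the reply with `-w` omitted so it prints text, save that output to a file, and pass its contents to `parse_tcpdump` with the self IP, node IP and port you filtered on. A RST attributed to `f5` rather than `server` points back at the virtual server configuration (missing server SSL profile, no HTTP profile, or the policy action itself) rather than at the backend.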

      • Kalido

        I can also see that traffic is getting to the backend server, I can see packets in but I can't see packets out:

        So the initial connection is getting there, what would your thought be regarding this situation?