LTM Policy to select pool based on TCP port is not working

Mahi · ‎01-Apr-2020

Hello Everyone,

We are trying to do a POC where there is one Virtual Server listening on port '0' (basically all ports) and we would want to select the pool based on the remote port number using LTM Policy, however, its is not working. Any help on this please.

For example

http://192.168.1.25:45000 select pool WebApp_Odessa

http://192.168.1.25:45005 select pool WebApp_Jasper

We did set up the policy as below.

TCP port is '45000' at client accepted time.

Forward traffic to pool '/Common/WebApp_Odessa' at client accepted time.

TCP port is '45005' at client accepted time.

Forward traffic to pool '/Common/WebApp_Jasper' at client accepted time.

Dario_Garrido · ‎01-Apr-2020

Hello Mahi.

It's not necessary to configure a policy.

You could configure 3 VS like this:

A.B.C.D:45000

A.B.C.D:45005

A.B.C.D:0

REF - https://support.f5.com/csp/article/K14800

KR,

Dario.

Regards,
Dario.

Mahi · ‎01-Apr-2020

Thanks Dario, we tried that solution and its working.

For some reason, we need only one VIP and not use an iRule. Therefore, we decided to go via the policy route.

Dario_Garrido · ‎02-Apr-2020

Hello Mahi.

Configure 3 VS is faster than configure a policy.

Anyway, I've tested in my lab and it's working fine using forward to pool (with "local - external" and automap)

ltm policy Policy_Test {
    controls { forwarding }
    last-modified 2020-04-02:09:07:31
    requires { http tcp }
    rules {
        redirect {
            actions {
                0 {
                    forward
                    select
                    pool P-WEB_80
                    snat automap
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    local
                    values { 80 }
                }
            }
        }
    }
    status published
    strategy first-match
}

KR,

Dario.

Regards,
Dario.

Mahi · ‎02-Apr-2020

Dario;

I checked the configuration and its exactly the same with difference of 'snat automap' and 'local' being not there. I guess the automap will be effective since its declared in the Virtual Server configuration.

I am seeing a 'Reset' packet from the virtual server with the reason 'No server selected' in the packet capture. Somehow the policy is not kicking in. Any thoughts?

PeteWhite · ‎02-Apr-2020

Ok, local needs to be there. As you say, don’t worry about snat

Dario_Garrido · ‎02-Apr-2020

options "local, external" are required. Automap (snat) depends of your topology.

Regards,
Dario.

PeteWhite · ‎02-Apr-2020

The policy which Dario has posted above is what you want. If you can let us know in more detail what exactly is not working then that would help. For debugging purposes, I would add a log statement to show that you are hitting the ltm policy, maybe it is something else in the setup which is not working.

Mahi · ‎02-Apr-2020

Hello Pete,

The solution of different virtual servers is what we tried and it worked. The design team want to reduce the number of virtual servers and use policies for some reason.

I am seeing a 'Reset' packet from the virtual server with the reason 'No server selected' in the packet capture. Somehow the policy is not kicking in. Any thoughts?

PeteWhite · ‎02-Apr-2020

Hi Mahi, Can you either post your LTM policy here, or compare it to the example shown above.

Mahi · ‎02-Apr-2020

ltm policy _WebApp_port_based_pool_selection {
    controls { forwarding }
    description "Pool selection based on destination port for WebApp only"
    last-modified 2020-04-02:08:28:15
    requires { http tcp }
    rules {
        odessa.company.pvt {
            actions {
                0 {
                    forward
                    select
                    pool WebApp_odessa.company.pvt
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 40000 }
                }
            ordinal 2
        }
        jasper.company.pvt {
            actions {
                0 {
                    forward
                    select
                    pool WebApp_jasper.company.pvt
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 40005 }
                }
            }
        }
        xyz.com {
            actions {
                0 {
                    forward
                    select
                    pool AzureWebApp_xyz
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 55000 }
                }
            }
            ordinal 1
        }
    }
    status published
    strategy all-match
}
(END)

PeteWhite · ‎02-Apr-2020

I can see the problem – you are checking on the remote port, not the local port. In the rule, click the Options gear icon on the right and change it to local. Hit Done. Test it. Buy me a beer [cid:image001.jpg@01D60912.F1827B90]

Dario_Garrido · ‎02-Apr-2020

Another one here 🙂

Regards,
Dario.

Mahi · ‎02-Apr-2020

Guess what, that fixed the problem. 🙂

I was under assumption as remote port = destination port.

Surely buy you a beer when this lockdown thing is over. Thank you so much for the help.

PeteWhite · ‎02-Apr-2020

You’re very welcome. Tell you what – buy me a beer and have it yourself 😊

DevCentral

LTM Policy to select pool based on TCP port is not working

Sep 26th, 2023
MFA required on DevCentral

DevCentral

LTM Policy to select pool based on TCP port is not working

Sep 26th, 2023MFA required on DevCentral

Sep 26th, 2023
MFA required on DevCentral