Select ServerSSL Profile using VS Policy in TMOS 13.1: ERROR: an action precedes its conditions.
This concerns LTM on TMOS 13.1.0.2:
We are configuring a virtual server with TLS SNI support (for example: site1.example.com and site2.example.com are using the same virtual server).
We need to load balance traffic for site1(.example.com) to pool1; and traffic for site2 to pool2. I have configured a Local Traffic Policy to do this (I don't want to use an iRule in this case). Matching criteria in the first policy rule is:
[SSL Extention] [server name] [is] [any of] [ site1.example.com ] at [ssl client hello] time.
The action for this matching rule is:
[Forward traffic] to [pool] [/Common/pool1] at [request] time.
This seems to work.
Now, I also want to select a specific ServerSSL profile (i.e., serverssl-site1 for site1 and serverssl-site2 for site2).
I tried to add another action to the rule like this:
[Select SSL Profile] [serverssl-site1]
However, this generates an error in the GUI:
An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/vspol-TEST', rule 'r1'; an action precedes its conditions.
I have tried many other rule matching options. I can only get the BIG-IP accept the matching action for "[Select SSL Profile]" when I remove all matching rules (hence: match all traffic). But I need to select a specific pool and ServerSSL profile based on the SNI server name (or HTTP host request header)...
What am I missing here?
How should I configure this?
Any pointers to TMOS 13 documentation on this subject? Document/guide "Local Traffic Management: Getting Started with Policies, version 13.1" does not describ the "[Select SSL Profile]" action (yet)...