Forum Discussion

ecce
Jun 02, 2019

SSLO - L3 inline device ignored

I've set up SSLO 5.3 on a VE running 14.1. It is a pure PoC environment with the simplest topology possible: an inside with a client, an outside connected to the internet, and a Cisco ASA as an L3 inline firewall. The ASA is isolated; it only has two interfaces, both connected to the BIGIP.

These are the bits that do work as expected:

  • The client gets server certificates generated by the BIGIP as expected.
  • Traffic gets routed through the BIGIP towards the internet; the client can access random sites.
  • If I bring the ASA down, the SSL Service is marked DOWN in the SSLO Dashboard.
  • Statistics are coming in to the dashboard, including AVR.


This is the confusing bit that does not work as I expected:

  • There is no traffic to the VLAN leading to the ASA inside interface. tcpdump only shows BIGIP monitoring pings, and so does the ASA log. So the ASA is not really inline.
  • The client can access the internet regardless of the ASA status, although the Service Down Action is set to RESET.


Troubleshooting done so far:

  • tcpdump shows traffic coming into the inside VLAN.
  • tcpdump shows traffic leaving the outside VLAN, SNATed using automap. Return traffic looks as expected.
  • tcpdump shows NO TRAFFIC at all on the VLANs connecting the ASA.
  • ping works between BIGIP and ASA, both ways on both VLANs.
  • The ASA default-routes traffic to BIGIP interface 198.19.64.245/25 and routes 10.0.0.0/8 to the interface 198.19.64.7/25 (the default IPs).
  • The ASA has no ACLs configured.
  • The BIGIP has AFM provisioned. The default action for the VS is set to ALLOWED.


All the settings are pretty much the defaults. Pinning sites are bypassed; everything else is set to be inspected by the only chain that exists (containing the ASA). I've been over the settings about 10 times now and cannot see anything obviously wrong.


Any ideas?
