Forum Discussion

tatmotiv
Jun 11, 2018

Use internal virtual for ICAP forwarding into another route-domain

Hi everybody,

I'm currently facing the following challenge: I need to pass incoming requests for an http virtual to external AV scanners using ICAP. The ICAP servers are already defined as an ICAP pool with associated vip in one partition on my BigIP (being accessible for ICAP clients anywhere in the network).

Now I need to access the same ICAP vip/pool from another (http) virtual on the same BigIP using a request adapt profile. The clue: the http virtual is located in a different partition than the ICAP virtual, and each partition uses its own (non-default) route domain for separation purposes.

To overcome this, I was thinking about a setup like depicted here: http://www.plantuml.com/plantuml/png/RLBBJiCm4BpxAqQzjrLpv83QYWiNL04tX2gtte15uWr-K2JKVoSsmQdYth8pwzdPpAwTbzQ7jX6TF7x8Dy9irmFQQpROO0dBmHCKjr8Rh6Ru4NsJyJZHOV-bkukgOsukIiEALfEw6cfjF5aZcxq-oYxBJF0iM11HIWm6CB_Dqt43HRKCZKTwc_5vRCgUhiBLA3YFU66n5xVq6SZvlLIoywBiA9ub5oLKDgQD37k2vmvSuwNaNmM0rFCk7Uvta4fPSYx2N2Exq0OfGZROOXdPnvJXtL-6bI2ZeiumyC3USrlCJ5ffP73ayFImUKRoNhEDQAs_IS5ni4VgpOoYvskNj9rUKZLUqkG6fj7d_LTJe18NVpw_AwvW95AkMQuWiknvc5HhIoVPDA8C0ul5IFz_H31lioQZGjly0W00

However, when trying to configure this, I immediately faced the first problem: internal servers are always created in route domain 0, regardless of the default route domain for the partition. Since there is no way to define the destination of an internal virtual, I also cannot override this by adding a %n suffix to the destination. Of course, I could create the internal ICAP vip and pool in the Common partition (thus using RD 0), but I do not have any IP addresses or routing configured in RD 0, so I cannot control how the traffic would flow from the BigIP to the ICAP service (besides the fact that this would break my whole concept of having separate domains and partitions for sets of applications).

Maybe I'm misunderstanding the proper use of internal servers? Does anybody know a way to define internal virtuals outside route domain 0?

Do you have general objections in regard to the planned setup or any suggestions on how to do it instead? Any hints are welcome. Thanks in advance!

Martin

2 Replies

  • UPDATE: In the meantime, I found out that although it is not possible to create an internal virtual outside route domain 0 (neither in the web GUI, nor using tmsh), it is possible to modify an internal virtual to use another route-domain using tmsh afterwards.

    Oddly, you can even reference another RD during virtual creation in tmsh (using the %nnn suffix), but this is ignored by the BigIP; the internal virtual will nevertheless be created in RD0 (without any error or warning). Looks like a bug to me...

  • UPDATE 2 (just in case anybody should stumble upon this question in the future):

    I opened a support case with f5 in order to clarify this. I received the answer that this is a purely cosmetic issue. Some virtual settings are ignored when the virtual is of type "internal". Those settings are (according to f5 support):

    • destination (including route domain)
    • source
    • VLANs / vlans-enabled settings

    SNAT on the other hand works as desired, so I could easily build the setup as described above (and it also works).
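
As an added illustration (not the poster's own configuration and not taken from F5 documentation), the pieces named in this thread could be laid out in tmsh as below. The partition `/App`, route domain `2`, the addresses `192.0.2.10` / `192.0.2.11`, and every object name are assumed placeholders. The route domain is placed on the pool members, since per the F5 answer above the destination (and its route domain) on an internal virtual is cosmetic, while pool member addresses and SNAT are what actually govern the traffic path.

```tmsh
# Added example, not the poster's configuration. All names, the partition,
# route domain 2 and the 192.0.2.x addresses are assumed placeholders.

# ICAP pool in the application partition. The %2 suffix on each member is what
# puts the real ICAP connections into route domain 2.
create ltm pool /App/icap_pool members add { 192.0.2.10%2:1344 192.0.2.11%2:1344 } monitor tcp

# ICAP profile; ${SERVER_IP} and ${SERVER_PORT} are expanded from the selected pool member.
create ltm profile icap /App/icap_av uri "icap://${SERVER_IP}:${SERVER_PORT}/avscan" preview-length 1024

# Internal virtual fronting the ICAP pool. tmsh will report it in RD 0; as noted
# in the thread this is cosmetic. SNAT automap is honoured for internal virtuals.
create ltm virtual /App/icap_internal_vs internal profiles add { /App/icap_av } pool /App/icap_pool source-address-translation { type automap }

# Request-adapt profile that hands requests to the internal virtual, attached to the HTTP virtual.
# service-down-action ignore lets requests through unscanned if the ICAP pool is down; use reset or drop to fail closed.
create ltm profile request-adapt /App/req_adapt_av internal-virtual /App/icap_internal_vs enabled yes preview-size 1024 service-down-action ignore

modify ltm virtual /App/http_vs profiles add { /App/req_adapt_av }

# Check what was actually applied (expect the internal virtual to still show RD 0).
list ltm virtual /App/icap_internal_vs
list ltm pool /App/icap_pool members
```

The `service-down-action` choice is the security-relevant setting here: `ignore` keeps the HTTP virtual serving when the AV scanners are unreachable, but does so without scanning, so a deployment that must fail closed should use `reset` or `drop` and monitor the ICAP pool health instead.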