Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

Use LTM Policies to Create a VIP listening on Specific Ports

Racquel_Mays
F5 Employee
F5 Employee

All, we are moving from A10 to F5 LTM. With A10 we have 1 VIP, and up to 4 "service-groups" or pools serving 4 specific ports. My goal is to provide a similar functionality in the LTM using Local Traffic Policy-not iRules [solely]. I understand, with LTM it's common or 'best' to have multiple VIPs; one for each service. However, our fear it that this will become a challenge to manage.

 

In testing the policies, I find that it works partially, so long as the VIP's IP matches one of the ports on the data-group configured in the policy. The question is, "How should the VIP be configured, along with a policy, which states it should listen on multiple ports?"

1 ACCEPTED SOLUTION

JRahm
Community Manager
Community Manager

#facepalm...notice the hidden option on the tcp port:

0691T00000BV8cdQAD.pngmine was remote by default, changing to local fixed the issue. Working policy that should help:

ltm policy allports_testpolicy {
    controls { forwarding }
    last-modified 2021-02-10:16:42:35
    requires { tcp }
    rules {
        tcp-80 {
            actions {
                0 {
                    forward
                    client-accepted
                    select
                    pool nerdlife_pool
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 80 }
                }
            }
        }
        tcp-8080 {
            actions {
                0 {
                    forward
                    client-accepted
                    select
                    pool nerdlife_pool
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 8080 }
                }
            }
            ordinal 1
        }
        tcp-all-else {
            actions {
                0 {
                    shutdown
                    client-accepted
                    connection
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    not
                    values { 80 8080 }
                }
            }
            ordinal 2
        }
    }
    status published
    strategy first-match
}

View solution in original post

22 REPLIES 22

JRahm
Community Manager
Community Manager

If you need the virtual server to listen on more than one port, the port should be configured as 0. If you are asking something else, please provide more details and I'll do my best to point you in the right direction.

There are several ways to satisfy your requirements. I will skip all the "iRule ways", since they are not interesting for you.

As  stated, you VS should listen on port 0. The LTM Traffic Policy should have default rule, like a firewall, at the end. To reject all traffic that wont match rules above.

 

0691T00000BV5SVQA1.png

Racquel_Mays
F5 Employee
F5 Employee

  Thank you so much for you help. Im going to configure based on your suggestions and update.

Racquel_Mays
F5 Employee
F5 Employee

Hello, I configured the policy. I have the pool members serve a simple web page, so I know end-to-end communication works. However, when I apply the policy I no longer get the page. However, using curl, I see that I get connected to the VIP along with GET. Instead of giving 200 OK, I get:

curl: (56) Recv failure: Connection reset by peer

* Rebuilt URL to: http://{IP Redacted}/
*   Trying {IP Redacted}...
* TCP_NODELAY set
* Connected to {IP Redacted} ({IP Redacted}) port 80 (#0)
> GET / HTTP/1.1
> Host:  {IP Redacted}.
> User-Agent: curl/7.54.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

Racquel_Mays
F5 Employee
F5 Employee

Here is what I configured, for reference.

 

0691T00000BV7saQAD.png

Ok, one step backwards. Many questions.

Did you configure health monitors? Do they show green?

Did you try curl from the F5 to the backend? Does that work?

Did you apply a server-side SSL profile to the VS?

Did you configure SNAT on the VS?

Can you run a tcpdump with -i 0.0:nnnp to see the reset cause?

Racquel_Mays
F5 Employee
F5 Employee

Hello,

 

  1. Did you configure health monitors?
    1. Health monitors on the pool ; pools are Green
  2.  Curl from the F5 to the backend
    1. works, to individual pool members
  3. Did you apply a server-side SSL profile to the VS
    1. No
  4. Did you configure SNAT on the VS
    1. Yes
  5. Resets are coming from the Virtual Server IP, itself.

JRahm
Community Manager
Community Manager

Do you have a clientssl profile attached to your virtual server? if so, you either need to enable Non-SSL Connections in the clientssl profile, or you need to set up your tcp port 80 rule in the policy to disable clientssl on client accepted.

No, I dont have a clientssl profile on that vip. Its http, so I didn't think i would need it. Do I need it?

if you have no ssl, then no. But if you are trying to serve a combination, yes.

I've been testing some different policy options and am also having issues getting it to work, whereas my very simple irule is working fine;

when CLIENT_ACCEPTED {
  switch [TCP::local_port] {
    80 -
    8080  { pool nerdlife_pool }
    default { reject }
  }
}

I cannot seem to achieve the same in my policy, I get resets regardless. I'll have to do some research.

Depends. Do you have a HTTP profile attached to the VS? In that case, yes you need one.

In case a VS processing the encrypted traffic is configured with an HTTP profile and no clientssl profile is attached, the connection will fail. And you would need to configure the abovementioned settings regarding non-ssl connections.

Also if the pool members in test-pool-443-f5 are https, you will need a serverssl profile.

If you do only L4 load balancing... I would need to do some testing to figure out why the Traffic Policy isn't working as expected.

Ok, not just me 🙂 Yea, I know an irule will work. However, leadership is heavily against using iRules to achieve this portion of the configuration. Their thought, is if the A10 does it, F5 should do the same or similar....

 

 These are good points, yes, this vip will be handling both http/https connections so I will configure those as well. I have both profiles created (custom for specific needs). We are not doing L4 Load Balancing. Will update with results.

JRahm
Community Manager
Community Manager

#facepalm...notice the hidden option on the tcp port:

0691T00000BV8cdQAD.pngmine was remote by default, changing to local fixed the issue. Working policy that should help:

ltm policy allports_testpolicy {
    controls { forwarding }
    last-modified 2021-02-10:16:42:35
    requires { tcp }
    rules {
        tcp-80 {
            actions {
                0 {
                    forward
                    client-accepted
                    select
                    pool nerdlife_pool
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 80 }
                }
            }
        }
        tcp-8080 {
            actions {
                0 {
                    forward
                    client-accepted
                    select
                    pool nerdlife_pool
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 8080 }
                }
            }
            ordinal 1
        }
        tcp-all-else {
            actions {
                0 {
                    shutdown
                    client-accepted
                    connection
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    not
                    values { 80 8080 }
                }
            }
            ordinal 2
        }
    }
    status published
    strategy first-match
}

This looks great! Testing now. Will update.

It's working! I'm doing the fine tuning that Daniel spoke now. Great work. Also. Are you the one of the "F5 YouTube Stars"? You look like one of them :).

Racquel_Mays
F5 Employee
F5 Employee

  In looking at this setup. SSL and non-SSL traffic will use the same VIP. I found a vulnerability, K21942600. What are the security concerns?

 

implementing the workaround should cover you on traffic that should be encrypted. for the intended non-ssl traffic, that shouldn't factor into the scenario.

 

And yes, I do a fair amount of youtube stuff for DevCentral, though I will walk away from any "star" talk 😀

Racquel_Mays
F5 Employee
F5 Employee

Thanks, again.

 

Subrun
Cirrostratus
Cirrostratus

@Jason Rahm

 

I have the same requirement to implement. Request will come to 5 different and need to forward the traffic to same port by pool members.

 

@Jason , wondering if LTM Policy you shared is working ? Will be much appreciated if you can help.

 

According to last comment , did you mean intended purpose is tested with iRule but not working by a LTM Policy ? If this is right can you explain couple of query from your provided iRule ?

 

  1. when CLIENT_ACCEPTED {
  2. switch [TCP::local_port] {
  3. 80 - >>>>> What is means - , purpose of it
  4. 8080 { pool nerdlife_pool } >>>>> What is means - , purpose of it
  5. default { reject } >>>> Whats the reason Reject was set ?
  6. }
  7. }

 

Is that possible to provide a sample iRule like for 3 ports ?

Simon_Blakely
F5 Employee
F5 Employee

From a management point of view, I personally think creating multiple Virtual Servers on separate ports is an easier and more understandable solution.

 

If you do want to create a single Virtual Server that listens on multiple ports, you can use a Traffic Matching Criteria on the virtual:

 

ltm traffic matching criteria

 

You have to create and assign the traffic-matching-criteria from the CLI, but you can use address lists and port lists, and can configure Source Address lists and destination address lists/destination port lists.

I agree Simon...Client does not want to use multiple virtual server instead want to use One VIP.