Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Use LTM Policies to Create a VIP listening on Specific Ports

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎09-Feb-2021 12:02

All, we are moving from A10 to F5 LTM. With A10 we have 1 VIP, and up to 4 "service-groups" or pools serving 4 specific ports. My goal is to provide a similar functionality in the LTM using Local Traffic Policy-not iRules [solely]. I understand, with LTM it's common or 'best' to have multiple VIPs; one for each service. However, our fear it that this will become a challenge to manage.

 

In testing the policies, I find that it works partially, so long as the VIP's IP matches one of the ports on the data-group configured in the policy. The question is, "How should the VIP be configured, along with a policy, which states it should listen on multiple ports?"

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
JRahm
Community Manager
Community Manager

‎10-Feb-2021 14:40

#facepalm...notice the hidden option on the tcp port:

0691T00000BV8cdQAD.pngmine was remote by default, changing to local fixed the issue. Working policy that should help:

 

ltm policy allports_testpolicy { controls { forwarding } last-modified 2021-02-10:16:42:35 requires { tcp } rules { tcp-80 { actions { 0 { forward client-accepted select pool nerdlife_pool } } conditions { 0 { tcp client-accepted port local values { 80 } } } } tcp-8080 { actions { 0 { forward client-accepted select pool nerdlife_pool } } conditions { 0 { tcp client-accepted port local values { 8080 } } } ordinal 1 } tcp-all-else { actions { 0 { shutdown client-accepted connection } } conditions { 0 { tcp client-accepted port local not values { 80 8080 } } } ordinal 2 } } status published strategy first-match }

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

View solution in original post

0 Kudos
22 REPLIES 22

Go to solution
JRahm
Community Manager
Community Manager

‎09-Feb-2021 12:31

If you need the virtual server to listen on more than one port, the port should be configured as 0. If you are asking something else, please provide more details and I'll do my best to point you in the right direction.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎09-Feb-2021 12:48 - last edited on ‎24-Mar-2022 01:30 by Fog

There are several ways to satisfy your requirements. I will skip all the "iRule ways", since they are not interesting for you.

As  stated, you VS should listen on port 0. The LTM Traffic Policy should have default rule, like a firewall, at the end. To reject all traffic that wont match rules above.

 

0691T00000BV5SVQA1.png

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎09-Feb-2021 13:00 - last edited on ‎24-Mar-2022 02:13 by Fog

  Thank you so much for you help. Im going to configure based on your suggestions and update.

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎10-Feb-2021 10:21

Hello, I configured the policy. I have the pool members serve a simple web page, so I know end-to-end communication works. However, when I apply the policy I no longer get the page. However, using curl, I see that I get connected to the VIP along with GET. Instead of giving 200 OK, I get:

curl: (56) Recv failure: Connection reset by peer

* Rebuilt URL to: http://{IP Redacted}/ * Trying {IP Redacted}... * TCP_NODELAY set * Connected to {IP Redacted} ({IP Redacted}) port 80 (#0) > GET / HTTP/1.1 > Host: {IP Redacted}. > User-Agent: curl/7.54.0 > Accept: */* > * Recv failure: Connection reset by peer * stopped the pause stream! * Closing connection 0 curl: (56) Recv failure: Connection reset by peer

 

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎10-Feb-2021 10:33

Here is what I configured, for reference.

 

0691T00000BV7saQAD.png

0 Kudos

Go to solution
Daniel_Wolf
Nacreous
Nacreous
In response to Racquel_Mays

‎10-Feb-2021 11:12

Ok, one step backwards. Many questions.

Did you configure health monitors? Do they show green?

Did you try curl from the F5 to the backend? Does that work?

Did you apply a server-side SSL profile to the VS?

Did you configure SNAT on the VS?

Can you run a tcpdump with -i 0.0:nnnp to see the reset cause?

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎10-Feb-2021 12:35

Hello,

 

  1. Did you configure health monitors?
    1. Health monitors on the pool ; pools are Green
  2.  Curl from the F5 to the backend
    1. works, to individual pool members
  3. Did you apply a server-side SSL profile to the VS
    1. No
  4. Did you configure SNAT on the VS
    1. Yes
  5. Resets are coming from the Virtual Server IP, itself.
0 Kudos

Go to solution
JRahm
Community Manager
Community Manager

‎10-Feb-2021 13:10

Do you have a clientssl profile attached to your virtual server? if so, you either need to enable Non-SSL Connections in the clientssl profile, or you need to set up your tcp port 80 rule in the policy to disable clientssl on client accepted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee
In response to JRahm

‎10-Feb-2021 13:44

No, I dont have a clientssl profile on that vip. Its http, so I didn't think i would need it. Do I need it?

0 Kudos

Go to solution
JRahm
Community Manager
Community Manager
In response to Racquel_Mays

‎10-Feb-2021 13:54

if you have no ssl, then no. But if you are trying to serve a combination, yes.

 

I've been testing some different policy options and am also having issues getting it to work, whereas my very simple irule is working fine;

 

when CLIENT_ACCEPTED { switch [TCP::local_port] { 80 - 8080 { pool nerdlife_pool } default { reject } } }

I cannot seem to achieve the same in my policy, I get resets regardless. I'll have to do some research.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
Daniel_Wolf
Nacreous
Nacreous
In response to Racquel_Mays

‎10-Feb-2021 14:07

Depends. Do you have a HTTP profile attached to the VS? In that case, yes you need one.

In case a VS processing the encrypted traffic is configured with an HTTP profile and no clientssl profile is attached, the connection will fail. And you would need to configure the abovementioned settings regarding non-ssl connections.

Also if the pool members in test-pool-443-f5 are https, you will need a serverssl profile.

If you do only L4 load balancing... I would need to do some testing to figure out why the Traffic Policy isn't working as expected.

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee
In response to Racquel_Mays

‎10-Feb-2021 14:32

Ok, not just me 🙂 Yea, I know an irule will work. However, leadership is heavily against using iRules to achieve this portion of the configuration. Their thought, is if the A10 does it, F5 should do the same or similar....

 

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee
In response to Racquel_Mays

‎10-Feb-2021 16:46 - last edited on ‎24-Mar-2022 01:30 by Fog

 These are good points, yes, this vip will be handling both http/https connections so I will configure those as well. I have both profiles created (custom for specific needs). We are not doing L4 Load Balancing. Will update with results.

0 Kudos

Go to solution
JRahm
Community Manager
Community Manager

‎10-Feb-2021 14:40

#facepalm...notice the hidden option on the tcp port:

0691T00000BV8cdQAD.pngmine was remote by default, changing to local fixed the issue. Working policy that should help:

 

ltm policy allports_testpolicy { controls { forwarding } last-modified 2021-02-10:16:42:35 requires { tcp } rules { tcp-80 { actions { 0 { forward client-accepted select pool nerdlife_pool } } conditions { 0 { tcp client-accepted port local values { 80 } } } } tcp-8080 { actions { 0 { forward client-accepted select pool nerdlife_pool } } conditions { 0 { tcp client-accepted port local values { 8080 } } } ordinal 1 } tcp-all-else { actions { 0 { shutdown client-accepted connection } } conditions { 0 { tcp client-accepted port local not values { 80 8080 } } } ordinal 2 } } status published strategy first-match }

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee
In response to JRahm

‎10-Feb-2021 15:09

This looks great! Testing now. Will update.

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee
In response to Racquel_Mays

‎10-Feb-2021 17:14

It's working! I'm doing the fine tuning that Daniel spoke now. Great work. Also. Are you the one of the "F5 YouTube Stars"? You look like one of them :).

0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎10-Feb-2021 18:12 - last edited on ‎24-Mar-2022 02:13 by Fog

  In looking at this setup. SSL and non-SSL traffic will use the same VIP. I found a vulnerability, K21942600. What are the security concerns?

 

0 Kudos

Go to solution
JRahm
Community Manager
Community Manager
In response to Racquel_Mays

‎10-Feb-2021 18:22

implementing the workaround should cover you on traffic that should be encrypted. for the intended non-ssl traffic, that shouldn't factor into the scenario.

 

And yes, I do a fair amount of youtube stuff for DevCentral, though I will walk away from any "star" talk 😀

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
Racquel_Mays
F5 Employee
F5 Employee

‎10-Feb-2021 18:30

Thanks, again.

 

0 Kudos

Go to solution
Subrun
Cirrostratus
Cirrostratus

‎07-Mar-2021 12:38

@Jason Rahm

 

I have the same requirement to implement. Request will come to 5 different and need to forward the traffic to same port by pool members.

 

@Jason , wondering if LTM Policy you shared is working ? Will be much appreciated if you can help.

 

According to last comment , did you mean intended purpose is tested with iRule but not working by a LTM Policy ? If this is right can you explain couple of query from your provided iRule ?

 

  1. when CLIENT_ACCEPTED {
  2. switch [TCP::local_port] {
  3. 80 - >>>>> What is means - , purpose of it
  4. 8080 { pool nerdlife_pool } >>>>> What is means - , purpose of it
  5. default { reject } >>>> Whats the reason Reject was set ?
  6. }
  7. }

 

Is that possible to provide a sample iRule like for 3 ports ?

0 Kudos

Go to solution
Simon_Blakely
F5 Employee
F5 Employee

‎07-Mar-2021 15:22

From a management point of view, I personally think creating multiple Virtual Servers on separate ports is an easier and more understandable solution.

 

If you do want to create a single Virtual Server that listens on multiple ports, you can use a Traffic Matching Criteria on the virtual:

 

ltm traffic matching criteria

 

You have to create and assign the traffic-matching-criteria from the CLI, but you can use address lists and port lists, and can configure Source Address lists and destination address lists/destination port lists.

0 Kudos

Go to solution
Subrun
Cirrostratus
Cirrostratus
In response to Simon_Blakely

‎13-Mar-2021 05:28

I agree Simon...Client does not want to use multiple virtual server instead want to use One VIP.

0 Kudos
Copyright © 2023 Khoros, LLC