09-Feb-2021 12:02
All, we are moving from A10 to F5 LTM. With A10 we have 1 VIP, and up to 4 "service-groups" or pools serving 4 specific ports. My goal is to provide similar functionality in the LTM using a Local Traffic Policy, not iRules [solely]. I understand that with LTM it's common or 'best' to have multiple VIPs, one for each service. However, our fear is that this will become a challenge to manage.
In testing the policies, I find that it works partially, so long as the VIP's IP matches one of the ports on the data-group configured in the policy. The question is, "How should the VIP be configured, along with a policy, which states it should listen on multiple ports?"
09-Feb-2021 12:31
If you need the virtual server to listen on more than one port, the port should be configured as 0. If you are asking something else, please provide more details and I'll do my best to point you in the right direction.
09-Feb-2021 12:48 - last edited on 24-Mar-2022 01:30 by li-migration
There are several ways to satisfy your requirements. I will skip all the "iRule ways", since they are not interesting for you.
As stated, your VS should listen on port 0. The LTM Traffic Policy should have a default rule at the end, like a firewall, to reject all traffic that won't match the rules above.
09-Feb-2021 13:00 - last edited on 24-Mar-2022 02:13 by li-migration
Thank you so much for your help. I'm going to configure based on your suggestions and update.
10-Feb-2021 10:21 - last edited on 04-Jun-2023 21:03 by JimmyPackets
Hello, I configured the policy. I have the pool members serve a simple web page, so I know end-to-end communication works. However, when I apply the policy I no longer get the page. Using curl, I see that I get connected to the VIP and send the GET. Instead of getting 200 OK, I get:
    curl: (56) Recv failure: Connection reset by peer

    * Rebuilt URL to: http://{IP Redacted}/
    *   Trying {IP Redacted}...
    * TCP_NODELAY set
    * Connected to {IP Redacted} ({IP Redacted}) port 80 (#0)
    > GET / HTTP/1.1
    > Host: {IP Redacted}
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    * Recv failure: Connection reset by peer
    * stopped the pause stream!
    * Closing connection 0
    curl: (56) Recv failure: Connection reset by peer
10-Feb-2021 10:33
Here is what I configured, for reference.
10-Feb-2021 11:12
Ok, one step backwards. Many questions.
Did you configure health monitors? Do they show green?
Did you try curl from the F5 to the backend? Does that work?
Did you apply a server-side SSL profile to the VS?
Did you configure SNAT on the VS?
Can you run a tcpdump with -i 0.0:nnnp to see the reset cause?
10-Feb-2021 12:35
Hello,
10-Feb-2021 13:10
Do you have a clientssl profile attached to your virtual server? If so, you either need to enable Non-SSL Connections in the clientssl profile, or you need to set up your TCP port 80 rule in the policy to disable clientssl on client accepted.
10-Feb-2021 13:44
No, I don't have a clientssl profile on that VIP. It's HTTP, so I didn't think I would need it. Do I need it?
10-Feb-2021 13:54 - last edited on 04-Jun-2023 21:03 by JimmyPackets
If you have no SSL, then no. But if you are trying to serve a combination, yes.
I've been testing some different policy options and am also having issues getting it to work, whereas my very simple iRule is working fine:
    when CLIENT_ACCEPTED {
        switch [TCP::local_port] {
            80 -
            8080 { pool nerdlife_pool }
            default { reject }
        }
    }
I cannot seem to achieve the same in my policy; I get resets regardless. I'll have to do some research.
10-Feb-2021 14:07
Depends. Do you have an HTTP profile attached to the VS? In that case, yes, you need one.
In case a VS processing the encrypted traffic is configured with an HTTP profile and no clientssl profile is attached, the connection will fail. And you would need to configure the above-mentioned settings regarding non-SSL connections.
Also, if the pool members in test-pool-443-f5 are HTTPS, you will need a serverssl profile.
If you do only L4 load balancing... I would need to do some testing to figure out why the Traffic Policy isn't working as expected.
10-Feb-2021 14:32
Ok, not just me 🙂 Yeah, I know an iRule will work. However, leadership is heavily against using iRules to achieve this portion of the configuration. Their thought is, if the A10 does it, F5 should do the same or similar....
10-Feb-2021 16:46 - last edited on 24-Mar-2022 01:30 by li-migration
These are good points. Yes, this VIP will be handling both HTTP/HTTPS connections, so I will configure those as well. I have both profiles created (custom for specific needs). We are not doing L4 load balancing. Will update with results.
10-Feb-2021 14:40 - last edited on 05-Jun-2023 23:04 by JimmyPackets
#facepalm... Notice the hidden option on the TCP port:
Mine was remote by default; changing it to local fixed the issue. Working policy that should help:
    ltm policy allports_testpolicy {
        controls { forwarding }
        last-modified 2021-02-10:16:42:35
        requires { tcp }
        rules {
            tcp-80 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 80 }
                    }
                }
            }
            tcp-8080 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 8080 }
                    }
                }
                ordinal 1
            }
            tcp-all-else {
                actions {
                    0 {
                        shutdown
                        client-accepted
                        connection
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        not
                        values { 80 8080 }
                    }
                }
                ordinal 2
            }
        }
        status published
        strategy first-match
    }
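The post above shows the published policy but not the virtual server it hangs off. The tmsh commands below are an added example, not the original poster's configuration, and build the same setup end to end: the pool, the policy as a draft that is then published, and a wildcard-port (port 0) virtual server with the policy attached. The names nerdlife_pool and allports_testpolicy are the ones from the thread; the virtual server name vs_allports, the VIP address 192.0.2.10 and the member addresses 10.10.20.11 and 10.10.20.12 are assumptions.

```tmsh
# Pool the policy forwards to. Member addresses are assumed; they serve only on port 80.
create ltm pool nerdlife_pool monitor http members add { 10.10.20.11:80 10.10.20.12:80 }

# Policies are created in the Drafts folder and published afterwards.
# "port local" tests the port the client connected TO (the VIP side);
# "port remote" would test the client's ephemeral source port, which never
# equals 80 or 8080, so every connection would fall through to the last rule.
create ltm policy Drafts/allports_testpolicy \
    controls add { forwarding } \
    requires add { tcp } \
    strategy first-match \
    rules add {
        tcp-80 {
            ordinal 0
            conditions add { 0 { tcp client-accepted port local values { 80 } } }
            actions    add { 0 { forward client-accepted select pool nerdlife_pool } }
        }
        tcp-8080 {
            ordinal 1
            conditions add { 0 { tcp client-accepted port local values { 8080 } } }
            actions    add { 0 { forward client-accepted select pool nerdlife_pool } }
        }
        tcp-all-else {
            # Default deny: anything not explicitly allowed above is shut down.
            ordinal 2
            conditions add { 0 { tcp client-accepted port local not values { 80 8080 } } }
            actions    add { 0 { shutdown client-accepted connection } }
        }
    }
publish ltm policy Drafts/allports_testpolicy

# Port 0 means "any destination port"; the policy decides which ones are served.
# translate-port is set explicitly so a client hitting 192.0.2.10:8080 is sent to
# the member's configured port (80), not to 8080 on the member.
create ltm virtual vs_allports \
    destination 192.0.2.10:0 \
    ip-protocol tcp \
    profiles add { tcp } \
    policies add { allports_testpolicy } \
    translate-port enabled \
    source-address-translation { type automap }

# Verify what was built and that the policy is attached and published.
list ltm policy allports_testpolicy
list ltm virtual vs_allports policies
```

From a client, `curl -sv http://192.0.2.10/` and `curl -sv http://192.0.2.10:8080/` should return the backend page, while a connection to any other port (for example `curl -sv http://192.0.2.10:81/`) should be reset by the tcp-all-else rule. If every port, including 80 and 8080, is reset, check that the port conditions say `local` and not `remote`, which is exactly the mistake the thread ran into.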
10-Feb-2021 15:09
This looks great! Testing now. Will update.
10-Feb-2021 17:14
It's working! I'm doing the fine tuning that Daniel spoke of now. Great work. Also, are you one of the "F5 YouTube Stars"? You look like one of them :).
10-Feb-2021 18:12 - last edited on 24-Mar-2022 02:13 by li-migration
In looking at this setup, SSL and non-SSL traffic will use the same VIP. I found a vulnerability, K21942600. What are the security concerns?
10-Feb-2021 18:22
Implementing the workaround should cover you on traffic that should be encrypted. For the intended non-SSL traffic, that shouldn't factor into the scenario.
And yes, I do a fair amount of youtube stuff for DevCentral, though I will walk away from any "star" talk 😀
10-Feb-2021 18:30
Thanks, again.
07-Mar-2021 12:38
I have the same requirement to implement. Requests will come to 5 different ports and need to be forwarded to the same port by the pool members.
@Jason, wondering if the LTM Policy you shared is working? Will be much appreciated if you can help.
According to the last comment, did you mean the intended purpose is tested with an iRule but not working with an LTM Policy? If this is right, can you explain a couple of queries from your provided iRule?
Is it possible to provide a sample iRule for 3 ports?
07-Mar-2021 15:22
From a management point of view, I personally think creating multiple Virtual Servers on separate ports is an easier and more understandable solution.
If you do want to create a single Virtual Server that listens on multiple ports, you can use a Traffic Matching Criteria on the virtual:
You have to create and assign the traffic-matching-criteria from the CLI, but you can use address lists and port lists, and can configure Source Address lists and destination address lists/destination port lists.
13-Mar-2021 05:28
I agree, Simon... The client does not want to use multiple virtual servers; instead they want to use one VIP.