layered virtual
2 TopicsAPM SSLVPN with layered virtual
Hi guys, I'm trying a new (for me), but oftenly recommended by F5 SEs, setup with layered virtuals. In my testing environment, I have only one single IP address. This is used for a standard virtual server, which will be used as some kind of a jump VS (let's call it 'VS_jump'). I've assigned an LTM policy to this VS, which forwards the traffic to different virtuals, based on the requested host header. Basically this is working finde. But I'm struggling arround with APM and SSLVPN (Network Access). The requests hit the correct VS ('VS_apm-sslvpn') with APM profile assigned and the user is able to authenticate. But after opening the PPP tunnel, it's ending in a timeout for the client. The APM log tells me, that the tunnel was directly closed: PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) started. PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) closed. This issue only occurs, if the APM profile is bound to the forwarded virtual, 'VS_apm-sslvpn'. For testing purposes I've assigned the APM and connectivity profile to 'VS_jump' and the connection came up directly, without any issue. The message PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) closed. only appears, when the connection is manually disabled. So my question is: Are there any known limitations to SSLVPN, when used in conjunction with layered virtuals? I'm not sure about settings like HTTP-XFF or SNAT - where shall they be set? On 'VS_jump' or 'VS_apm-sslvpn'. Unfortunately I wasn't able to find anything related to SSLVPN and layered virtuals. Any ideas? Thanks in advance. Cheers, Sven899Views0likes5CommentsIncosistent forwarding of HTTP/2 connections with layered virtual
Hi, I'm using a layered virtual configuration: Tier1: Virtual applying SNI-Routing (only SSL persistence profile and LTM policy as described in https://www.devcentral.f5.com/kb/technicalarticles/sni-routing-with-big-ip/282018) Tier2: Virtual applies SSL termination and delivering the actual application, with the required profiles, iRules, .... If the required, an additional LTM policy is applied for URI-based routing and forwards to Tier3 VS. Tier3 (optional, if required): Virtual delivers specific applications, like microservices, usually no monolithical apps. This configuration is very robust and I'm working with it successfully since years. Important: The tier1 uses one single IP address and a single port. So all tier2 and tier3 virtuals MUST be externally available through the same IP address and port. Now I have to publish the first HTTP/2 applications over this concept and see strange behavior of the BIG-IP. User requests www.example.com. IP and port point to tier1 virtual. Tier1 LTM policy forwards the requests, based on the SNI, to tier2 virtuals "vs-int_www.example.com". Within www.example.com there are references to piwik.example.com, which is another tier2 virtual, behind my tier1 virtual. User requests piwik.example.com. IP and port point to tier1 virtual. Tier1 LTM policy forwards the requests to "vs-int_www.example.com" instead of "vs-int_piwik.example.com". Probably not based on SNI, but on the existing TCP connection. I'm afraid, that this bahvior is a result of HTTP/2, especially because of the persistent TCP connection. I assume that, because the connection ID (gathered from browser devtools) for requests to www.example.com and piwik.example.com is identical. From the perspective of the browser I wouldn't expect such a behavior, because the target hostname differs. I didn't configure HTTP/2 in full-proxy mode, as described in several articles. I've just enabled it on the client-side. I would be very happy for any input on that. Thanks in advance!153Views0likes11Comments