Forum Discussion

Stanislas_Piron
Aug 28, 2017

F5 Local traffic policy / wrong requirement!

Hi,

I worked on a customer deployment where we wanted to create a virtual server to dispatch HTTPS requests to internal virtual servers based on Host header.

In version 13.0, there is a condition ssl-extension server-name. I thought: great, I can create the main VS without an HTTP profile and filter based on the SNI extension.

So I tried to create an LTM policy with rules like:

  • condition : Server name equals "mysite1.company.com"
  • action : forward virtual server VS-mysite1.company.com

And tried to assign it to the VS with only a ClientSSL profile. I can't because of the policy requirements... When I looked at the policy configuration in tmsh, the policy requires http ssl-persistence, which is weird when I look at the rule configuration.

In versions 11.X, this configuration was manual, but starting with version 12 it is created automatically when selecting rule conditions and actions. I didn't check whether the selected requirements are also wrong in v12.

So I tried to create a policy and looked at the generated configuration in TMSH.

Policy without rule:

ltm policy Drafts/bug_policy_requires {
    last-modified 2017-08-28:18:36:02
    status draft
    strategy first-match
}

Policy with one rule assigning a pool, without condition:

ltm policy Drafts/bug_policy_requires {
    controls { forwarding }
    last-modified 2017-08-28:18:37:17
    requires { http }
    rules {
        rule_no_condition {
            actions {
                0 {
                    forward
                    select
                    pool Pool_icap
                }
            }
        }
    }
    status draft
    strategy first-match
}

What configuration in this rule requires http???

Policy with one rule assigning a pool, with SNI condition:

ltm policy Drafts/bug_policy_requires {
    controls { forwarding }
    last-modified 2017-08-28:18:38:20
    requires { http ssl-persistence }
    rules {
        rule_condition_sni {
            actions {
                0 {
                    forward
                    select
                    pool pool_ad_http
                }
            }
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { test.company.com }
                }
            }
            ordinal 1
        }
        rule_no_condition {
            actions {
                0 {
                    forward
                    select
                    pool Pool_icap
                }
            }
        }
    }
    status draft
    strategy first-match
}

Why ssl-persistence and not a client-ssl condition, which may be the best requirement?

  • Hi, did you find any answer for this? I'm also confused about this requirement. (My customer has an APM-based license, so SSL persistence is not even an option for us.)

  • Eric Chen answered this question in the article SNI Routing with BIG-IP:

    The http requirement was caused by the default "request time" I used in the forward pool action... changing to "SSL client hello time" solved this...

    The ssl-persistence requirement means at least one SSL-aware profile must be enabled to support "SSL client hello time" events... ssl-persistence or client-ssl are supported (explained in the article).

    If SSL persistence is not available in non-LTM standalone products, use this code.
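An added example, not the thread's configuration and not the code referenced in the linked article: a published policy applying the fix the answer describes (forward action moved to SSL client hello time, so the policy requires only ssl-persistence and no HTTP profile), attached to a front virtual server that carries an SSL persistence profile. The object names sni_routing, vs_sni_front, vs_site1, vs_site2, the hostnames and the destination address are made up; the policy has been published out of Drafts so it can be attached.

```tmsh
# Constructed example. The forward action runs at ssl-client-hello time,
# the same event the ssl-extension condition uses, so no "request" event
# (and therefore no http requirement) is generated; the only requirement
# left is ssl-persistence.
ltm policy sni_routing {
    controls { forwarding }
    requires { ssl-persistence }
    rules {
        site1 {
            actions {
                0 {
                    forward
                    ssl-client-hello
                    select
                    virtual vs_site1
                }
            }
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { mysite1.company.com }
                }
            }
            ordinal 1
        }
        site2 {
            actions {
                0 {
                    forward
                    ssl-client-hello
                    select
                    virtual vs_site2
                }
            }
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { mysite2.company.com }
                }
            }
            ordinal 2
        }
    }
    strategy first-match
}
```

The front virtual server then needs an SSL-aware profile to satisfy the requirement: the answer above says either an ssl-persistence profile or a client-ssl profile will do, and no HTTP profile is needed because nothing in the policy runs at request time.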