
LTM HTTP explicit forward proxy and route domains

Hi,

I have a simple lab setup for LTM + HTTP explicit forward proxy, no SSL interception, just CONNECT handling. When I test this in a single route domain it works OK. I have a requirement to use a different route domain for the egress traffic. So I configure the egress VLAN/Self IP/SNAT and explicit proxy in the HTTP profile into the new RD1. I set up a default route in the RD1 and leave a single static route in RD0 for my client traffic. Now when I test I can see the DNS resolver working OK through the egress VLAN/RD1 but I get a 503 after that from the F5; no server-side traffic is seen in tcpdumps, just DNS. I checked the HTTP packets sent back to the client and see a connection failed as well as the 503.

After troubleshooting I was able to get this to work by changing the RD1 parent name from 'none' to '0', the default partition. I can't figure out why I need to have the parent set to 0, when the only route in that RD is a static route for the client traffic, and why this would make the connection fail otherwise?

Any ideas?

thanks

Comments on this Question
Comment made 07-Jun-2018 by andrew 195

Hi, I just ran into this, but I didn't have anything configured in route domain 0. The result was I was getting instant 503s.

I figured I would post a reply because I found this via Google, so other people might as well :).

What I found confusing is that regular HTTP traffic worked just fine; it was only Proxy CONNECT that was failing. After bashing my head against a wall for a few hours, I finally noticed that within the explicit proxy profile there is a field for route domain which defaults to 0. As you can guess, the second I changed it all was good.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Not sure if this answers your question but from:

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-ip-routing-administration-11-4-1/2.html?sr=53367747

A route domain ID is a unique numerical identifier for a route domain. You can assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and gateway addresses) to a route domain by appending the %ID to the IP address.

The format required for specifying a route domain ID in an object’s IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, both the local traffic node object 10.10.10.30%2 and the pool member 10.10.10.30%2:80 pertain to route domain 2.

The BIG-IP system includes a default route domain with an ID of 0. If you do not explicitly create any route domains, all routes on the system pertain to route domain 0.

Important: A route domain ID must be unique on the BIG-IP system; that is, no two route domains on the system can have the same ID.

Hope that helps?

ps

Comments on this Answer
Comment made 27-Apr-2016 by arpydays 1247
Hi Peter, thanks for the info. I'm familiar with RDs but haven't used them with the forward proxy, just seems weird behaviour that I need a parent association to RD0 for RD1 in my particular case when there are no routes of interest in RD0 to allow the egress traffic to flow out RD1.
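Added example (not part of the original thread and not F5 code): a small Python parser for the `A.B.C.D%ID[:port]` notation quoted in the answer, used to list which objects in a configuration inventory sit outside the route domain you expect, such as a setting left at 0 while the egress objects are in RD1. The inventory names and addresses are constructed, and treating an address without `%ID` as route domain 0 is an assumption made for this sketch.

```python
import ipaddress
import re

# A.B.C.D%ID with an optional :port, as in the quoted manual text (IPv4 only).
_RD_ADDR = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:%(?P<rd>\d+))?(?::(?P<port>\d{1,5}))?$"
)

DEFAULT_RD = 0  # assumption: no %ID suffix means route domain 0


def parse_rd_address(text):
    """Split 'A.B.C.D%ID[:port]' into (IPv4Address, route_domain_id, port or None)."""
    m = _RD_ADDR.match(text.strip())
    if not m:
        raise ValueError(f"not in A.B.C.D%ID[:port] form: {text!r}")
    ip = ipaddress.IPv4Address(m.group("ip"))  # raises ValueError on octets > 255
    rd = int(m.group("rd")) if m.group("rd") is not None else DEFAULT_RD
    port = int(m.group("port")) if m.group("port") is not None else None
    if port is not None and port > 65535:
        raise ValueError(f"port out of range: {text!r}")
    return ip, rd, port


def outside_route_domain(objects, expected_rd):
    """Map object name -> route domain ID for every object not in expected_rd."""
    mismatched = {}
    for name, address in objects.items():
        _, rd, _ = parse_rd_address(address)
        if rd != expected_rd:
            mismatched[name] = rd
    return mismatched


# Constructed inventory for illustration; names and addresses are hypothetical.
SAMPLE_OBJECTS = {
    "egress_self_ip": "192.0.2.10%1",
    "egress_gateway": "192.0.2.1%1",
    "client_self_ip": "198.51.100.10",   # no suffix, so counted as RD 0 here
    "pool_member": "10.10.10.30%2:80",   # the pool member form from the manual
}

if __name__ == "__main__":
    for name, rd in outside_route_domain(SAMPLE_OBJECTS, expected_rd=1).items():
        print(f"{name}: route domain {rd}, expected 1")
```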