Forum Discussion

Dustin_Schueman
Jun 05, 2014

SNAT not working with HTTPS

I have an iRule applied to a virtual server that will allow a server behind the F5 to connect to a VIP. When I do HTTP it works fine. HTTPS doesn't work. All I see are the SYNs and never see any ACKs. Here is how everything is set up.

 

client(10.63.136.14) ---> VIP(10.63.27.124) ----> server(10.63.136.11)

 

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.63.136.14] and [IP::addr [IP::local_addr clientside] equals 10.63.27.124] } {
            snat automap
        }
    }

 

13 Replies

  • can you post the virtual server configuration?

     tmsh list ltm virtual (name)
    
  • ltm virtual DIGITALMEDIAHUBTEST-PW.WWWINC.COM_HTTP_443_vs {
        destination 10.63.27.124:https
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            WWWINC.COM_SSL {
                context clientside
            }
            http { }
            tcp { }
        }
        rules {
            DIGITALMEDIAHUBTEST-PW.WWWINC.COM_SNAT
            DIGITALMEDIAHUBTEST-PW.WWWINC.COM_pw_redirect
        }
        source 0.0.0.0/0
        vlans {
            DMZ-Peoplesoft
            External
        }
        vlans-enabled
        vs-index 63
    }


  • Just for the heck of it can you remove the irule and assign SNAT to your https VS and see if that works. Also you are sending the traffic to the members listening on port 80 correct since you are not using server side ssl...you are terminating the SSL at LTM itself?

     

  • Still didn't work. Here is the config.

    ltm virtual DIGITALMEDIAHUBTEST-PW.WWWINC.COM_HTTP_443_vs {
    destination 10.63.27.124:https
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        WWWINC.COM_SSL {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        DIGITALMEDIAHUBTEST-PW.WWWINC.COM_pw_redirect
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans {
        DMZ-Peoplesoft
        External
    }
    vlans-enabled
    vs-index 63
    }

  • I set up the irule to log and I don't even see the request via HTTPS being logged. This is what I see with HTTP.

    Jun  5 14:36:00 ROCANNF5 local0 info tmm[13141]: Rule /Common/DIGITALMEDIAHUBTEST-PW.WWWINC.COM_SNAT : 10.63.136.14, 10.63.27.124
    
  • I performed a packet capture and the HTTP traffic gets SNATed to the self IP of the F5. The HTTPS traffic never looks like it gets NATed.

     

    • Dustin_Schueman
      Since it is HTTPS, is the irule able to inspect the IPs since it's encrypted?
    • Domai_23823
      I believe it's just the data packet that will be encrypted. You should still be able to see the IPs at the layer 4 level; that would not be encrypted.
  • Is the HTTPS traffic hitting the VS? I.e., do you see the HTTPS SYN packets actually arriving at the BIG-IP? Can there be a firewall device in between that is simply blocking port 443 to the VS?
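To check the two things this thread asks about from a capture (are the 443 SYNs answered by the VS at all, and does the server-side SYN carry a translated source), here is an added Python analyser over constructed tcpdump-style lines; it is not code from the thread, and the self IP 10.63.27.5 is an assumed value.

```python
import re
from collections import defaultdict
# Constructed tcpdump -n style lines (not from the thread). Assumed addresses:
# client 10.63.136.14, VIP 10.63.27.124, pool member 10.63.136.11, and
# 10.63.27.5 as the BIG-IP self IP picked by SNAT automap.
SAMPLE_CAPTURE = """\
IP 10.63.136.14.51000 > 10.63.27.124.80: Flags [S], seq 1
IP 10.63.27.124.80 > 10.63.136.14.51000: Flags [S.], seq 2, ack 2
IP 10.63.27.5.42000 > 10.63.136.11.80: Flags [S], seq 3
IP 10.63.136.11.80 > 10.63.27.5.42000: Flags [S.], seq 4, ack 4
IP 10.63.136.14.51001 > 10.63.27.124.443: Flags [S], seq 5
IP 10.63.136.14.51001 > 10.63.27.124.443: Flags [S], seq 5
IP 10.63.136.14.51001 > 10.63.27.124.443: Flags [S], seq 5
"""
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def analyse_capture(text, client_ip, vip, server_ip):
    """Client-side SYN/SYN-ACK counts per VS port, plus every server-side SYN."""
    clientside = defaultdict(lambda: {"syn": 0, "synack": 0})
    serverside = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if src == client_ip and dst == vip and flags == "S":
            clientside[dport]["syn"] += 1          # client -> VIP
        elif src == vip and dst == client_ip and flags == "S.":
            clientside[sport]["synack"] += 1       # VIP answered the handshake
        elif dst == server_ip and flags == "S":    # BIG-IP -> pool member
            serverside.append({"src": src, "dport": dport,
                               "snat": src != client_ip})
    return dict(clientside), serverside

def diagnose(clientside, serverside):
    """Turn the counts into the checks the thread walks through."""
    notes = []
    for port, c in sorted(clientside.items()):
        if c["synack"] == 0:
            notes.append(f"vip:{port}: {c['syn']} SYN(s), no SYN-ACK - "
                         "VS not answering, check VLAN/listener/firewall")
        else:
            notes.append(f"vip:{port}: handshake completed")
    for s in serverside:
        notes.append(f"server:{s['dport']}: source {s['src']} "
                     f"({'SNAT applied' if s['snat'] else 'no SNAT'})")
    return notes
```

On the sample data the 443 flow shows three unanswered SYNs and no server-side connection at all, which is the signature of the VS never accepting the connection rather than of SNAT failing.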