Forum Discussion

Frank_30530
Feb 07, 2018

Select ServerSSL Profile using VS Policy in TMOS 13.1: ERROR: an action precedes its conditions.

This concerns LTM on TMOS 13.1.0.2:

We are configuring a virtual server with TLS SNI support (for example: site1.example.com and site2.example.com are using the same virtual server).

We need to load balance traffic for site1(.example.com) to pool1; and traffic for site2 to pool2. I have configured a Local Traffic Policy to do this (I don't want to use an iRule in this case). Matching criteria in the first policy rule is:

[SSL Extension] [server name] [is] [any of] [ site1.example.com ] at [ssl client hello] time.

The action for this matching rule is:

[Forward traffic] to [pool] [/Common/pool1] at [request] time.

This seems to work.

Now, I also want to select a specific ServerSSL profile (i.e., serverssl-site1 for site1 and serverssl-site2 for site2).

I tried to add another action to the rule like this:

[Select SSL Profile] [serverssl-site1]

However, this generates an error in the GUI:

An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/vspol-TEST', rule 'r1'; an action precedes its conditions.

I have tried many other rule matching options. I can only get the BIG-IP to accept the matching action for "[Select SSL Profile]" when I remove all matching rules (hence: match all traffic). But I need to select a specific pool and ServerSSL profile based on the SNI server name (or HTTP host request header)...

What am I missing here?

How should I configure this?

Any pointers to TMOS 13 documentation on this subject? Document/guide "Local Traffic Management: Getting Started with Policies, version 13.1" does not describe the "[Select SSL Profile]" action (yet)...

4 Replies

  • I think you are confusing the clientssl and serverssl profiles.


    Configure 2 clientssl profiles with SNI enabled, and add them to the virtual server. The system will automatically select the correct one based on the SNI information.


    You just need one serverssl profile, and the default one is good for most cases.


    Do the pool forward in the LTM policy, but no need to specify the serverssl profile.


  • I have confirmation from F5 support that (at least TMOS 13.1.0) does NOT support this. Apparently:


    ... At this stage in time LTM policy cannot be used to select server SSL profile based on information present in Client Hello. We can select Server SSL profile based on source IP of the client, but unfortunately not Client Hello.


  • wuench

    This appears to still be the case in 14.1.2. The only condition I can get to work with Select SSL Profile is TCP. It appears the only way to select an SSL Profile is via iRules. Other than that the default SSL Server Profile will always be selected as far as I can tell. I am not really sure why a VIP even allows multiple SSL Server Profiles to be configured.


    As for why you would want to do this. We want to route multiple requests to servers using SNI but also resend that Server Name to the server. Currently without resorting to iRules or multiple VIPs no name is sent, or the name configured in the Default SSL Server Profile is sent depending on the Server SSL Profile configuration.

  • If you have multiple serverssl profiles, the system should pick the correct one based on the SNI information from the clientside, or maybe the host header, haven't tested this yet.

    That is where it can be useful to have multiple serverssl profiles, as you can then set up the SNI to be sent on the server side.


    You said you already know you can do with iRules.

    In case you haven't seen this iRule, have a look:

    https://devcentral.f5.com/s/articles/serverside-sni-injection-irule-968

    https://support.f5.com/csp/article/K41600007
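The thread turns on two pieces of data: the server_name (SNI) extension the policy condition reads out of the ClientHello at "ssl client hello" time in the original question, and the server_name that wuench wants re-sent on the serverside connection. The added example below (not F5 code and not the linked iRule; written for this thread to show what those steps do) constructs a minimal TLS ClientHello, extracts the SNI from it, maps it to a pool and serverssl profile the way the policy in the question intends, and builds the server_name extension for the serverside hello. The ROUTES table, DEFAULT_ROUTE and the constructed ClientHello are assumptions; on BIG-IP this selection is performed by the LTM policy or an iRule, not by code like this.

```python
"""Constructed example: parse SNI from a TLS ClientHello, pick a pool and
serverssl profile from it, and build a server_name extension for re-use on
the serverside.  Not F5 code; all names and sample records are constructed."""
import struct
from typing import Optional, Tuple

# Hypothetical routing table mirroring the policy rules in the question.
ROUTES = {
    "site1.example.com": ("/Common/pool1", "serverssl-site1"),
    "site2.example.com": ("/Common/pool2", "serverssl-site2"),
}
# What happens when no rule matches: no pool, default serverssl profile.
DEFAULT_ROUTE: Tuple[Optional[str], str] = (None, "serverssl")


def build_sni_extension(hostname: str) -> bytes:
    """TLS server_name extension (RFC 6066): type 0x0000, list of names."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(sni_list)) + sni_list


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed test input)."""
    extensions = build_sni_extension(hostname) if hostname else b""
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + b"\x00" * 32             # random (zeros; this is only sample data)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x00\x2f"      # cipher_suites: one suite
        + b"\x01\x00"              # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from the server_name extension, or None if absent
    or the record is truncated/malformed (every length is bounds-checked)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end and end <= len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0000:
            data = body[pos:pos + elen]
            # server_name_list length (2), name_type (1), name length (2)
            if len(data) < 5 or data[2] != 0:
                return None
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii", "replace")
        pos += elen
    return None


def select_route(record: bytes) -> Tuple[Optional[str], str]:
    """Pool and serverssl profile for this ClientHello, per ROUTES."""
    sni = extract_sni(record)
    return ROUTES.get(sni, DEFAULT_ROUTE) if sni else DEFAULT_ROUTE


if __name__ == "__main__":
    for host in ("site1.example.com", "site2.example.com", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), select_route(hello))
```

The parser returns None rather than raising on a short or malformed record, which is the behaviour you want in anything that sits in the handshake path: a ClientHello without SNI, or one cut off mid-record, should fall through to the default route, not fault the selection logic.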