Forum Discussion

fluidbios_18790
Feb 06, 2019

New Wildcard Virtual Server isn't Working

We want to change the way our 80/443 traffic flows through our Transparent Proxy.


Current Setup (WCCP): Server -> Switch -> WSA (Transparent Proxy) -> Internet


Desired Setup (No WCCP): Server -> Switch -> LTM -> WSA (Transparent Proxy) -> Internet


I've been working with F5 Support to find a solution and they recommended I use a Performance (Layer 4) Wildcard Virtual Server and load balance the WSA device. According to the documentation my configuration should be passing my test traffic to the WSA, but there's no indication that the Virtual Server is actually picking up the incoming traffic. tracert/TCPDump confirm the traffic is making it to the F5 device, does a couple of TCP retransmissions, then drops. Looking at traffic on the WSA I see no traffic coming from my test server or the floating IP for the LTM (since I removed the test server from the WCCP config and sent it to the F5).


4 Replies

  • I have 2 Virtual Servers set up - 1 for port 80 and 1 for port 443.

    WSA_Forwarding (Destination 0.0.0.0 Port 80) WSA_FORWARDING 216.205.91.9:80

    WSA_Forwarding_443 (Destination 0.0.0.0 Port 443) WSA_FORWARDING_443 216.205.91.9:443

  • Here's my test log:

    - Confirmed I can use 10.53.81.163 - can access google.ca
    - Set up a new access rule in the WCCP ACL to send it to the F5
    - Tracert indicates that it's making it to the F5
    - Tried standard profile
    - Tried automap
    - Tried persistence
    - Tried all :80 pool members
    - Set up a :443 pool
    - Tried setting up http/https profiles
    - TCPDump revealed the traffic is at least making it to the LTM
    - Stats indicate the VIPs haven't been used, so the VIP is configured incorrectly
    - Disabled the Secure VIP and set the other VIP to All ports
    - I can ping the WSA (216.205.91.9) from the Qual LTM
    - Confirmed that both of these virtual devices are in the same VLANs, 216 and 2040 (neither of them private VLANs)
    - Reviewed the TCP handshake of a Performance Layer 4 virtual server: according to the VIP/pool stats no packets have been received for the duration of the testing. We never get to "LTM sends SYN request to Node" in this flow, so it looks like the VIP isn't intercepting this traffic for processing. https://support.f5.com/csp/article/K8082l4

    Familiarized myself with the basic overview of Wildcard Virtual Servers: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-0/2.html

    They recommend the following: "We recommend that when you define transparent nodes that need to handle more than one type of service, such as a firewall or a router, you specify an actual port for the node and turn off port translation for the virtual server."

  • So if you look at the Virtual Server statistics, numbers are still showing 0? If so, perhaps your packets are dropped by another module like AFM. Is this an LTM-only box? And how many other Virtual Servers do you have on the BIG-IP? Could your requests end up in the wrong Virtual Server?

  • Please try the below configuration:

    - Enable FastL4
    - See SNAT configuration at the pool level too
    - Try applying the virtual server (VLANs and Tunnels) at VLAN level instead of all VLANs
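Pulling together the suggestions in the replies above (a FastL4 profile, a real port on the transparent node with port translation turned off, and binding the listener to a specific VLAN rather than all VLANs), here is an added example of what that configuration and the follow-up checks could look like in tmsh. It is not configuration from the poster, from F5 Support or from the F5 manual; the object names fastl4_wsa, pool_wsa_80, vs_wsa_80 and vlan_2040 are assumed, and only the WSA address 216.205.91.9 and the VLAN numbers 216/2040 come from the thread. Disabling address translation as well as port translation is an assumption about how the WSA is deployed: in transparent mode it expects to see the client's original destination, which address translation would overwrite.

```tmsh
# Added example; not the poster's or F5's configuration.
# Assumed names: fastl4_wsa, pool_wsa_80, vs_wsa_80, vlan_2040.
# 216.205.91.9 is the WSA address given in the thread.

# 1. FastL4 profile. Loose init/close keep the LTM from dropping flows it did
#    not see from the SYN, which matters when the WSA's return path is not
#    guaranteed to come back through the LTM (topology assumption).
create ltm profile fastl4 fastl4_wsa defaults-from fastL4 loose-initialization enabled loose-close enabled

# 2. Pool with the transparent proxy as a node on an actual port, as the
#    quoted manual text recommends for transparent nodes.
create ltm pool pool_wsa_80 members add { 216.205.91.9:80 } monitor tcp

# 3. Wildcard listener: destination 0.0.0.0/0 on port 80, TCP only, bound to
#    the client-facing VLAN instead of all VLANs. Address and port translation
#    are off so the WSA still sees the client's original destination.
#    Source address translation is left at its default (none) on purpose: with
#    SNAT automap the WSA would log the LTM self IP as the client, so only add
#    it if the WSA cannot otherwise route replies back via the LTM.
create ltm virtual vs_wsa_80 destination 0.0.0.0:80 mask 0.0.0.0 ip-protocol tcp profiles add { fastl4_wsa } pool pool_wsa_80 translate-address disabled translate-port disabled vlans add { vlan_2040 } vlans-enabled

# 4. Checks. The second command shows packet/connection counters; if they stay
#    at zero while tcpdump on the BIG-IP sees the client's SYNs, the packets are
#    arriving on a VLAN the listener is not bound to, or another virtual server
#    (or another module such as AFM, as one reply suggests) is taking them first.
list ltm virtual vs_wsa_80
show ltm virtual vs_wsa_80
# From the bash shell on the BIG-IP, the :nnn interface suffix annotates each
# packet with the flow and virtual server that handled it (or did not):
#   tcpdump -nni 0.0:nnn host 10.53.81.163 and port 80
```

A port-443 listener is the same three objects with 443 in place of 80; keeping the two listeners separate avoids having a single all-ports wildcard absorb traffic that other virtual servers on the box were meant to receive.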