Forum Discussion

Tabber
Oct 26, 2019

Detect IP Being Blocked Upstream

I am running SSLo L3 Outbound, Forward Proxy, and my organization blocks the IPs of sites at our perimeter. This makes it confusing for customers going to HTTPS sites, because the client side completes the full TCP handshake and sends its first TLS data to the F5 before the F5 server side starts, and then receives a TCP reset, so to the user it looks like there is a TLS error. In reality, on the F5 server side the first TCP packet is sent, receives no response, and times out.


I would like to be able to detect the fact that no response was received and return a custom page to the user with instructions on whom to contact to resolve it.


I tried to use the SERVER_CLOSED event, but it doesn't trigger in the scenario above.

1 Reply

  • "In reality on the F5 server side the first TCP packet is sent and it receives no response and times out. I would like to be able to detect the fact no response was received and return a custom page to the user with instructions on who to contact to resolve."

    • The SERVER_CLOSED event only triggers with some response, either a FIN or RST.


    Since the server side isn't receiving a response to the first packet (I'm assuming a TCP SYN), this becomes more challenging.


    You might be able to leverage SERVER_CONNECTED, assuming the Virtual Server uses FastL4.


    If the VIP doesn't use a FastL4 profile, I'm not sure we would have an event that could trigger, because a standard (full-proxy) VIP requires the three-way handshake to complete before SERVER_CONNECTED fires.


    If the perimeter can be configured to send an RST, then the SERVER_CLOSED event would work.
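As an added illustration of the event behaviour discussed in the reply (this is not code from the thread or from either participant), the iRule below tracks whether the server side ever completed its handshake, logs the RST-before-connect case in SERVER_CLOSED, and answers the client with a custom page. It makes two assumptions the thread does not state: that the client-side virtual has an HTTP profile, so the decrypted request is visible and HTTP::respond is available, and that LB_FAILED is raised in this topology when the server-side connection attempt fails (RST or SYN timeout). The page text and contact wording are placeholders.

```tcl
# Added example iRule; not code from the thread. Assumptions (not stated in
# the thread): the client-side virtual carries an HTTP profile so
# HTTP::respond is usable, and LB_FAILED fires when the server-side connect
# attempt fails, whether the perimeter sends a RST or the SYN times out.
# The "blocked" page text and contact wording are placeholders.

when CLIENT_ACCEPTED {
    # Track whether the server side ever completed its handshake.
    set server_up 0
    set blocked_host "unknown"
}

when HTTP_REQUEST {
    # Remember the requested host so the custom page can name it.
    set blocked_host [HTTP::host]
}

when SERVER_CONNECTED {
    # On a standard (full-proxy) virtual this only fires after the
    # three-way handshake completes, so reaching here means the
    # destination was not blocked at the perimeter.
    set server_up 1
}

when SERVER_CLOSED {
    # Fires only when the server side sees a FIN or RST. With server_up
    # still 0 the close arrived before any connection was established,
    # i.e. the perimeter answered the SYN with a RST.
    if { $server_up == 0 } {
        log local0. "server-side RST before connect: $blocked_host via [IP::server_addr]"
    }
}

when LB_FAILED {
    # Assumed: raised when the server-side connect fails (RST or SYN
    # timeout). Answer the already established client side with an
    # explanatory page instead of letting it see a bare TCP reset.
    set page "<html><body><h1>Site blocked</h1><p>Access to $blocked_host is blocked at the network perimeter. Contact the security team to request access.</p></body></html>"
    HTTP::respond 503 content $page "Content-Type" "text/html" "Connection" "close"
}
```

If the perimeter silently drops the SYN rather than resetting it, the SERVER_CLOSED handler never runs, as the reply explains; in that case the LB_FAILED handler is the only one of the three that can still deliver the page, so confirm on your own platform that it fires for the timeout case before relying on it.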