
Stefan_Klotz_85
May 24, 2015

APM on 1600 with 10.2.4HF10 and Route Domain not showing Logon Page

We're using an LTM with APM add-on license on a BIG-IP 1600 running 10.2.4HF10. We are also using Route Domains, but without assigning them to dedicated partitions. We have a standard VS running on port 443 with Exchange 2013 behind and accessing it without APM policy assigned works fine. This VS-config is created in Common partition and is part of Route Domain 3.

Now we want to add some APM features and first started with just a Logon Page, but as soon as we assign the policy to the VS, the connection is broken (reset from the VS). This is what we see:

  • first the certificate warning (as we are testing with IP-address), but successful SSL-handshake
  • then I see the redirect in the address bar to "/my.policy"
  • but then the VS breaks the connection by sending a RST-packet

Right now, we have totally no idea why this happens and how we could further analyze this. Testing on port 80 is currently not possible, as the Internet-FW is only opened for port 443. The access policy is created with default values, so the "Secure Cookie" option is enabled. We also tried to fail over the cluster and tried it on the other machine, but same behavior. We also tried a "bigstart restart", but without success. In the VPE we also found the option "Route Domain Selection" and we included it at the beginning with the value of 3 (not sure what this does and if this is really required here), but still the same issue.

Does anybody have an idea what could be the reason for this or what else we could try? Or do you require any further information? My feeling says this can't be a bug or something like this, but is more related to our setup/configuration.

Thank you!!!

Ciao Stefan :)

3 Replies

  • In the meantime I tried to rebuild this setup on a VE on my laptop with the following results:

    • First I configured everything in Common (no RD used) -> Logon page loaded correctly
    • Then I created a RD and another VS within this RD -> issue as described above occurred again
    • Then I changed the value for "Parent ID" within the RD from the default "None" to "0" -> Logon page loaded correctly

    Both RDs (Common and the newly created one) have no routes specified at all and all VLANs are directly connected. From what I read in the documentation this parent ID setting is only required for routing lookup, so it shouldn't matter in our setup at all. But why does it behave differently with both options?

    And according to our production system, is there any risk when changing the parent ID from "None" to "0"?

    Thank you!

    Ciao Stefan :)

  • I made another test on a VE running 11.5.2 with the same setup as mentioned above and there everything works fine, even with Parent ID set to "None".

    So this is either a bug in 10.2.4 (and maybe earlier versions < 11.5.2) or a change in behavior. But for the latter one I wouldn't understand its background.

    Ciao Stefan :)

  • Here is the latest update from the case escalation at F5.

    It appears that the v10.2.4 behaviour is the APM operating as designed.
    A deeper investigation suggests the way we handled Route Domains in v10.x can result in
    communication problems if the alternate Route Domains have no Parent ID.  In v11.x we modified how inter-Route-Domain
    communication worked within TMM, with the result that there is no issue if the alternate Route Domain
    has no Parent ID.

    So the solution to this issue is to assign a Parent ID to the Route Domains in v10.2.4.

    Ciao Stefan 🙂