arpydays
Apr 27, 2016

LTM HTTP explicit forward proxy and route domains

Hi,

I have a simple lab setup for LTM + HTTP explicit forward proxy: no SSL interception, just CONNECT handling. When I test this in a single route domain it works OK. I have a requirement to use a different route domain for the egress traffic, so I configured the egress VLAN/Self IP/SNAT and explicit proxy in the HTTP profile into the new RD1. I set up a default route in RD1 and left a single static route in RD0 for my client traffic. Now when I test, I can see the DNS resolver working OK through the egress VLAN/RD1, but I get a 503 after that from the F5; no server-side traffic is seen in tcpdumps, just DNS. I checked the HTTP packets sent back to the client and see a connection failed as well as the 503.

After troubleshooting I was able to get this to work by changing the RD1 parent name from 'none' to '0', the default partition. I can't figure out why I need to have the parent set to 0 when the only route in that RD is a static route for the client traffic, and why this would make the connection fail otherwise?

Any ideas?

Thanks

2 Replies

  • PSilva
    Ret. Employee

    Not sure if this answers your question but from:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-ip-routing-administration-11-4-1/2.html?sr=53367747

    A route domain ID is a unique numerical identifier for a route domain. You can assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and gateway addresses) to a route domain by appending the %ID to the IP address.

    The format required for specifying a route domain ID in an object’s IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, both the local traffic node object 10.10.10.30%2 and the pool member 10.10.10.30%2:80 pertain to route domain 2.

    The BIG-IP system includes a default route domain with an ID of 0. If you do not explicitly create any route domains, all routes on the system pertain to route domain 0.

    Important: A route domain ID must be unique on the BIG-IP system; that is, no two route domains on the system can have the same ID.

    Hope that helps?

    ps


  • Hi, I just ran into this, but I didn't have anything configured in route domain 0. The result was I was getting instant 503s.

    I figured I would post a reply because I found this via Google, so other people might as well :).

    What I found confusing is that regular HTTP traffic worked just fine; it was only proxy CONNECT that was failing. After bashing my head against a wall for a few hours, I finally noticed that within the explicit proxy profile there is a field for route domain which defaults to 0. As you can guess, the second I changed it all was good.
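
A configuration check for the mismatch described in the last reply, added here as an example and not posted by anyone in the thread: it reads a bigip.conf-style export and reports explicit HTTP profiles whose explicit-proxy route domain differs from the route domain of the DNS resolver they reference. The stanza and key names (`explicit-proxy`, `route-domain`, `dns-resolver`, `proxy-type`) are assumed to match the exported configuration, the object names are constructed, and treating the resolver's route domain as the intended egress route domain is an assumption of the example.

```python
# Constructed sample in bigip.conf style; stanza and key names are assumptions.
SAMPLE_CONF = """\
net dns-resolver /Common/egress_resolver {
    route-domain /Common/rd1
}
ltm profile http /Common/fwd_proxy_default_rd {
    explicit-proxy {
        dns-resolver /Common/egress_resolver
    }
    proxy-type explicit
}
ltm profile http /Common/fwd_proxy_rd1 {
    explicit-proxy {
        dns-resolver /Common/egress_resolver
        route-domain /Common/rd1
    }
    proxy-type explicit
}
"""

def parse_conf(text):  # brace-nested 'key value' lines -> nested dicts
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):  # 'words {' opens a nested block
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def rd_name(value):  # '/Common/rd1' -> 'rd1'; unset counts as route domain 0
    return (value or "0").rsplit("/", 1)[-1]

def audit(text):
    """Return (profile, proxy_rd, resolver_rd) wherever the two differ."""
    conf = parse_conf(text)
    resolvers = {k.split()[-1]: rd_name(v.get("route-domain"))
                 for k, v in conf.items() if k.startswith("net dns-resolver ")}
    findings = []
    for k, v in conf.items():
        if not k.startswith("ltm profile http ") or v.get("proxy-type") != "explicit":
            continue
        ep = v["explicit-proxy"] if isinstance(v.get("explicit-proxy"), dict) else {}
        proxy_rd = rd_name(ep.get("route-domain"))
        resolver_rd = resolvers.get(ep.get("dns-resolver"))
        if resolver_rd is not None and resolver_rd != proxy_rd:
            findings.append((k.split()[-1], proxy_rd, resolver_rd))
    return findings
```

Running `audit(SAMPLE_CONF)` flags only the profile that leaves the field unset, which the check counts as route domain 0.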