f5-appsvcs-extension

Virtual server requires a profile of type http or http-connect for ltm policy

Open kingb33 opened this issue 1 year ago • 4 comments

Environment

  • Application Services Version: 3.52.0
  • BIG-IP Version: BIG-IP 16.1.4.3 Build 0.16.3 Engineering Hotfix

Summary

When building a virtual server that has an LTM policy, it is required that the VS has an HTTP or HTTP-CONNECT profile even when it is not a requirement. My existing VS is configured for SSL Passthrough. I cannot apply an HTTP profile or it will break my VS.

Based on the existing configuration that was completed via the GUI, I know that my virtual server can apply an LTM policy that is looking for details at the "client-accepted" stage of the request.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.52.0",
    "id": "id",
    "label": "WebApp",
    "OPENSHIFT": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template":"shared"
      }, 
      "PREPROD": {
        "class": "Application",
        "api-int.ocpq1_vs": {
          "class": "Service_TCP", 
          "label": "****", 
          "persistenceMethods": [], 
          "policyEndpoint": "api-int.ocpq1_Policy", 
          "pool": "api-int.ocpq1_http_pool", 
          "profileTCP": {"egress": {"bigip": "/Common/f5-tcp-lan"}, "ingress": {"bigip": "/Common/f5-tcp-wan"}}, 
          "remark": "***", 
          "snat": "auto", 
          "virtualAddresses": ["***"], 
          "virtualPort": ****
        },  
        "api-int.ocpq1_http_pool": {
          "class": "Pool", 
          "label": "Pool for api-int.ocpq1_vs", 
          "members": [{"hostname": "***", "servicePort": ***, "addressDiscovery": "fqdn", "autoPopulate": true}, {"hostname": "***", "servicePort": ****, "addressDiscovery": "fqdn", "autoPopulate": true}, {"hostname": "***", "servicePort": ****, "addressDiscovery": "fqdn", "autoPopulate": true}, {"hostname": "***", "servicePort": ***, "addressDiscovery": "fqdn", "autoPopulate": true}], 
          "monitors": [{"bigip": "/Common/tcp_half_open"}], 
          "remark": "Pool for api-int.ocpq1_vs"
        },
        "api-int.ocpq1_allowList": {
          "class": "Data_Group", 
          "keyDataType": "ip", 
          "label": "Allow list for...", 
          "storageType": "internal", 
          "records": [{"key": "****"}, {"key": "****"}]
        }, 
        "api-int.ocpq1_Policy": {
          "class": "Endpoint_Policy", 
          "label": "Routing policy for...", 
          "remark": "Routing policy for...", 
          "rules": [{"name": "OpenshiftAllow", "remark": "Restrict access to ...", "actions": [{"type": "drop", "event": "client-accepted"}], "conditions": [{"type": "tcp", "event": "client-accepted", "address": {"operand": "does-not-match", "datagroup": {"use": "api-int.ocpq1_allowList"}}}]}], 
          "strategy": "all-match"
        }
      }
    }
  }
}
  2. Observe the following error response:
"The operation for OPENSHIFT has returned code: 422 with the following message: 010716d9:3: Virtual server /OPENSHIFT/OCPQ/api-int.ocpq_VS requires a profile of type http or http-connect for ltm policy /OPENSHIFT/Shared/api-int_Policy."

Expected Behavior

This error message should not occur. It should build the Virtual server with the LTM policy applied. The LTM policy itself does not require any form of HTTP profile as its conditions/actions are all based on information/details that are available.

NOTE: If I remove the policy_endpoint from the Virtual Server config specified in the json and apply it manually in the GUI, it completes and works as intended.

Actual Behavior

The AS3 execution fails to create the specified config with the following error: "The operation for OPENSHIFT has returned code: 422 with the following message: 010716d9:3: Virtual server /OPENSHIFT/OCPQ/api-int.ocpq_VS requires a profile of type http or http-connect for ltm policy /OPENSHIFT/Shared/api-int_Policy."

kingb33, Sep 16 '24 20:09

I have tried some workarounds to get past this problem, but any applied HTTP profile breaks the traffic flow of the virtual server.

kingb33, Oct 16 '24 14:10

@kingb33 May I know what workaround you have done? As I see, it creates the policy with requires: tcp and http while declaring from AS3.

striker24x7, Jan 23 '25 02:01

Echoing this bug - it is about to be an issue in a presales context. Please advise on when this is fixed in a new AS3 build.

npmaslow, Feb 01 '25 18:02

This is tracked by AUTOTOOL-4673. This is due to using legacy mode of LTM policy behind the scenes. You may refer to K000150512 below for details.

K000150512: Using AS3 to create LTM policy adds "requires { tcp http }" and prevents it from being assigned to a virtual server without http profile

dashwood8691, Mar 24 '25 12:03
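
An added example (not code from this issue or from F5): a pre-flight check that flags any service in a declaration that has no HTTP profile but references an Endpoint_Policy, the combination that produced the 422 reported above on AS3 3.52.0. The function names, the sample declaration, and the treatment of a `profileHTTP` key on other service classes as opting in to HTTP are assumptions.

```python
# Added example: pre-flight check for the conflict described in this issue. Not AS3 code.
HTTP_CLASSES = {"Service_HTTP", "Service_HTTPS"}  # these classes always carry an HTTP profile

def policy_names(value):
    """Normalise policyEndpoint (a name, a {"use": name} pointer, or a list) to names."""
    items = value if isinstance(value, list) else [value]
    return [i["use"] if isinstance(i, dict) else i for i in items
            if isinstance(i, str) or (isinstance(i, dict) and "use" in i)]

def policy_events(policy):
    """Collect every event named by the policy's rule conditions and actions."""
    return {part.get("event", "unspecified")
            for rule in policy.get("rules", [])
            for part in rule.get("conditions", []) + rule.get("actions", [])}

def children(node, cls_test):
    """Yield (name, object) pairs of a declaration node whose class passes cls_test."""
    return [(k, v) for k, v in node.items() if isinstance(v, dict) and cls_test(v.get("class", ""))]

def find_conflicts(request):
    """Return services without an HTTP profile that reference an Endpoint_Policy."""
    decl = request.get("declaration", request)
    findings = []
    for tname, tenant in children(decl, lambda c: c == "Tenant"):
        for aname, app in children(tenant, lambda c: c == "Application"):
            for sname, svc in children(app, lambda c: c.startswith("Service_")):
                # Assumption: an explicit profileHTTP key means the service has an HTTP profile.
                if svc["class"] in HTTP_CLASSES or "profileHTTP" in svc:
                    continue
                for pname in policy_names(svc.get("policyEndpoint", [])):
                    events = policy_events(app.get(pname.rsplit("/", 1)[-1], {}))
                    findings.append({"service": f"/{tname}/{aname}/{sname}", "policy": pname,
                                     "events": sorted(events),
                                     "needs_no_http": events == {"client-accepted"}})
    return findings

# Constructed sample modelled on the declaration in the issue (all names and addresses invented).
RULE = {"name": "allow", "actions": [{"type": "drop", "event": "client-accepted"}],
        "conditions": [{"type": "tcp", "event": "client-accepted",
                        "address": {"operand": "does-not-match", "datagroup": {"use": "allowList"}}}]}
SAMPLE = {"class": "AS3", "declaration": {"class": "ADC", "schemaVersion": "3.52.0",
    "EXAMPLE": {"class": "Tenant", "APP": {"class": "Application",
        "passthrough_vs": {"class": "Service_TCP", "virtualAddresses": ["192.0.2.10"],
                           "virtualPort": 6443, "policyEndpoint": "allow_policy"},
        "web_vs": {"class": "Service_HTTP", "virtualAddresses": ["192.0.2.11"],
                   "policyEndpoint": "allow_policy"},
        "allow_policy": {"class": "Endpoint_Policy", "rules": [RULE], "strategy": "all-match"}}}}}

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE):
        print(finding)
```

A finding with `needs_no_http` set to true marks a policy, such as the allow list here, whose rules act only at client-accepted. If the `policyEndpoint` reference is dropped to get the declaration through, confirm afterwards that the virtual server still has that policy attached.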

Hi, I was away on parental leave. I'm wondering if this has a resolution time or if this is planned to be resolved in a future release?

The workaround provided isn't really good in the long term.

kingb33, Jul 24 '25 17:07

AUTOTOOL-4673 is resolved in AS3-55, which is coming soon. Closing issue.

mdditt2000, Oct 16 '25 05:10