The example here is that I am trying to configure a local internet breakout service for TCP port 443, as shown here:
# configure authority service internet-443-only
show
name             internet-443-only
security         encrypt-hmac-disabled
transport        tcp
    protocol   tcp
    port-range 443
        start-port 443
    exit
exit
address          0.0.0.0/0
access-policy    field-eng.corp
    source field-eng.corp
exit
I also have a more specific lab service shown here:
# configure authority service sea-lab
show
name             sea-lab
service-group    reidlab
description      "Seattle lab service"
scope            private
security         corp-sec
address          172.25.128.0/24
access-policy    field-eng.corp
    source field-eng.corp
exit
access-policy    seattle-adam.field-eng.corp
    source     seattle-adam.field-eng.corp
    permission allow
exit
service-policy   sea-lab-redundant-policy
As any service with a port defined takes precedence for service routing, when I try to send a packet towards a destination in the "sea-lab" service (e.g. 172.25.128.5) on port 443, the path selected uses the "service-route" defined for the "internet-443-only" service.
I was able to configure the "sea-lab" service with all TCP ports as defined here to make the desired solution, but curious if anyone else has any better ideas:
# configure authority service sea-lab
show
name             sea-lab
service-group    reidlab
description      "Seattle lab service"
scope            private
security         corp-sec
transport        tcp
    protocol   tcp
    port-range 0
        start-port 0
        end-port   65535
    exit
exit
transport        udp
    protocol udp
exit
transport        icmp
    protocol icmp
exit
address          172.25.128.0/24
access-policy    field-eng.corp
    source field-eng.corp
exit
access-policy    seattle-adam.field-eng.corp
    source     seattle-adam.field-eng.corp
    permission allow
exit
service-policy   sea-lab-redundant-policy
# show sessions | grep 172.25.128 -A1
Piping output...
a7cf3873-32cc-4130-b807-8ee9fd176a6d sea-lab seattle-adam.field- LAN 128 TCP 172.25.129.102 60312 172.25.128.5 443 0.0.0.0 0 true 4 0 days 0:00:05
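To make the precedence problem in the post concrete, here is an added example (not from the original post and not the router's own code) that models the selection rule as the post states it: a service with a port defined wins over an address-only service, and the most specific prefix wins among equals. The rule itself is an assumption taken from the post's observation; service names, prefixes and ports come from the configurations above, and a transport with no port-range is treated as matching all ports.

```python
# Added example: a toy model of service selection as described in the post.
# Assumption: port-defined services beat address-only ones, then longest prefix.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    address: str                       # destination prefix, e.g. 172.25.128.0/24
    # (transport, start_port, end_port); an empty list means no port defined.
    # A transport configured without a port-range is modelled as 0-65535.
    ports: list = field(default_factory=list)

    def matches(self, dst_ip, transport, dst_port):
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.address):
            return False
        if not self.ports:             # address-only service: any port matches
            return True
        return any(t == transport and lo <= dst_port <= hi
                   for t, lo, hi in self.ports)


def select_service(services, dst_ip, transport, dst_port):
    """Return the name of the service a flow would be routed through, or None."""
    cands = [s for s in services if s.matches(dst_ip, transport, dst_port)]
    if not cands:
        return None
    # Port-defined services first (the post's observation), then longest prefix.
    cands.sort(key=lambda s: (bool(s.ports),
                              ipaddress.ip_network(s.address).prefixlen),
               reverse=True)
    return cands[0].name


# Services from the post (constructed from the configurations shown above).
INTERNET_443 = Service("internet-443-only", "0.0.0.0/0", [("tcp", 443, 443)])
SEA_LAB_BEFORE = Service("sea-lab", "172.25.128.0/24")
SEA_LAB_AFTER = Service("sea-lab", "172.25.128.0/24",
                        [("tcp", 0, 65535), ("udp", 0, 65535), ("icmp", 0, 65535)])

if __name__ == "__main__":
    for label, lab in (("before", SEA_LAB_BEFORE), ("after", SEA_LAB_AFTER)):
        chosen = select_service([INTERNET_443, lab], "172.25.128.5", "tcp", 443)
        print(f"{label}: 172.25.128.5:443 -> {chosen}")
```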