For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

John_Alam_45640's avatar
John_Alam_45640
Historic F5 Account
Sep 10, 2014

Thanks for catching the mistake with displaying the variable, "%" instead or "$".

Start by looking at the /var/log/ltm to make sure you don't have a syntax error in the iRule.

The check agent_id. Does the agent_id you specified in the VPE for the IRULE_AGENT match the iRule "if" condition:

if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {

There are a couple of options for troubleshooting. You can define the variable before you scan the datagroup like this: 

when ACCESS_POLICY_AGENT_EVENT { 
     ACCESS::session data set session.logon.last.username_found_in_list [ACCESS::policy agent_id]
     if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {
         set user [ACCESS::session data get session.logon.last.username]
         if { [class match $user equals DataGroupList_A] } { 
            ACCESS::session data set session.logon.last.username_found_in_list 1
         } else {
            ACCESS::session data set session.logon.last.username_found_in_list 0
         }
      }
}

Now, check the variable in the message box again. If it is equal to the agent_id, you know that the first "if" is not matching and the agent_id is not recognized.

Another option is to add log commands to the iRule and view the traces in the /var/log/ltm file.

when ACCESS_POLICY_AGENT_EVENT { 
     log local0. "Agent ID: [ACCESS::policy agent_id], Username: [ACCESS::session data get session.logon.last.username]"
     if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {
         set user [ACCESS::session data get session.logon.last.username]
         if { [class match $user equals DataGroupList_A] } { 
            ACCESS::session data set session.logon.last.username_found_in_list 1
            log local0. "Found username in datagroup, [ACCESS::session data get session.logon.last.username_found_in_list]"
         } else {
            ACCESS::session data set session.logon.last.username_found_in_list 0
            log local0. "Did NOT Find username in datagroup, [ACCESS::session data get session.logon.last.username_found_in_list]"
         }
      }
}

Remember to remove, or comment out, the log commands when you are done troubleshooting.

HTH