Forum Discussion
BIG-IP : redirect loop : debugging techniques
BIG-IP 11.4.0 Build 2384.0 Final
In my hosts file I point
www.mydomain.comhttp://www.mydomain.com/natural-language-url-1and the page is returned as expected..
In BIG-IP , I have configured a single virtual-server
vip-01irule-01when HTTP_REQUEST {
log local0. "HTTP_REQUEST received by irule-01"
log local0. "host = [HTTP::host]"
log local0. "uri = [HTTP::uri]"
switch -glob [string tolower [HTTP::host]] {
"www.mydomain.com" {
switch -glob [string tolower [HTTP::uri]] {
"/api/*" {
pool service-pool-01
}
default {
log local0. "matched default pool"
pool default-pool-01
}
}
}
}
}
Now, in my hosts file I point
www.mydomain.comvip-01http://www.mydomain.com/natural-language-url-1and the client-browser reports an infinite-redirect error
"This webpage has a redirect loop"BIG-IP > System > Logs > Local Traffic
Rule /Common/irule-01 : HTTP_REQUEST received by irule-01`
Rule /Common/irule-01 : host = www.mydomain.com
Rule /Common/irule-01 : uri = /natural-language-url-1
Rule /Common/irule-01 : matched default pool
... repeat 10 times ...
Fiddler shows that 21 302-redirects have occurred :
Result 302
Protocol HTTP
Host www.mydomain.com
URL /natural-language-url-1
Body 185
Caching private
Content-Type text/html; charset=utf-8
Process chrome:7516
Comments
Custom
NOTE 1 : on vip-01, Source Address Translation = Auto-Map
NOTE 2 : I have complete control over the web-server ( remote access with ability to modify configuration, run diagnostics, perform local tests, etc. )
NOTE 3 : The web-server expects the request to include the domain. Sending a request with host = {web-server-host-name} , or host = {web-server-ip} will throw an error because IIS will be unable to locate the virtual app.
What are some debugging techniques I can deploy to further diagnose the underlying cause of the redirect loop ?
- Kevin_Stewart
Employee
From the command line, type:
ifconfigThis will show you all of the interfaces on the system. If for example you've named the internal VLAN "internal", then you can actually use this VLAN name in tcpdump.
tcpdump -lnni internal -Xs0If you wanted to show traffic from all interfaces, you can use 0.0
tcpdump -lnni 0.0 -Xs0As for additional filters, assuming you have other traffic on the internal VLAN that you want to not see, you can add filters to the tcpdump to limit what you capture. So for example, if the web server is listening on port 80 and its IP address is 10.10.10.1, a tcpdump with additional filtering might look like this:
tcpdump -lnni internal -Xs0 host 10.10.10.1 and port 80The -Xs0 option will dump the layer 7 payload to the screen, so you'll be able to see a 302 response if it is in fact coming from the web server.
Looking at the response from curl command, the server header says "Microsoft iis". That pretty much guarantees that it is the server that is sending the 302 redirect.
If the bigip sent a 302, the server header would have been "BIGIP". unless it is configured to masquerade as an iis server which I don't think you did.
- Kevin_Stewart
Good catch John. So BaltoStar you should definitely see the 302 coming from the web server, which now of course begs the question, why? Is there ANYTHING configured in IIS or the application itself that could do this? Specifically, what conditions might the web server or asp.net be configured to issue a redirect? Given that the layer 7 HTTP requests are virtually identical, can it not like the source address? Do you see any differences in the HTTP request on the client side of the F5 and on the server side, as in the F5 may be altering the request along the way? You'd see this in your internal tcpdump. Is there otherwise anything different between a direct request and the proxied request other than the source address? If you were to stand up a simple generic web page in IIS, can you get it through the F5?
