Forum Discussion
Cookie insert troubles
I am trying to do cookie-insert persistence along with an iRule that sets the domain value for the cookie. Whenever I have all of the parts together on the virtual server (http profile, cookie persistence profile, iRule) I just get resets. I don't even get through to the site; however, if I strip all of these off I get to the site just fine. No combination of one or more of these settings works.
Not sure what is going on. Here is the code in the iRule I am using.
when HTTP_RESPONSE {
    # Check if the persistence cookie exists in the response
    if {[HTTP::cookie exists "MS-WSMAN"]} {
        # Set the domain attribute on the persistence cookie
        HTTP::cookie domain "MS-WSMAN" "domain"
    }
}
- Chris_Grant (Employee)
Do you have an http profile on your virtual server? You must have an HTTP profile to use an HTTP iRule. Also, if you take a packet capture with full noise, what is the listed reason for the resets? It will be visible in Wireshark as a plain text addendum to the packet. To take a full noise capture:
tcpdump -s0 -i :nnn -w /var/tmp/.pcap
Note: edited to restore the formatting of the suggested capture string
- Stanislas_Piro2 (Cumulonimbus)
Hi,
If you have TCP resets because of this iRule, you may have Tcl errors in the /var/log/ltm file.
- mbkosiba_310067 (Nimbostratus)
Yeah, I have the http profile on. I'm taking a look at running this capture now. I found that I only need the cookie insert persistence profile on with the name of the cookie I need and it inserts as desired, so the iRule doesn't seem to be needed. I can get this working fine on port 80 but with port 443 I'm seeing the resets. I have the service certificate but it is looking like there is an issue with the certificate. I can take every setting off, including the certificate, making it a very plain VS - the site comes up, but if I simply add the cert, which is simple to do, I'm getting resets.
- Chris_Grant (Employee)
I assume you are creating a new virtual server on port 443 with the certs? If you are just adding the cert, then you would need to test with an explicit port (since the virtual server will be listening on port 80):
https://..:80/
- mbkosiba_310067 (Nimbostratus)
Yeah, I have a VS for ports 80 and 443; however, what I am seeing is this. If I put the cert for the application via an SSL profile on and the generic SSLServer profile on, connections get reset immediately. If I do the same thing but instead put the server-ssl-insecurecompatible profile on in place of the generic SSLServer profile, then all works fine. Taking a packet capture seems to suggest that between the client and the VS, traffic gets encrypted, but between the VS and the web servers, the web servers are refusing to encrypt traffic and I can see data in plain text.
- Chris_Grant (Employee)
If you are adding a server-ssl-insecurecompatible profile then the back end should be encrypted, just with a weak cipher. In order to have plain text on the back end you would need to remove the serverssl profile entirely.
I will assume that you are changing to a 443 pool when you add the serverssl profile, in which case you likely need to upgrade the servers to support better ciphers.
To explain a bit more, the serverssl profile tells the BigIP to open a connection with the pool member and send a Client Hello. Without this, the BigIP will start with your chosen HTTP Method (normally GET). With a serverssl profile no HTTP data will be transferred until after the SSL connection has been established.
The insecurecompatible profile uses less secure ciphers than the regular profile, but otherwise behaves exactly the same. No HTTP data will be transferred until after the SSL connection has been established.
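Added example, not part of the thread or any poster's code: a small Python check for the first server-side payload pulled from a capture, telling apart the two cases described above (a TLS Client Hello when a serverssl profile is attached, a bare HTTP method when it is not) and listing the cipher suites the Client Hello offers. The function names and the sample bytes are constructed for illustration and are not taken from a real BIG-IP capture.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_first_payload(data: bytes) -> dict:
    """Classify the first bytes sent to a pool member on the server side."""
    if data.startswith(HTTP_METHODS):
        # No serverssl profile: the request goes out in plain text.
        return {"kind": "http", "method": data.split(b" ", 1)[0].decode()}
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake,
    # followed by handshake type 0x01 = ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        try:
            return parse_client_hello(data)
        except (struct.error, IndexError):
            return {"kind": "tls_truncated"}
    return {"kind": "unknown"}

def parse_client_hello(data: bytes) -> dict:
    pos = 5 + 4                      # record header + handshake header
    version = struct.unpack_from("!H", data, pos)[0]
    pos += 2 + 32                    # client_version + 32-byte random
    pos += 1 + data[pos]             # session_id length byte + session_id
    cs_len = struct.unpack_from("!H", data, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", data, pos + i)[0]
              for i in range(0, cs_len, 2)]
    return {"kind": "tls_client_hello", "version": hex(version),
            "cipher_suites": suites}

def build_sample_client_hello(suites) -> bytes:
    """Constructed sample input: a minimal ClientHello with no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# 0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA
SAMPLE_HELLO = build_sample_client_hello([0xC02F, 0x002F])

if __name__ == "__main__":
    print(classify_first_payload(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
    print(classify_first_payload(SAMPLE_HELLO))
```

Comparing the offered suite list against what the pool member is configured to accept shows whether a reset during the handshake comes from a cipher mismatch.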