Forum Discussion
Brian_Gupta_115
Nimbostratus
Nov 04, 2005
Debugging a rule...
For some reason, my browser is having to request a certain URL 5 times before the BigIP sends the request... (please note this only happens the first time the browser requests the document.)
-Brian
Nov 4 15:30:31 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:30:47 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:03 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:19 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:34 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:34 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14063/cbl_ptpdbtst_1160103.log
Nov 4 15:31:34 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14063/cbl_ptpdbtst_1160103.log
Nov 4 15:31:35 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Here is the rule:
when HTTP_REQUEST {
    set my_uri [string tolower [HTTP::uri]]
    set usessl 0
    if { $my_uri starts_with "/servlets/iclientservlet/hr" } {
        redirect to "/hr"
    } elseif { $my_uri starts_with "/servlets/iclientservlet/selfservice" } {
        redirect to "/selfservice"
    } elseif { $my_uri == "/hr" } {
        redirect to "/HR/signon.html"
    } elseif { $my_uri == "/selfservice" } {
        redirect to "/SELFSERVICE/signon.html"
    } elseif { $my_uri == "/payroll" } {
        redirect to "/PAYROLL/signon.html"
    } elseif { $my_uri == "/finti" } {
        redirect to "/FINTI/signon.html"
    } elseif { $my_uri == "/finspc" } {
        redirect to "/FINSPC/signon.html"
    } elseif { $my_uri contains "/finti/?cmd=login" } {
        redirect to "/psp/PAEP/?cmd=login"
    } elseif { $my_uri contains "/finspc/?cmd=login" } {
        redirect to "/psp/PAEP/?cmd=login"
    } elseif { $my_uri contains "/crmp/?cmd=login" } {
        redirect to "/psp/PAEP/?cmd=login"
    } elseif { $my_uri == "/paep" } {
        redirect to "/PAEP/signon.html"
    } elseif { $my_uri == "/crmp" } {
        redirect to "/CRMP/signon.html"
    } elseif { [matchclass $my_uri contains $::ps_portal_uris] } {
        pool ps_pa_ssl
        snat none
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_rpt_hrms_uris] } {
        pool ps_rpt_hrms_ssl
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        pool ps_rpt_fin_ssl
        log [HTTP::uri]
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_rpt_crm_uris] } {
        pool ps_rpt_crm
    } elseif { [matchclass $my_uri contains $::ps_hrms_uris] } {
        pool ps_hrms_ssl_prod
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_fin_uris] } {
        pool ps_fin_ssl_prod
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_crm_uris] } {
        pool ps_crm_ssl
        snat none
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_gwib_uris] } {
        pool ps_hrms_ssl_prod
        snat none
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_gwam_uris] } {
        pool ps_fin_ssl_prod
        snat none
        set usessl 1
    } else {
        reject
    }
}
when SERVER_CONNECTED {
    if { $usessl == 0 } {
        SSL::disable
    }
}
when HTTP_REQUEST_SEND {
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
when HTTP_RESPONSE {
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
5 Replies
- Brian_Gupta_115
Nimbostratus
I added log statements for LB_SELECTED and SERVER_CONNECTED. Note: It is taking about 30 seconds for the BigIP to connect to the server.
-Brian
Nov 4 16:17:26 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14064/.stdout
Nov 4 16:17:26 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14064/.stdout
Nov 4 16:17:42 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14064/.stdout
Nov 4 16:17:42 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14064/.stdout
Nov 4 16:17:58 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14064/.stdout
Nov 4 16:17:58 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14064/.stdout
Nov 4 16:17:58 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14064/.stdout
Nov 4 16:17:58 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14064/.stdout
Nov 4 16:18:00 tmm tmm[14602]: 01220002: repeated 6 times
when HTTP_REQUEST {
    set my_uri [string tolower [HTTP::uri]]
    set usessl 0
    if { $my_uri starts_with "/servlets/iclientservlet/hr" } {
        redirect to "/hr"
    } elseif { $my_uri starts_with "/servlets/iclientservlet/selfservice" } {
        redirect to "/selfservice"
    } elseif { $my_uri == "/hr" } {
        redirect to "/HR/signon.html"
    } elseif { $my_uri == "/selfservice" } {
        redirect to "/SELFSERVICE/signon.html"
    } elseif { $my_uri == "/payroll" } {
        redirect to "/PAYROLL/signon.html"
    } elseif { $my_uri == "/finti" } {
        redirect to "/FINTI/signon.html"
    } elseif { $my_uri == "/finspc" } {
        redirect to "/FINSPC/signon.html"
    } elseif { $my_uri contains "/finti/?cmd=login" } {
        redirect to "/psp/PAEP/?cmd=login"
    } elseif { $my_uri contains "/finspc/?cmd=login" } {
        redirect to "/psp/PAEP/?cmd=login"
    } elseif { $my_uri contains "/crmp/?cmd=login" } {
        redirect to "/psp/PAEP/?cmd=login"
    } elseif { $my_uri == "/paep" } {
        redirect to "/PAEP/signon.html"
    } elseif { $my_uri == "/crmp" } {
        redirect to "/CRMP/signon.html"
    } elseif { [matchclass $my_uri contains $::ps_portal_uris] } {
        pool ps_pa_ssl
        snat none
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_rpt_hrms_uris] } {
        pool ps_rpt_hrms_ssl
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        pool ps_rpt_fin_ssl
        log [HTTP::uri]
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_rpt_crm_uris] } {
        pool ps_rpt_crm
    } elseif { [matchclass $my_uri contains $::ps_hrms_uris] } {
        pool ps_hrms_ssl_prod
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_fin_uris] } {
        pool ps_fin_ssl_prod
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_crm_uris] } {
        pool ps_crm_ssl
        snat none
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_gwib_uris] } {
        pool ps_hrms_ssl_prod
        snat none
        set usessl 1
    } elseif { [matchclass $my_uri contains $::ps_gwam_uris] } {
        pool ps_fin_ssl_prod
        snat none
        set usessl 1
    } else {
        reject
    }
}
when SERVER_CONNECTED {
    if { $usessl == 0 } {
        SSL::disable
    }
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
when HTTP_REQUEST_SEND {
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
when HTTP_RESPONSE {
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
when HTTP_RESPONSE_CONTINUE {
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
when LB_SELECTED {
    if { [matchclass $my_uri contains $::ps_rpt_fin_uris] } {
        log $my_uri
    }
}
- Colin_Walker_12
Historic F5 Account
brandorr,
Well, from the described behavior and the log entries, there isn't enough information to give a definite answer.
I can certainly say it looks like your rule might have a couple of redirects that will force it to redirect again:
    ... redirect to "/hr" ... } elseif { $my_uri == "/hr" } { redirect to "/HR/signon.html" ...
This kind of behavior will cause delays, as the request has to process through the complex rule multiple times before reaching its final destination.
That being said, to further diagnose the issue you're seeing, I'd recommend taking simultaneous, full tcpdumps on both interfaces of the BIG-IP to see what traffic is actually being passed from/to the client and the server. With this data you'll be able to see the request that the client machine is sending, and the exact response the BIG-IP is sending back. Hopefully this will paint a little bit more clear picture as to what's going on.
HTH,
-Colin
- Brian_Gupta_115
Nimbostratus
After seeing the TCPDUMP, it looks like for some reason SNAT is not functioning for that particular matchclass...
-Brian
P.S. - The dual redirects are mostly legacy URIs that are rarely used... I just have them there, so they don't have to put them on the webservers.
- Colin_Walker_12
Historic F5 Account
That doesn't make much sense. Why would that stop it from responding the first few times, and not the last one?
-Colin
- Brian_Gupta_115
Nimbostratus
The last one is sent with the BigIP SNAT address. Ok here's a clue... The packets that are going through without SNAT are SYN packets. Oddly, I'm not seeing a SYN packet coming in from the client on the EXTernal VLAN. I am however seeing it on the INTernal VLAN. (Without the SNAT).
http://www.ethereal.com has a very nice tool for viewing tcpdumps.
Another clue: it *looks* like the HTTP Request is using an existing connection...
-Brian
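
One way to read the log excerpt from the first post against the rule that produced it, as an added example that is not part of the thread: in that rule `log [HTTP::uri]` runs in HTTP_REQUEST and keeps the client's case, while `log $my_uri` runs in HTTP_REQUEST_SEND and HTTP_RESPONSE and is lower-cased, so the case of the logged URI shows which side of the proxy each line came from. The function names, the `year` default (syslog lines carry no year; 2005 is the thread's date) and the case-based classification are assumptions of this sketch.

```python
import re
from datetime import datetime

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Nov 4 15:30:31 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:30:47 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:03 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:19 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:34 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
Nov 4 15:31:34 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14063/cbl_ptpdbtst_1160103.log
Nov 4 15:31:34 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/psunx/14063/cbl_ptpdbtst_1160103.log
Nov 4 15:31:35 tmm tmm[14602]: 01220002:6: Rule psoft_parse : /psreports/PSUNX/14063/CBL_PTPDBTST_1160103.log
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ tmm\[\d+\]: [\d:]+ Rule (\S+) : (\S+)$"
)

def parse(text, year=2005):
    """Yield (timestamp, side, uri) for each rule log line.

    Assumption: the client sends a URI containing upper-case characters, so an
    original-case line is the HTTP_REQUEST log ("client") and an all-lower-case
    line is one of the `log $my_uri` server-side events ("server").
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rule log line (e.g. "repeated N times")
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        uri = m.group(3)
        yield ts, ("server" if uri == uri.lower() else "client"), uri

def stall_summary(text):
    """Count client-side attempts logged before the first server-side event."""
    attempts, first_server = [], None
    for ts, side, _uri in parse(text):
        if side == "server":
            first_server = ts
            break
        attempts.append(ts)
    gaps = [int((b - a).total_seconds()) for a, b in zip(attempts, attempts[1:])]
    wait = None if first_server is None or not attempts else int((first_server - attempts[0]).total_seconds())
    return {"attempts": len(attempts), "gaps_s": gaps, "wait_s": wait}

if __name__ == "__main__":
    print(stall_summary(SAMPLE_LOG))
```

A request whose URI is already all lower-case cannot be classified this way; logging a distinct label per event in the rule removes the ambiguity.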
