Forum Discussion

TLL_91858's avatar
TLL_91858
Icon for Cirrus rankCirrus
Dec 14, 2012

Error in iRule when invoking HTTP::release

I was running V10.2.4 HF3 and have upgraded to V11.2.1 HF1. I now have this iRule that won't run. It gives the following error:   - Illegal argument. Can't execute in the current context. (line ...
application delivery
dev
devops
iRules
nitass's avatar
nitass
Icon for Employee rankEmployee
Jan 19, 2013
hmm... i do not get the error when re-testing today. (= =*) 

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.3.0
  Build    2806.0
  Edition  Final
  Date     Tue Nov 13 22:34:00 PST 2012

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myclientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    ca-file ca.crt
    defaults-from clientssl
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
  set LogDebug 1
  set session_flag 0
  if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
}

when CLIENTSSL_HANDSHAKE {
  set LogDebug 1
  if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
  if { [SSL::cert count] > 0 } {
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
    HTTP::release
  } else {
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
  }
}

when HTTP_REQUEST {
  set LogDebug 1
  if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
    if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
    if { [SSL::cert count] == 0 } {
      if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
      HTTP::collect
      SSL::authenticate once
      SSL::authenticate depth 9
      SSL::cert mode require
      log local0.info "HTTP_REQUEST: when http request,now renegotiating"
      set session_flag 1
      SSL::renegotiate
    } else {
      if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
    }
  }
  log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
}
}

 client

[root@centos251 ca] curl -Ik https://172.28.20.14/mis --cert client1.crt --key client1.key
HTTP/1.1 404 Not Found
Date: Sat, 19 Jan 2013 14:35:38 GMT
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=iso-8859-1

 ltm log

[root@ve11a:Active:Changes Pending] config  tail -f /var/log/ltm
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Requiring certificate...and the request uri is :/mis
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,ssl cert count is 0,now http collect
Jan 19 22:03:23 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,now renegotiating
Jan 19 22:03:23 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 1
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=1
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is 1
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: Session flag is 1