File dowloaded is corrupted

Question

I've noticed that downloading an excel report fails from one of our customer's websites, which is published through the big ip F5 (LTM and ASM module enabled).
The resulting file doesn't contain the expected values, but instead there's a copy of the site's html web page. When performing server for direct download the file is correct.

The virtual server is on port https and has one pool member in https. It's configured with 2 http profile (f5-tcp-wan and f5-tcp-lan) ans ssl profiles (clien-side ans server-side), no cookie profile, no ltm policy profile, no irule.
in capture file traffic i get : I have the reason for the session reset by the big ip ---> http Unexpected server data past end of response.
In ltm log file i see this message : "http_handle_pipelined_data - Invalid action:0x108000 Server sends too much data. serverside..."

i tried to troubleshoot by adding an irule to disable http check when Content-Type is application/octet-stream but i continue getting the same error in /var/log/ltm
I finaly modify the virtual server which has now only a simple tcp profile, no http rofile, no ssl profile. But i get the same error.

liefzimmerman · Answer

Bellematyma - I archived your dupe post. Seems you aren't getting any attention on this one. Can you clarify your request - maybe that'll help (someone else or me) find an answer?
You have errors but what is the report about? I can't quite sort out what you are trying to do / asking for help on.

nikoolayy1 · Answer

I see&nbsp; that you opened a second post and to be honest I see no point in doing so.
&nbsp;
Outside of that probably you have tested "modify /sys db tmm.http.passthru.invalid_content_length value enable" ?
&nbsp;
Error Message: 011f0016:3: http_process_state_prepend - Invalid action:&lt;code&gt; Server sends too much data.
&nbsp;
&nbsp;
Interesting to review if you have ASM/AWAF features that need to check the full response body and to review the ASM logs as well.
&nbsp;
(See the related links as well):
ASM/AWAF features that cause HTTP response accumulation
&nbsp;
Check the ASM logs:
&nbsp;
Configuring the BIG-IP ASM system to parse HTTP responses that are larger than 50 MB in length (11.x - 15.x)
&nbsp;
You may also test stopping the ASM if needed when the file download URL is matched and just for "HTTP_RESPONSE" event as to not create big security hole.
&nbsp;
example:
Bypassing ASM on HTTP response | DevCentral

liefzimmerman · Answer

I archived the other post Nikoolayy1​ - thanks for the heads up.Bellematyma​ - if this addresses your question please consider Mark As Solution on Nikoolayy1's post.
Cheers.

bellematyma · Answer

Hello, sorry i'm new on this forum so i didn't see you archived my post.

Sorry i don't explain clearly all the context.

Our customer chooses to publish several sites using a common public address. The public ip address returns traffic received on the Big ip which forwards it where to a virtual server (mutual_vs) on port https. This has an ltm policy which redirects traffic based on domain name in the host header of received request to another virtual server vs_app.

The vs_app is on port https and has one pool member in https. It's configured with 2 http profile (f5-tcp-wan and f5-tcp-lan) ans ssl profiles (clien-side ans server-side), no cookie profile, no ltm policy profile, no irule.

The external user can access to the website of the v_app without an error page. After authenticated in the website, he can also navigate through the different pages of the site without an error page. In the website he can use a plugin to report information about an incident and download the summary in an excel file.

The file received doesn't have the expected values, but instead there's a copy of the site's html web page.

In capture file traffic i get : I have the reason for the session reset by the big ip ---> http Unexpected server data past end of response.
In ltm log file i see this message : "http_handle_pipelined_data - Invalid action:0x108000 Server sends too much data. serverside..

i tried to troubleshoot by adding an irule in the vs_app to disable http check when Content-Type is application/octet-stream but i continue getting the same error in /var/log/ltm
I finaly modify the vs_app which has now only a simple tcp profile, no http profile, no ssl profile. But i get the same error.

I notice that when the traffic flow bypass the mutual_vs and go directly through the vs_app (with my last changes) it works as expected fo the customer and the file is as expected.

I need your help to understand what's cause this issue.

bellematyma · Answer

Hello, anyone can help ?

Forum Discussion

File dowloaded is corrupted

6 Replies

Introducing the F5 Application Study Tool (AST)

Displaying Application Study Tool (AST) Dashboards in Your Own Grafana Instance

Recent Discussions

What dose "Accept" do in BIG-IP ASM event logs

Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?

Change Content-Type from application/octet-stream to multipart/form-data

f5 AI Gateway pii-redactor not working

Terraform apply failures - loadbalancer_type.https.port_choice

Related Content

File Uploads and ASM

CSV to Address External Datagroup File

File upload and ASM

iRule to serve security.txt file - RFC 9116

iControlREST Swagger File

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS