For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JimT02's avatar
JimT02
Icon for Nimbostratus rankNimbostratus
Aug 09, 2016

Help pinpoint what packet is have RFC2616 issues related to a http_profile on LTM

Problem: have a vip with a http_profile proxying to an IIS server with a ssl client & server profile. we receive the following error:

 

011f0007:http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS (Server side: vip=xxxx_vs profile=http pool=xxxx_pool).

 

If we remove the http_profile, the error goes away.

 

Actions taken to find cause:

 

Have studied https://support.f5.com/kb/en-us/solutions/public/5000/900/sol5922.html. ran wireshark on the proxy site, but have not been able to identify any abnormalities or what exactly is RFC2616 issues.

 

Is there anything else in F5 or other tools to help pinpoint what packet is have RFC2616 issues? What is a method for finding these?

 

application delivery
iRules
LTM
security

1 Reply

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Aug 09, 2016

    Hi Jim,

    to find out which request/response is triggering the problem, you may try to 

    [log]
    the HTTP requests which doesn't get a response...

    when HTTP_REQUEST {
    set log_request [HTTP::uri]
}
when HTTP_RESPONSE {
    set log_request ""
}
when CLIENT_CLOSED {
    if { $log_request ne "" } then {
        log local0.debug "Unanswered Request: $log_request"
    }
}

    Note: I don't know if the 

    CLIENT_CLOSED
    event will trigger after the exemption is raised. But give it a go to find out...

    Once you've identified the URLs triggering the protocol violateion, grap the headers and post them here...

    Cheers, Kai