HSL iRule broken after the move from 11.4 to 11.6

Question

Here's the basic iRule. We're using to record client ip addresses for ldap requests in a snatted environment.
Working without issue in 11.4. Failing entirely in 11.6. Any help is immensely appreciated.&nbsp;
when CLIENT_ACCEPTED {
  set hsl [HSL::open -proto UDP -pool /Common/syslog-pool] 
} &nbsp;
when SERVER_CONNECTED {
  set FrontEnd "[IP::client_addr]:[TCP::client_port] &lt;-&gt; [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
  set BackEnd  "[IP::local_addr]:[TCP::local_port] &lt;-&gt; [serverside {IP::remote_addr}]:[TCP::server_port]"
   Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
  HSL::send $hsl "&lt;190&gt; LDAP HSL: $FrontEnd | $BackEnd"
  test by logging locally
  log local0.  "$FrontEnd  $BackEnd"
}&nbsp;
Notes: 
1. iRule will correctly write to the local logs if I uncomment that functionality.  Changing from an HSL pool to an HSL publisher makes no difference in lack of functionality.&nbsp;

The vip using the iRule exists in a different partition than /Common, but replicating the pool, iRule and/or the publisher in the other partition makes no difference in lack of functionality.&nbsp;

$hsl resolves to "MDS:/Common/syslog-pool:UDP"&nbsp;

sstafford · Answer

I think we got it.  It appears to be somewhat related to the issues in this old SOL;
https://support.f5.com/kb/en-us/solutions/public/11000/600/sol11659&nbsp;
The firewall logs are recording a large number of denies on traffic between the LTMs and the syslog servers that look like this;&nbsp;
Dec  4 14:21:00 152.19.253.108 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 127.1.1.2/5966-&gt;172.27.47.21/514 junos-syslog 17(0) DC-UNIVERSAL-DENY(global) F5-Datacenter-DMZ ITS-OS-DMZ-prod UNKNOWN UNKNOWN N/A(N/A) reth0.1641&nbsp;
Nothing like this appears in those logs prior to the upgrade to 11.6.&nbsp;
So, for whatever reason, the ip address the F5 is using to communicate via HSL changed from the floating ip to 127.1.1.2.  Any ideas on how to address that? &nbsp;

hooleylist · Answer

Hi,&nbsp;
Can you open a support case and reference BZ454636?  There should be a workaround and/or fix available via F5 Support.&nbsp;
Thanks, Aaron&nbsp;

sstafford · Answer

Done.  Thanks!&nbsp;

chris_fp · Answer

Did you get any resolution to this issue?

sstafford · Answer

Yes.  It started functioning again after Hotfix 4 was applied.

Forum Discussion

HSL iRule broken after the move from 11.4 to 11.6

5 Replies

Recent Discussions

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

Using okta as SSO to login F5 GUI

snmp automatic stop mail send

BIG-IP DNS iRule issue with static variable

Related Content

Mitigation of OWASP API Security Risk: Broken Authentication using F5 XC Platform

OWASP Tactical Access Defense Series: Broken Authentication and BIG-IP APM

OWASP Tactical Access Defense Series: Broken Object Property Level Authorization and BIG-IP APM

OWASP Tactical Access Defense Series: Broken Object Level Authorization and BIG-IP APM

Lightboard Lessons: OWASP Top 10 - Broken Authentication