Forum Discussion

vaahtera's avatar
Icon for Nimbostratus rankNimbostratus
Nov 05, 2019

HSSR sideband connection for querying LDAP not working

I'm having this issue, that i can't get the sideband connection to work. Code is like this:


  set apikey [URI::query [HTTP::uri] api-key]
  log local0. $apikey
  if {  $apikey eq "" } {
    log local0. "apikey is empty, redirecting to another virtual"
    virtual test-internal
  } else {
  log local0. "We got the apikey and begin HSSR connection"
    set status [call /Common/HSSR::http_req -virt "/test-internal-api" \
                 -uri "[URI::encode $apikey]" \
                 -tag "custom" -key $apikey -rbody rbody]
    if {($status == 200) && ($rbody ne "NOT_FOUND")} {
    log local0. "HSSR query successful, redirecting traffic to pool"
    pool test-pool


The test-internal-api virtual is assigned with access policy that has a simple LDAP query and a iRule that gets the reply for the sideband query.


Now when the user goes to that virtual where the iRule is assigned, ltm logs the following lines:


Nov 5 15:27:59 f5test01 info tmm1[17166]: Rule /Common/APIKEY <HTTP_REQUEST>: 010101-123N

Nov 5 15:27:59 f5test01 info tmm1[17166]: Rule /Common/APIKEY <HTTP_REQUEST>: We got the apikey and begin HSSR connection

Nov 5 15:27:59 f5test01 err tmm1[17166]: 01220001:3: TCL error: /Common/APIKEY <HTTP_REQUEST> - can't read "sts": no such variable   while executing "set e "connect to ${dest} '${server}' fails: ${sts} (${conn})""  (iRule proc "/Common/HSSR::http_req") (line 430)   invoked from within "call /Common/HSSR::http_req -virt "/test-internal-api" -uri "" -tag "custom" -key $apikey -r..."   invoked from within "if { $apikey eq "" } {   log local0. "apikey is empty, redirecting to another virtual"   virtual test-internal..."


What is that sts and where should it come from? No matter what i do to the call, the error is the same...

1 Reply

  • Ok, got this a bit further. I was missing the /Common before the virtual server in the call. But now as the another virtual has this iRule code, it never get's to the ACCESS_POLICY_COMPLETED:


    when HTTP_REQUEST {
     log local0. "Got http request to internal virtual"
     set apikey ""
     if {[HTTP::path] starts_with "/"} {
      regexp {/([^/]+)$} [HTTP::path] junk x
      set apikey [URI::decode $x]
     if {$apikey ne ""} {
     log local0. "Access session started on internal virtual"
      ACCESS::session data set session.custom.apikey $apikey
     set reply "NOT_FOUND"
     if {[ACCESS::session data get session.ldap.last.queryresult] == 1} {
      set reply [ACCESS::session data get session.ldap.last.attr.apikey]
     log local0. "Access session policy completed with reply: $reply"
     ACCESS::respond 200 content $reply Content-Type "text/plain" Connection close

    The access policy attached to this internal virtual contains only one LDAP query that ends in deny no matter what the query result is.


    What am i missing here?