For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Leonardo_39231's avatar
Leonardo_39231
Icon for Nimbostratus rankNimbostratus
Jul 15, 2013

IP::idle_timeout Issue

I have a "IP::idle_timeout" setting of 1800 seconds that I apply to traffic when the Host header starts with the word "server". The problem is that some of the traffic gets the 1800 seconds timeout and some of it doesn't(defaults to 300 seconds). I've applied logging in the irule to see the before and after idle setting which shows it should be set to 1800 seconds but when I look at the connection table it only has the default idle setting of 300 seconds. Anyone see an error in my logic below?

 

viprion 2400 running BIG-IP 11.2.0 Build 2451.0 Hotfix HF1

 

 

ltm virtual /legacy/virtual_443 {

 

destination /legacy/10.1.1.1:443

 

ip-protocol tcp

 

mask 255.255.255.255

 

partition legacy

 

persist {

 

/legacy/persist_virtual_profile {

 

default yes

 

}

 

}

 

pool /legacy/virtual_7777

 

profiles {

 

http_redirect_rewrite_profile { }

 

tcp-lan-optimized {

 

context serverside

 

}

 

tcp-wan-optimized {

 

context clientside

 

}

 

wildcard_virtual_cert {

 

context clientside

 

}

 

}

 

rules {

 

/legacy/redirect_some_virtual_to_http_rule_3

 

header_insert_https_indicator

 

default_snat_rule

 

}

 

vlans-disabled

 

}

 

ltm rule /legacy/redirect_some_virtual_to_http_rule_3 {

 

partition legacy

 

when HTTP_REQUEST {

 

set http_host [string tolower [HTTP::header "Host"]]

 

set http_uri [HTTP::uri]

 

 

if { $http_host starts_with "server" } {

 

IP::idle_timeout 1800

 

persist none

 

HTTP::header insert Secure-mode SSL

 

use pool virtual_8888

 

}

 

elseif { $http_uri starts_with "/config" or

 

$http_uri starts_with "/login" or

 

$http_uri starts_with "/ui" or

 

$http_uri starts_with "/utils" } {

 

HTTP::header insert Secure-mode SSL

 

use pool virtual_7777

 

}

 

else {

 

HTTP::redirect "http://$http_host$http_uri"

 

}

 

}

 

}

 

 

application delivery
dev
devops
iRules

2 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 13, 2013

    Can you post the default_snat_rule definition? I wonder if that SNAT iRule is forcing a 300 second idle timeout when SNAT is selected.

     

    Aaron

     

  • dlhace's avatar
    dlhace
    Icon for Nimbostratus rankNimbostratus
    Jul 14, 2015

    I ran into this same problem. I wanted to reset the idle_timeout only for certain things.

     

    I found the resolution in the documentation for IP::idle_timeout. https://devcentral.f5.com/wiki/iRules.IP__idle_timeout.ashx

     

    It appears that if you set idle timeout at the VIP level it set it for both client and server. But when I tried to set it in the irule I was only setting the client. The server needs to also be set so both sides are maintained.