iRule forwarding to Virtual Server not working
Hey guys,
I manage a really old BIG-IP environment. Most of the configuration was not made by me, so I'll try to give you a brief overview of what I have here. There is a BIG-IP cluster, some partitions configured, some route domains configured. In the Common partition, for example, I have to specify IP addresses in ASM address exceptions with %1 to get matches.
Here is my challenge:
I have a VS VirtualServer-443 that is offloading SSL traffic for several SNIs. This VS VirtualServer-443 works fine. We want to implement WAF features but we have no testing capabilities. The idea is to deploy another VS (TargetVirtualServer) beside the prod VS VirtualServer-443. Traffic from specific friendly users should be intercepted by an iRule bound to the VirtualServer-443 and forwarded to the new TargetVirtualServer. The TargetVirtualServer holds the same configuration as VirtualServer-443:
- Same client SSL profiles (including default for SNI)
- Same serverssl profile
- AutoMap
- Same Destination pool
- Same HTTP profile
- Same Request Adapt profile (for ICAP)
Imagine the TargetVirtualServer as a clone of the VirtualServer-443.
I have a super simple iRule that should solve my problem attached to VirtualServer-443.
    # Check the HTTP request and set client IP in variable
    when HTTP_REQUEST {
        set source_ip [IP::client_addr]
        # Check if the source IP is one of the allowed IPs
        if { $source_ip eq "x.x.x.x%1" || $source_ip eq "y.y.y.y%1" } {
            log local0. "client: $source_ip"
            virtual TargetVirtualServer
            log local0. "[virtual]"
        }
    }

Unfortunately it doesn't work at all. Here is the log output:
<HTTP_REQUEST>: client: SrcIP%1
<HTTP_REQUEST>: /Common/VirtualServer-443
I even attached a traffic policy to VirtualServer-443 to solve this but it did not work out (removed the iRule before). I have other BIG-IPs where I use the good old VIP-targeting-VIP concept in conjunction with traffic policies and it works out like a charm. But there is only the default route domain configured.
I have no clue why the BIG-IP tries to forward the traffic to the same VS (VirtualServer-443) instead of to TargetVirtualServer. I suspect the route domains are the cause of my trouble, but I am not sure about that. Any ideas?