
krisdames2
Sep 20, 2022

iRule help - pool command and ERR_RTE routing problem

I am running on 14.1.4 and I have an iRule on an HTTPS virtual in route domain 1 with an iRule to do content switching based on URI. The new pool I am switching to has members that require SNI. It is failing even though I have connectivity to the pool members via the command line (while in the same route domain), so it does not seem to be a firewall issue. The server SSL profile I am using is providing the hostname required by the pool members.

when HTTP_REQUEST {
    set foo 0
    if { [HTTP::uri] starts_with "/foo/" } {
        set foo 1
        pool my_pool
    }
}
when SERVER_CONNECTED {
    if { $foo } {
        SSL::profile /ROUTEDOMAIN1/serverssl-mypool
    }
}
when LB_FAILED {
    log local0. "DEBUG2: event info: [event info]"
    log local0. "DEBUG2.1: lb info: [LB::server]"
}

The error given by [event info] is:
<LB_FAILED>: DEBUG2: event info: ERR_RTE
<LB_FAILED>: DEBUG2.1: lb info: /ROUTEDOMAIN1/my_pool 13.x.x.x 443

Any ideas about ERR_RTE?

 

5 Replies

    • krisdames2

      Mohamed_Salah_,

      I only have one SSL server profile attached to the virtual. Are you suggesting additional profiles must be attached to the virtual if I want to call them in an iRule with SSL::profile? The SSL server profile that I am calling in my iRule does have the server name that the new pool members need.

       

      • I think you should start considering generating a new tcpdump and decrypting the traffic using the below article.

        tcpdump -nnnveti 0.0:nnnp host "client IP" and port 443 -s0 -S -w /var/log/pcapname.pcap

        Decrypt traffic and assign the iRule on the virtual server:

        https://support.f5.com/csp/article/K12783074

         

  • I know this is old, but it came up on a Google search.

    We name our pools ending with _HTTP or _HTTPS, or other things. We then assign the VIP a serverssl profile and have this in an iRule:

    when SERVER_CONNECTED {
        if {!([LB::server pool] ends_with "_HTTPS") } {
            SSL::disable serverside
        }
    }