Forum Discussion
iRule rejects connections but there is no reject command
Hi all,
We have a VS with several SSL sites. There is an iRule which looks like:

    when SERVER_CONNECTED {
        if { $doSSL == 1 } {
            SSL::profile Server-profile1
        } elseif { $doSSL == 2 } {
            SSL::profile Server-profile2
        }
        [...]
        elseif { $doSSL == 9 } {
            SSL::profile Server-profile9
        }
    }
    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "example1.com" {
                SSL::disable serverside
                set doSSL 0
                pool POOL_A_80
            }
            "example2.com" {
                log local0. "hit 2"
                set doSSL 1
                pool POOL_A_443
            }
            [...]
            "problem.here.com" {
                log local0. "hit 9"
                set doSSL 9
                pool POOL_A_443
            }
            default { log local0. "no match" }
        }
    }

We are getting RST from the F5 for https://problem.here.com. Using tcpdump on the outside interface of F5 we got: rst_cause="[0x1ed0a34:5684] iRule execution (reject command)"
But, there is no reject command in the iRule! All the other sites are working like a charm. By the way, we are not getting any log. Thanks in advance!
- VernonWells (Employee)
Add a logging statement to the SERVER_CONNECTED event before the if command to determine whether the exception is being raised from there. If so, place it in the elseif clause before and after the SSL::profile command to determine whether that is the cause. I suspect that BIG-IP doesn't want to connect the profile for one reason or another.
Incidentally, in the SERVER_CONNECTED you can also use a switch:

    when SERVER_CONNECTED {
        log local0. "-- In SERVER_CONNECTED --"
        switch $doSSL {
            "1" { SSL::profile Server-profile1 }
            "2" { SSL::profile Server-profile2 }
            ...
            "9" {
                log local0. " -- doSSL == 9 --"
                SSL::profile Server-profile9
                log local0. " -- after SSL::profile --"
            }
        }
    }

- noje_224243 (Nimbostratus)
This was strange... I tried your log lines and nothing got logged, even for working sites. That made me think if the iRule was correctly updated in the config or not. I checked bigip.conf and everything was OK. So I made a copy of the iRule and replaced it in the VS. Now everything is working and logged. I really don't know what happened here, but something was wrong with that iRule internally. BTW thanks for the switch suggestion, it was on my To-Do list :-)
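
Added example (not part of the thread and not F5 tooling): a small Python script that pulls rst_cause values out of tcpdump text output like the line quoted in the question and counts resets per cause, which shows at a glance which peers are being reset and why. The capture lines, addresses and listener name are constructed for illustration; only the rst_cause string is taken from the post.

```python
import re
from collections import Counter

# Constructed capture text (documentation addresses, made-up listener name).
# Only the rst_cause string itself is taken from the post above.
SAMPLE_CAPTURE = """\
10:15:01.100 IP 198.51.100.7.51514 > 203.0.113.10.443: Flags [S], seq 1000, length 0 in slot1/tmm0 lis=/Common/vs_ssl
10:15:01.204 IP 203.0.113.10.443 > 198.51.100.7.51514: Flags [R.], seq 1, ack 518, length 0 out slot1/tmm0 lis=/Common/vs_ssl rst_cause="[0x1ed0a34:5684] iRule execution (reject command)"
10:15:09.877 IP 203.0.113.10.443 > 198.51.100.9.40022: Flags [R.], seq 1, ack 517, length 0 out slot1/tmm1 lis=/Common/vs_ssl rst_cause="[0x1ed0a34:5684] iRule execution (reject command)"
10:15:12.030 IP 203.0.113.10.443 > 198.51.100.9.40030: Flags [R], seq 77, length 0
"""

PACKET_RE = re.compile(r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")
CAUSE_RE = re.compile(r'rst_cause="\[(?P<ref>[^\]]+)\] (?P<cause>[^"]*)"')
NO_CAUSE = "no rst_cause in capture"


def parse_resets(capture_text):
    """Return one record per RST segment in tcpdump text output."""
    resets = []
    for line in capture_text.splitlines():
        pkt = PACKET_RE.search(line)
        if not pkt or "R" not in pkt.group("flags"):
            continue  # not a TCP line, or not a reset
        cause = CAUSE_RE.search(line)
        resets.append({
            "src": pkt.group("src"),
            "dst": pkt.group("dst"),
            # bracketed reference printed in front of the cause text
            "ref": cause.group("ref") if cause else None,
            "cause": cause.group("cause") if cause else NO_CAUSE,
        })
    return resets


def resets_by_cause(resets):
    """Count resets per cause string."""
    return Counter(r["cause"] for r in resets)


def clients_reset_by_irule(resets):
    """Peers that received a reset attributed to iRule execution."""
    return sorted({r["dst"] for r in resets if r["cause"].startswith("iRule execution")})


if __name__ == "__main__":
    found = parse_resets(SAMPLE_CAPTURE)
    for cause, count in resets_by_cause(found).most_common():
        print(f"{count:3d}  {cause}")
    print("reset by iRule:", ", ".join(clients_reset_by_irule(found)))
```

Resets that carry no rst_cause field are counted separately rather than dropped, so a capture taken without that detail is visible in the tally.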