iRule rejects connections but there is no reject command
Hi all,
We have a VS with several SSL sites. There is an iRule which looks like:

    when SERVER_CONNECTED {
        if { $doSSL == 1 } {
            SSL::profile Server-profile1
        } elseif { $doSSL == 2 } {
            SSL::profile Server-profile2
        }
        [...]
        elseif { $doSSL == 9 } {
            SSL::profile Server-profile9
        }
    }
    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "example1.com" {
                SSL::disable serverside
                set doSSL 0
                pool POOL_A_80
            }
            "example2.com" {
                log local0. "hit 2"
                set doSSL 1
                pool POOL_A_443
            }
            [...]
            "problem.here.com" {
                log local0. "hit 9"
                set doSSL 9
                pool POOL_A_443
            }
            default { log local0. "no match" }
        }
    }

We are getting RST from the F5 for https://problem.here.com. Using tcpdump on the outside interface of F5 we got: rst_cause="[0x1ed0a34:5684] iRule execution (reject command)"
But, there is no reject command in the iRule! All the other sites are working like a charm. By the way, we are not getting any log. Thanks in advance!
Add a logging statement to the SERVER_CONNECTED event before the if command to determine whether the exception is being raised from there. If so, place it in the elseif clause before and after the SSL::profile command to determine whether that is the cause. I suspect that BIG-IP doesn't want to connect the profile for one reason or another.

Incidentally, in the SERVER_CONNECTED you can also use a switch:

    when SERVER_CONNECTED {
        log local0. "-- In SERVER_CONNECTED --"
        switch $doSSL {
            "1" { SSL::profile Server-profile1 }
            "2" { SSL::profile Server-profile2 }
            ...
            "9" {
                log local0. " -- doSSL == 9 --"
                SSL::profile Server-profile9
                log local0. " -- after SSL::profile --"
            }
        }
    }
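
A variant of the logging approach above, as an added example that is not code from either post: it checks that doSSL is set before reading it and wraps SSL::profile in catch so the error text is written to the log. It covers only the cases shown in the thread (the elided ones are omitted) and assumes that a failing SSL::profile raises a Tcl error that catch can trap.

```tcl
when SERVER_CONNECTED {
    # doSSL is only set in the matched HTTP_REQUEST branches; the default
    # branch only logs, so check that the variable exists before reading it.
    if { ![info exists doSSL] } {
        log local0. "SERVER_CONNECTED: doSSL not set, server [IP::server_addr]:[TCP::server_port]"
        return
    }
    log local0. "SERVER_CONNECTED: doSSL=$doSSL"

    # Map the flag to a profile name (only the cases shown in the thread).
    switch -- $doSSL {
        "0" { return }
        "1" { set profile Server-profile1 }
        "2" { set profile Server-profile2 }
        "9" { set profile Server-profile9 }
        default {
            log local0. "SERVER_CONNECTED: unexpected doSSL=$doSSL"
            return
        }
    }

    # Assumption: a failing SSL::profile raises a Tcl error that catch can trap.
    if { [catch { SSL::profile $profile } err] } {
        log local0. "SSL::profile $profile failed: $err"
    } else {
        log local0. "SSL::profile $profile applied"
    }
}
```

If none of these lines appear in the log for the failing site, the reset is being generated before SERVER_CONNECTED runs.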