Cisco2F5_16233
Jan 05, 2012 Nimbostratus
iRule / SSL Profile Issue
Basically, I have a Web-facing VIP with a real-world IP for some of our HTTPS transactions; because of this we use an auto SNAT. What we are seeing is that when our vendors make a connection, we separate their transactions by source IPs, i.e., Vendor A comes in with 1.1.1.1 and we replace the NETWORK_ALIAS with 1.1.1.1. What is happening is that about half of the 1.1.1.1 get replaced with the F5 Self IP. In addition, in our SSL profile we require Client Authentication (Client Certificate) with the frequency set to once. I have a feeling this might be the issue, but I'm unsure. I was also told that if we changed the frequency to always, then the iRule would need to be redone. Below is the iRule:
when CLIENTSSL_CLIENTCERT {
    # First certificate in the chain presented by the client
    set cert [SSL::cert 0]
    set clientip [IP::remote_addr]
    if { $cert ne "" } {
        log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"
        set hash [X509::hash $cert]
        # Cache the certificate under the SSL session ID for 180 seconds
        session add ssl [SSL::sessionid] $cert 180
    } else {
        log local0. "iRULE:ClientIP:$clientip | Status: No Cert"
        reject
        return
    }
}

when HTTP_REQUEST {
    # $hash is set only on connections where CLIENTSSL_CLIENTCERT fired with a certificate
    if { [info exists hash] } {
        HTTP::header replace NETWORK_ALIAS $hash
        log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"
    }
}
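
The rule above stores the certificate with `session add ssl` but never reads it back, and `$hash` exists only on connections where CLIENTSSL_CLIENTCERT fired with a certificate. The following is an added example, not part of the original post, that looks the certificate up by SSL session ID in HTTP_REQUEST. It assumes that the requests missing the header arrive on resumed SSL sessions (no new certificate exchange under frequency "once"), which the post suspects but does not confirm.

```tcl
# Added example (not the poster's code). Assumes the same clientssl profile:
# client certificate required, frequency "once".
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0. "iRULE:ClientIP:[IP::remote_addr] | Status: No Cert"
        reject
        return
    }
    # Cache the certificate under the SSL session ID, as the original rule does.
    # 180 s is the poster's value; a resumed session that outlives this entry
    # will find nothing in HTTP_REQUEST below.
    session add ssl [SSL::sessionid] [SSL::cert 0] 180
}

when HTTP_REQUEST {
    # Never forward a NETWORK_ALIAS value supplied by the client.
    HTTP::header remove NETWORK_ALIAS

    # Resolve the certificate from the session table on every request, so a
    # connection that resumed an SSL session is handled the same way as one
    # that performed a full handshake.
    set cert ""
    set sid [SSL::sessionid]
    if { $sid ne "" } {
        set cert [session lookup ssl $sid]
    }
    if { $cert eq "" } {
        log local0. "iRULE:ClientIP:[IP::remote_addr] | Status: No cached cert, rejecting"
        reject
        return
    }
    HTTP::header insert NETWORK_ALIAS [X509::hash $cert]
}
```

Logging the "No cached cert" branch alongside the existing "Cert Sent" line shows whether the affected requests line up with connections that skipped the certificate exchange.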