Forum Discussion
iRule to exit APM and redirect to another pool member
What I am doing is I would like to have a single front-end IP address that redirects to pools based on [HTTP::host]. The virtual server is APM enabled and I would like to send directly to the pool bypassing the APM. The pool members are listening on port 80 and HTTPS. For some reason this isn't working and I just get a connection reset with server when trying in a browser. The URI and LTM logging works so it's definitely grabbing the right querystring.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "sso.company.com" {
            # Skip APM access policy processing for this request
            ACCESS::disable
            # Do not use SSL toward the pool member
            SSL::disable serverside
            if { [HTTP::uri] contains "service=" } {
                log local0.notice "URI matches and is: [HTTP::uri]"
                pool sso-company-com-http
            }
        }
    }
}
11 Replies
- kunjan
Nimbostratus
The pool members are listening on port 80 and HTTPS.
SSL::disable serverside
When it hits the pool, is it going to the SSL member in the pool with SSL::disable on the server side?
Maybe you can take out the access profile and do an isolation test, as the iRule doesn't depend on APM.
- Rabbit23_116296
Nimbostratus
Sorry, my bad, I meant to edit my post. The pool members are listening on HTTP only. If I have another virtual server that is not APM enabled that is listening on port 443 with a client SSL profile, it works perfectly.
Might be worth mentioning no matter what I try with SSL::disable, or even within my APM enabled iRule, I can't even redirect to another pool member in the same partition.
- Cory_50405
Noctilucent
Can you post your virtual server configuration? Just trying to see if you have a client SSL profile and HTTP profile applied to your virtual server.
- Rabbit23_116296
Nimbostratus
ltm virtual saml-master-internal {
    destination 10.10.10.147:https
    ip-protocol tcp
    mask 255.255.255.255
    partition SSO
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/rba { }
        /Common/tcp { }
        /Common/websso { }
        SAML-MASTER { }
    }
    rules {
        saml-master
    }
    source 0.0.0.0/0
    vs-index 91
}
- Cory_50405
Noctilucent
If your pool members aren't SSL enabled and you aren't specifying an SSL server profile, then you shouldn't need to disable SSL in your iRule.
Have you tried capturing traffic between your BIG-IP and the pool members to see what may be going on?
- Rabbit23_116296
Nimbostratus
Yeah, that's what I thought. I wasn't doing re-encryption on the APM enabled VS either, so that will be the next thing I try, thanks :)
- Rabbit23_116296
Nimbostratus
From a tcpdump on the internal interface using command:
tcpdump -i internal dst host 10.186.168.98
Output:
11:19:44.971822 IP 10.155.151.4.61147 > lhr4-webapp-01.stuff.com.http: S 3988578560:3988578560(0) win 4380
11:19:45.971537 IP 10.155.151.4.61147 > lhr4-webapp-01.stuff.com.http: S 3988578560:3988578560(0) win 4380
So the 10.155.151.4 is my client IP address and yes it just simply does not connect. I am assuming it's the access profile that's getting in the way.
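Added example, not part of the original thread: a small parser for the classic tcpdump text format shown above that flags flows whose initial SYN was sent more than once and reports whether a SYN-ACK for the flow appears in the same capture. A capture filtered with `dst host` only contains packets sent toward that host, so replies cannot appear in it either way; the function name and result fields are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two capture lines quoted in the post above.
SAMPLE = """\
11:19:44.971822 IP 10.155.151.4.61147 > lhr4-webapp-01.stuff.com.http: S 3988578560:3988578560(0) win 4380
11:19:45.971537 IP 10.155.151.4.61147 > lhr4-webapp-01.stuff.com.http: S 3988578560:3988578560(0) win 4380
"""

# Classic tcpdump text line: time, "IP", src.port > dst.port:, flags, seq:seq(len)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRWE.]+) (?P<seq>\d+):\d+\(\d+\)"
)

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_syn_retransmits(text):
    """Return one record per flow whose initial SYN was sent more than once."""
    syns = defaultdict(list)   # (src, dst, seq) -> timestamps of bare SYNs
    answered = set()           # (src, dst) flows for which a SYN-ACK was seen
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["flags"] != "S":
            continue
        if " ack " in line:
            # SYN-ACK travels in the reverse direction; store the flow it answers
            answered.add((m["dst"], m["src"]))
        else:
            syns[(m["src"], m["dst"], m["seq"])].append(to_seconds(m["ts"]))
    results = []
    for (src, dst, seq), times in syns.items():
        if len(times) > 1:  # same sequence number resent: no reply reached the sender
            results.append({
                "src": src, "dst": dst, "seq": seq,
                "attempts": len(times),
                "gap_s": round(times[-1] - times[0], 3),
                "syn_ack_seen": (src, dst) in answered,
            })
    return results

if __name__ == "__main__":
    for record in find_syn_retransmits(SAMPLE):
        print(record)
```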
- Cory_50405
Noctilucent
I see there is no SNAT. Do the pool members have a route back to the client via the BIG-IP?
- Rabbit23_116296
Nimbostratus
Yeah the pool members have a route back to the client as the moment I use another virtual server (same network) that is not APM enabled with no default pool, the irule works just fine.