Forum Discussion

BenJ's avatar
BenJ
Icon for Nimbostratus rankNimbostratus
Mar 28, 2024

iRule to Log When Pool Member does not Respond to HTTP Request

Hi,

We're currently trying to troubleshoot an application issue and are using an HSL iRule to send logs to Splunk to help us. The iRule we're using works for most circumstances, however we're not sure how to ensure a log gets created in the event the F5 is able to create a TCP connection to the pool member, but the pool member never responds to the subsequent HTTP request that is sent over that TCP connection (ie. failure of processing by the pool member).

Right now, the iRule will successfully send a log to Splunk when a connection is handled by the F5 and passed through to the pool member and the pool member sends a response. The HTTP_RESPONSE event is the trigger to send the log in this case.

The iRule fails to send any logs if there is never a HTTP_RESPONSE received. The event we're currently using to try and catch the error condition is LB_FAILED, but in reading many posts on this event I suspect this will only fire if the TCP connection fails and doesn't relate at all to the HTTP request that uses the TCP connection as transport.

Not having a great deal of experience with iRules, I was hoping someone could suggest how best to alter our approach to also trigger a log message when the pool member does not respond to the HTTP request?

Current logic:

  • At clientside TCP connection time, create timestamp
  • When the HTTP request comes through, collect specific header values
  • If the HTTP request gets a response, collect status, and some stats
    • Send log to Splunk
    • End
  • If LB_FAILED event fires
    • Send log to Splunk
    • End
  • If any other condition (ie. no HTTP_RESPONSE and no LB_FAILED), no log message gets created

Please let me know if there's more info needed to assist and thanks in advance for any help offered.

 

4 Replies

  • Is this something that happens few and far between? You might consider performing a tcpdump if this is something that happens regularly and then you can open this up in wireshark and see exactly what's going on.

    • BenJ's avatar
      BenJ
      Icon for Nimbostratus rankNimbostratus

      Hi Paulius,

      Yes, unfortunately, this is something that happens intermittently, but at least daily. We've tried tcpdump captures a few times but never managed to catch one. There's no discernible pattern to the occurrences. 

      Regardless, providing end-to-end visibility of a transactions progress through the various layers of the network is still a really valuable outcome. Understanding that the F5 has passed a transaction onto the pool member but never received a response is certainly a useful troubleshooting tool, especially in our case where we have no access to the pool members themselves.

  • If the pool member never responds to the HTTP requests sent from F5 over an open TCP connection, the F5 will ultimately close this connection*, so you can try something like:

    set http_data_received 0

    when HTTP_RESPONSE {

       set http_data_received 1

    }

    when SERVER_CLOSED {

      if (not (http_data_received)) {

       #splunk logic here

      }

    }

    * not sure what is the behavior for keep-alive connections

     

    • BenJ's avatar
      BenJ
      Icon for Nimbostratus rankNimbostratus

      Thank you Amine. Apologies for the belated reply. I did try to respond as soon as I received your message but was unable to login to the community forum for some reason.