mplaksin0
Oct 18, 2022

irule uri traffic redirection failing

Hello team,

I have to implement an iRule to redirect traffic based on URL.

So I made the following code:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/specialurl" } {
            snatpool /NAT_Outside
            pool /Apps_pool
            log local0. "[IP::client_addr] Ingreso a [HTTP::uri]"
        }
    }

The iRule works fine, but the owner of the application says that when the app (programmed in AJAX) calls another URI of the website, the service gets stuck in the pool "/App_pool".

I tried with an LTM policy and got the same behavior.

Has anyone had a similar case?

  • mplaksin0 First I would create a /32 netmask OneConnect profile and associate it with the virtual server in question. After you have done that, use the following iRule configuration, replacing whatever you might want to match in the if statement but leaving everything else, and that should solve your issue.

    when CLIENT_ACCEPTED {
    
        set DEFAULT_POOL [LB::server pool]
    
    }
    
    when HTTP_REQUEST {
    
        if { [HTTP::uri] starts_with "/specialurl" } {
            snatpool NAT_Outside
            pool Apps_pool  
            log local0. "[IP::client_addr] Ingreso a [HTTP::uri]"
        } else {
            pool $DEFAULT_POOL
        }
    
    }
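
The OneConnect step from the answer above, written out as tmsh commands. This is an added example, not part of the original post: the profile name oneconnect_32 and the iRule name irule_specialurl are hypothetical, while the virtual server GOL and the partition Proyectos are the ones shown in the listings further down the thread.

```tmsh
# Added example. oneconnect_32 and irule_specialurl are hypothetical names;
# virtual server GOL in partition Proyectos is taken from the thread.

# 1. Create a OneConnect profile with a /32 (255.255.255.255) source mask.
create ltm profile one-connect /Proyectos/oneconnect_32 defaults-from /Common/oneconnect source-mask 255.255.255.255

# 2. Associate the profile with the virtual server.
#    "profiles add" keeps the profiles that are already attached.
modify ltm virtual /Proyectos/GOL profiles add { /Proyectos/oneconnect_32 }

# 3. Attach the iRule that selects a pool on every request.
#    This form replaces the virtual server's current list of rules.
modify ltm virtual /Proyectos/GOL rules { /Proyectos/irule_specialurl }

# 4. Confirm that the profile and the rule are both on the virtual server.
list ltm virtual /Proyectos/GOL profiles rules
```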
    • mplaksin0

      I did a similar configuration, and it is true it works correctly. In the VS, use App_Pool as the default pool. In the iRule, indicate that if it "does not contain" /app_pool, redirect to the default pool, and it started to work.

  • Is the app using BIG-IP as its default gw?

     

    Can you paste a tmsh list of the VIP?

  • What is the default pool? Isn't it "App_pool"?

    Where are other URIs configured to go?
    Probably the config of the VIP will help us figure it out.

    • mplaksin0

      The default pool isn't App_pool.

      The gateway of the VM of the default pool is this BIG-IP, and App_Pool is the IP of a virtual server on another BIG-IP that is at another point of the network (we reach it via routing).

      I attach the list.

      I tried a policy that says "if the URI contains /specialurl, forward traffic to pool App_Pool" and got the same behavior.

      Maybe I can try to set the default pool as App_Pool and use a policy with "not contains /specialurl, forward traffic to pool GOL (default)".

       

      security presentation tmui virtual-list /GOL {
      dos-status none
      server {
      attack-status none
      bandwidth-bps 152744
      bandwidth-cps 0
      bandwidth-pps 66
      description none
      dst-addr x.x.x.x%12
      dst-port https
      evicting-active false
      eviction-policy none
      http-auto-threshold Disabled
      http-behavioral-signature-dos Disabled
      ip-intelligence-policy none
      l4-protocol 6
      l7-protocol http
      mask 255.255.255.255
      max-bandwidth-bps 4294967295
      max-bandwidth-cps 0
      max-bandwidth-pps 4294967295
      name /GOL
      netflow-profile none
      network-auto-threshold Disabled
      network-behavioral-signature-dos Disabled
      route-doman 12
      scrub-monitored false
      scrubbable-advertisement-method none-method
      scrubbable-bandwith-threshold 4294967295
      scrubbing-active false
      src-addr 0.0.0.0%12/0
      src-port any
      stress-level 0
      traffic-type inline
      }
      vlans none
      }

  • Do a: list virtual "name of the vip" on both BIG-IPs.

    for /specialurl: BIGip1 (VIP, pool: Apps_pool) -> BIGip2 (VIP: GOL)

    for anything else: ????

     

    • mplaksin0

      Hi mihaic,

      Let me see if this is OK. I have no access to the specialurl BIG-IP. It is owned by another team. The iRule is not applied at this time, but it was yesterday on virtual GOL.

      Thanks

      ltm virtual /GOL {
      destination /x.x.x.x%12:https
      ip-protocol tcp
      last-modified-time 2022-10-18:14:15:01
      mask 255.255.255.255
      partition Proyectos
      persist {
      source_addr {
      default yes
      }
      }

      pool /pool_gol
      profiles {
      Fec {
      context clientside
      }
      Tec {
      context clientside
      }
      http { }
      serverssl-insecure-compatible {
      context serverside
      }
      tcp-lan-optimized {
      context clientside
      }
      tcp-wan-optimized {
      context serverside
      }
      }
      source 0.0.0.0%12/0
      source-address-translation {
      type automap
      }
      translate-address enabled
      translate-port enabled
      vs-index 137
      }

      ltm pool /apps_pool {
      members {
      /VS_OUTSIDE_F5:https {
      address x.x.x..x%12   <--- This IP is from the BIG-IP that I have no access to.
      session monitor-enabled
      state up
      }
      }
      monitor gateway_icmp
      partition Proyectos
      }