Forum Discussion
LB_Failed when serverssl profile is used
I have a VS that is doing SSL offloading and re-encrypting to some URIs using iRules. The problem I'm having is that I get a LB_Failed event in my logs when going to the unencrypted pool/"http_pool". If I remove the serverssl profile from the VS then it works fine and I don't get any events logged. The problem loading the page seems to be intermittent; sometimes it works just fine, other times I have the error. (Of course my re-encryption doesn't work, which is fine during my testing.)
Also, I noticed that when in this error condition, using Firefox/Firebug to look at the HTTP data, the POST doesn't time out until 60 seconds have passed. If I adjust the "Handshake Timeout" on the serverssl profile to, say, 10 seconds, then it still fails, but after 10 seconds vs. the 60 seconds.
I did a tcpdump to see what was coming into the F5 and going out to the servers. What I think I noticed is that the POST coming into the VS isn't being sent to the server correctly... it's not sending the POST correctly to the intended http_pool member.
BigIP version 9.4.5
b rule test_https_irule '{
    when HTTP_REQUEST {
        set http_uri [HTTP::uri]
        set http_host [HTTP::header "Host"]
        set client_addr [IP::client_addr]
        if { [HTTP::uri] starts_with "/http" } {
            SSL::disable serverside
            use pool http_pool
        }
        elseif { [HTTP::uri] starts_with "/https" } {
            use pool https_pool
        }
        else {
            SSL::disable serverside
            use pool http_pool_default
        }
    }
}
virtual test_https '{
    destination 10.10.10.1:443
    ip protocol 6
    rules
        header_insert_https_indicator
        test_https_irule
    profiles
        http_redirect_rewrite_profile
        serverssl
        tcp-lan-optimized serverside
        tcp-wan-optimized clientside
        wildcard_worldkat.dev.oclc.org clientssl profile
}
Thanks for looking and for any advice/direction!!
Leonardo
7 Replies
- hoolio
Cirrostratus
Hi Leonardo,
Do you have port and address translation enabled on the virtual server? I don't remember what the defaults are for these two settings in 9.4.x.
Aaron
- hoolio
Cirrostratus
Also, a URI of /https would match the first check in your rule for a URI starting with /http. You might want to check for /https first if those are the literal URI tokens you're testing with.
Aaron
- hoolio
Cirrostratus
...
- Michael_Yates
Nimbostratus
Could you send us what the error is that you are seeing in the LTM Log?
This is what Hoolio is suggesting:
when HTTP_REQUEST {
    set http_uri [HTTP::uri]
    set http_host [HTTP::header "Host"]
    set client_addr [IP::client_addr]
    if { [HTTP::uri] starts_with "/https" } {
        use pool https_pool
    } elseif { [HTTP::uri] starts_with "/http" } {
        SSL::disable serverside
        use pool http_pool
    } else {
        SSL::disable serverside
        use pool http_pool_default
    }
}
- Leonardo_39231
Nimbostratus
Hi Leonardo,
Do you have port and address translation enabled on the virtual server? I don't remember what the defaults are for these two settings in 9.4.x.
I'm not 100% sure I understand your question... I do have SNAT set up that translates everything to 1 IP address when going to the server side. The VS does sit at port 443 and the pool servers are on port 20500.
Also, a URI of /https would match the first check in your rule for a URI starting with /http. You might want to check for /https first if those are the literal URI tokens you're testing with.
Sorry, the iRule code isn't what I have on the LTM; it was pseudo code, of which I didn't do a very good job of ordering the if statements. I just used http & https as examples, but that isn't what I'm actually looking for in my rule.
Could you send us what the error is that you are seeing in the LTM Log?
I have a log iRule on the VS that, if there is a LB_Failed event, spits out the VS name, pool name, server name & port, client addr, protocol & port, VS IP and port.
Example:
/var/log/user.log.1.gz:Sep 11 15:06:23 tmm tmm[1678]: Rule log_http_kco : VS:ocwms.worldkat.dev.oclc.org; pool:worldkat_opensocial_20500 10.10.10.18 20500; IP client addr:132.174.33.127; TCP client port:56008; IP local addr 132.174.87.139; TCP local port:443
As always thanks!!
Leonardo
- nathe
Cirrocumulus
Leonardo
If I understand the issue correctly, it's the SSL::disable serverside command failing, as you see the fail event following the timeout value of the server SSL profile you're trying to disable.
I see from AskF5 that there was an issue with the SSL::disable command in 9.x versions of LTM, but 9.4.5 should've corrected this. I can't see any other references in newer version release notes.
With all this in mind, is it worth disabling the SSL profile using the SERVER_CONNECTED event, something on the lines of the 2nd example in the SSL::disable wiki:
https://devcentral.f5.com/wiki/iRules.ssl__disable.ashx
Hope this helps,
N
- Leonardo_39231
Nimbostratus
I tried disabling the SSL in SERVER_CONNECTED event and looks like it's working now! Thanks for the suggestion Nathan and thanks for everyone else's input. Not sure why it didn't work the other way but I'm happy to have a way for this to work as expected. Thanks everyone!
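For readers landing here with the same symptom, this is an added example (not the original poster's or F5's own configuration) of the approach the thread converged on: choose the pool in HTTP_REQUEST, check the longer "/https" token before "/http", and disable the server-side SSL profile only in SERVER_CONNECTED. Pool names are taken from the thread; the `reencrypt` variable and the LB_FAILED log format are assumptions.

```tcl
# Added example, not the original poster's iRule. Pool names follow the thread;
# the "reencrypt" flag and the LB_FAILED log line are assumptions.
when CLIENT_ACCEPTED {
    # Reset the per-connection flag so an earlier request's decision cannot leak
    # into a later request on the same keep-alive connection.
    set reencrypt 0
}

when HTTP_REQUEST {
    # Check "/https" first: a URI starting with "/https" also starts with "/http".
    if { [HTTP::uri] starts_with "/https" } {
        set reencrypt 1
        pool https_pool
    } elseif { [HTTP::uri] starts_with "/http" } {
        set reencrypt 0
        pool http_pool
    } else {
        set reencrypt 0
        pool http_pool_default
    }
}

when SERVER_CONNECTED {
    # The server-side TCP connection is established at this point; this is where
    # the thread found SSL::disable serverside to take effect reliably.
    # Cleartext pools get the serverssl profile disabled; https_pool keeps it.
    if { !$reencrypt } {
        SSL::disable serverside
    }
}

when LB_FAILED {
    # Log enough context to correlate a failure with the serverssl handshake
    # timeout (the 60-second delay described in the thread).
    log local0. "LB_FAILED vs=[virtual name] pool=[LB::server pool] member=[LB::server addr]:[LB::server port] client=[IP::client_addr]:[TCP::client_port]"
}
```

SERVER_CONNECTED fires once per server-side connection, so the flag only takes effect when a new server-side connection is opened; when testing, include keep-alive client connections that alternate between "/http" and "/https" paths and confirm in the logs that no LB_FAILED events appear for http_pool.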