Forum Discussion

helm123_141710
Jun 24, 2015

Odd Pool Behavior

I have a fairly simple iRule that acts very oddly. The iRule in question has a URI match (/Broker*) that goes to a Tomcat server. We received complaints that connectivity was failing, and after looking at pool stats it was confirmed that traffic wasn't being sent to the pool/nodes.

    when HTTP_REQUEST {
      # Default so SERVER_CONNECTED never reads an undefined variable
      # when the URI matches none of the switch arms
      set doSSL 0
      # Pick the pool by URI prefix and remember which server-side
      # SSL profile to apply once the server connection is up
      switch -glob [HTTP::uri] {
        "/Broker*" {
          pool Tomcat
          set doSSL 1
        }
        "/Apple*" {
          pool RESTful
          set doSSL 2
        }
      }
    }
    when SERVER_CONNECTED {
      # Tcl needs elseif on the same line as the closing brace of the if
      if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile SSL_1Way
      } elseif { $doSSL == 2 } {
        SSL::enable serverside
        SSL::profile SSL_2Way
      }
    }

So, to check whether the URI match was being seen in the iRule, we added a log statement, and the hit showed up in /var/log/ltm. But still no traffic goes to the pool/nodes.

    when HTTP_REQUEST {
      # Default so SERVER_CONNECTED never reads an undefined variable
      set doSSL 0
      switch -glob [HTTP::uri] {
        "/Broker*" {
          # Log the match so it can be confirmed in /var/log/ltm
          log local0. "Requested VIP: [HTTP::host] Request: [HTTP::uri] Requested from: [IP::client_addr]"
          pool Tomcat
          set doSSL 1
        }
        "/Apple*" {
          pool RESTful
          set doSSL 2
        }
      }
    }
    when SERVER_CONNECTED {
      if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile SSL_1Way
      } elseif { $doSSL == 2 } {
        SSL::enable serverside
        SSL::profile SSL_2Way
      }
    }

Next we created a new pool that was a duplicate of Tomcat with the name Tomcat2. Exactly the same pool, with the only difference being the name. We also created a new URI match of /Test and sent it to the old pool Tomcat, fully expecting a 404 for the new match. I also made sure to add logging in the iRule, and this time I ran a tcpdump on the F5. When I hit the URI /Broker, which now goes to Tomcat2, it works; hitting /Test doesn't work, and there are no hits to the pool/node, like before. I do see both /Broker and /Test in /var/log/ltm. The tcpdump shows that the traffic indeed went to the new Tomcat2 pool node, but the old Tomcat pool shows no traffic going to the node. Simply changing the pool name fixed this. I believe I'm going to have to put in a ticket with F5 on this. We're currently running 11.6.0 build 1.0.403.

    when HTTP_REQUEST {
      # Default so SERVER_CONNECTED never reads an undefined variable
      set doSSL 0
      switch -glob [HTTP::uri] {
        "/Broker*" {
          log local0. "Requested VIP: [HTTP::host] Request: [HTTP::uri] Requested from: [IP::client_addr]"
          # Duplicate of the Tomcat pool, differing only in name
          pool Tomcat2
          set doSSL 1
        }
        "/Apple*" {
          pool RESTful
          set doSSL 2
        }
        "/Test*" {
          log local0. "Requested VIP: [HTTP::host] Request: [HTTP::uri] Requested from: [IP::client_addr]"
          # Test arm that still points at the original Tomcat pool
          pool Tomcat
          set doSSL 1
        }
      }
    }
    when SERVER_CONNECTED {
      if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile SSL_1Way
      } elseif { $doSSL == 2 } {
        SSL::enable serverside
        SSL::profile SSL_2Way
      }
    }
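The post above relies on two things that are easy to get subtly wrong when troubleshooting: how `switch -glob` matches a URI (first matching arm wins, case-sensitive, prefix glob so `/Testing` also hits `/Test*`), and reconciling the `/var/log/ltm` lines with what the pool stats show. The following is an added example, not F5 code and not from the original post: it models the iRule's dispatch in Python (assuming Tcl's glob matching behaves like `fnmatch.fnmatchcase`, which holds for the patterns used here) and counts, per pool, the requests a set of constructed log lines would have been sent to. The `ROUTES` table, the log-line format and the sample entries are assumptions based on the third iRule in the post; the `UNMATCHED` bucket covers URIs that hit no arm, where the posted iRule would leave `doSSL` undefined.

```python
"""Model of the URI-to-pool dispatch from the iRule above (added example)."""
import fnmatch
import re
from collections import Counter

# Same arms and order as the third iRule in the post; Tcl's switch takes
# the first arm that matches, so order matters.
ROUTES = [
    ("/Broker*", "Tomcat2", 1),   # doSSL 1 -> SSL_1Way on the server side
    ("/Apple*",  "RESTful", 2),   # doSSL 2 -> SSL_2Way on the server side
    ("/Test*",   "Tomcat",  1),
]


def select_pool(uri):
    """Return (pool, doSSL) for a request URI.

    fnmatchcase is case-sensitive and '*' matches '/' as well, which is how
    'switch -glob' treats these patterns.  A URI that matches nothing returns
    (None, 0); in the posted iRule doSSL would simply be unset in that case.
    """
    for pattern, pool, do_ssl in ROUTES:
        if fnmatch.fnmatchcase(uri, pattern):
            return pool, do_ssl
    return None, 0


# Matches the text the iRule's log statement writes (constructed format).
LOG_RE = re.compile(
    r"Requested VIP: (?P<host>\S+) Request: (?P<uri>\S+) Requested from: (?P<client>\S+)"
)


def pool_hits_from_log(lines):
    """Count, per pool, the logged requests the switch would have dispatched.

    Lines that do not carry the iRule's log text are ignored, so the input can
    be a raw slice of /var/log/ltm.  Compare the result against the pool
    statistics: a pool with logged hits but zero traffic is the symptom in the
    post.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        pool, _ = select_pool(m.group("uri"))
        counts[pool or "UNMATCHED"] += 1
    return counts


# Constructed sample log lines in the shape the iRule's log statement emits.
SAMPLE_LOG = [
    "Jun 24 10:00:01 bigip info tmm[1234]: Rule /Common/odd_pool <HTTP_REQUEST>: "
    "Requested VIP: app.example.com Request: /Broker/status Requested from: 10.0.0.5",
    "Jun 24 10:00:02 bigip info tmm[1234]: Rule /Common/odd_pool <HTTP_REQUEST>: "
    "Requested VIP: app.example.com Request: /Broker/health Requested from: 10.0.0.6",
    "Jun 24 10:00:03 bigip info tmm[1234]: Rule /Common/odd_pool <HTTP_REQUEST>: "
    "Requested VIP: app.example.com Request: /Test/ping Requested from: 10.0.0.7",
    "Jun 24 10:00:04 bigip info tmm[1234]: Rule /Common/odd_pool <HTTP_REQUEST>: "
    "Requested VIP: app.example.com Request: /other Requested from: 10.0.0.8",
    "Jun 24 10:00:05 bigip notice mcpd[999]: unrelated message with no request",
]

if __name__ == "__main__":
    for uri in ("/Broker/status", "/broker/status", "/Testing", "/Apple/x", "/other"):
        print(uri, "->", select_pool(uri))
    print(pool_hits_from_log(SAMPLE_LOG))
```

Run it as-is to see the dispatch for a few URIs and the per-pool counts for the sample lines; feed `pool_hits_from_log` the real `/var/log/ltm` lines to get the number of requests the iRule believed it sent to each pool, which is the figure to set beside the pool statistics and the tcpdump.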