Forum Discussion
Yozzer
Nimbostratus
Jul 08, 2012
Pool not called
Hi
Is there any other configuration I need to perform to get the following iRule to trigger correctly:
when HTTP_REQUEST {
    if {[HTTP::uri] contains "/test/"} {
        log -noname local0. "should go to pool"
        pool https_pool
    }
}
The log command is executing (so I know the if command is being triggered) and the request is being sent to the https_pool pool but no response comes back from the server. I know the pool member is correct as when I change it I get a compilation error.
I added the following and I can see that the correct pool has been selected and the pool is up and accessible:
when LB_SELECTED {
    log local0. "Selected server: [LB::server]"
}
when LB_FAILED {
    log local0. "Selected server: [LB::server]"
}
ASM is being used but the page I want to access has no restrictions.
I want requests to /test/ to go to a different pool which will handle the user's login and then set the cookie for the same domain.
Thanks
23 Replies
- nitass
Employee
can you try something like this?
[root@ve10:Active] config b virtual bar list
virtual bar {
    snat automap
    destination 172.28.19.79:443
    ip protocol 6
    rules myrule
    profiles {
        http {}
        serverssl {
            serverside
        }
        tcp {}
        test {
            clientside
        }
    }
}
[root@ve10:Active] config b profile test list
profile clientssl test {
    defaults from clientssl
}
[root@ve10:Active] config b rule myrule list
rule myrule {
    when HTTP_REQUEST {
        SSL::disable serverside
        if {[HTTP::uri] contains "/test/"} {
            SSL::enable serverside
            pool https_pool
        } else {
            pool http_pool
        }
    }
}
[root@ve10:Active] config b pool https_pool list
pool https_pool {
    members 200.200.200.102:443 {}
}
[root@ve10:Active] config b pool http_pool list
pool http_pool {
    members 200.200.200.101:80 {}
}
- Yozzer
Nimbostratus
have added in the ssl enable disable commands but still get connection reset.
- nitass
Employee
> have added in the ssl enable disable commands but still get connection reset.
so, I think you may have to capture packets.
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y
x.x.x.x is virtual server ip
y.y.y.y is pool member ip
- Yozzer
Nimbostratus
I can do that tomorrow. What are the possible issues that I can identify from the capture?
Thanks
- nitass
Employee
> i can do that tomorrow. what are the possible issues that i can identify from the capture?
I am not sure, but the above configuration works fine in my lab. I expect to see who is initially sending the reset, and why, from the packet capture.
- Yozzer
Nimbostratus
So the browser talks over HTTPS to the Virtual and then talks to the default pool over HTTP. So I think the reset connection is due to the virtual not being able to talk HTTPS to the HTTPS pool due to the SNAT automap and certificate isn't configured.
Can this be configured in the irule?
Thanks
- hoolio
Cirrostratus
If you want LTM to use serverside SSL for the HTTPS pool, Nitass' latest iRule should work. The servers in the HTTPS pool would need to be configured to accept SSL handshake attempts.
Aaron
- Yozzer
Nimbostratus
Thanks
- nitass
Employee
> So if we didn't set the serverssl server side in the virtual settings can it be defined in the irule to use a certain certificate?
I understand it is not possible. We have to assign an SSL profile to the virtual and disable/enable it through the iRule.
- Yozzer
Nimbostratus
Hi
For this part of the irule when it calls the https_pool:
if {[HTTP::uri] contains "/test/"} {
    SSL::enable serverside
    pool https_pool
} else {
    pool http_pool
}
In the past I have been setting the load balancing Default Persistence Profile to source addr on the vip and round robin on the pool. Is there a way to set Default Persistence Profile source addr stickiness on a pool which is a different method of persistence set on the vip?
Is it best to use the example in this link?:
https://devcentral.f5.com/Forums/tabid/53/aft/32528/Default.aspx32528