Forum Discussion

Greg_33558's avatar
Greg_33558
Icon for Nimbostratus rankNimbostratus
May 19, 2015

(Some) iRule 'HTTP::header remove' causes TCL error following 11.6 HF4 upgrade

We upgraded our proxy from 11.6 HF3 to 11.6 HF4 last week, and immediately started seeing these errors related to one of our iRules:

 

May 19 10:56:29 f5-proxy1 err tmm[16515]: 01230140:3: RST sent from 10.10.12.49:443 to 192.168.1.136:42865, [0x1eb6bf8:1288] iRule execution error
May 19 10:56:29 f5-proxy1 err tmm[16515]: 01220001:3: TCL error: /Common/sanitize_http  - Operation not supported (line 22)     invoked from within "HTTP::header remove $header"     ("foreach" body line 15)     invoked from within "foreach header [HTTP::header names] {         if { $log_level >= $static::LOG_LEVEL_NOTICE } {

This code was working before the HF4 upgrade, and still works for a large set of clients. But a subset of clients fail reliably.

 

I have not yet been able to gather inputs for comparison, and frankly am just hoping that someone will know of something with HF4 that causes this and be able to point me to a workaround or fix. I'll continue digging on this end, and will update if I find out more.

 

Update:

 

HF4 does not appear to be part of the problem -

 

The iRule errors in question are caused because the application backend is not available, but iRules are processing anyway. The attempt to modify the header is apparently at odds with the way the F5 is going to bounce the request.

 

I have not been able to make anyone 'fess up to a correlation between the HF4 upgrade timing and the backend for this particular application being taken offline, but that's the most likely candidate for why it seemed to appear with HF4.

 

(The problem would presumably be alleviated were the Virtual correctly configured for Availability Monitoring, so I'm pushing to get that straightened out.)

 

  • Hi Greg,

     

    Are you sure that the ONLY change in your F5 configuration was the upgrade from HF3 to HF4?

     

    "Operation not supported" error usually happens if you are trying to modify the headers AFTER another iRule assigned to the same virtual server (or the same iRule but elsewhere in the code) has already responded/closed or redirected this request.

     

    This potentially might explain why you see this issue intermittently - if your iRule redirects some users based on some user-specific criteria (e.g. URL or a cookie) - these users will have their connections reset and TCL error "Operation not supported" logged.

     

    Hope this helps,

     

    Sam