Forum Discussion
TCL Error possibly causing TCP Resets?
Good day all,
Thanks for taking the time to read and hopefully respond with helpful suggestions on my issue. We are experiencing random TCP Reset / "forcibly closed connection" issues from Windows web application servers to our iPaaS DB servers, and we are investigating traffic routing and a few other options. I've also recently discovered these "TCL Errors..." in our logs. An Internet search suggests that improper iRules with [LB::server pool] configuration could cause TCP Resets.
Based on the image of the logs below and the portion of the iRule that the logs reference, what is potentially incorrect with my code on lines 1 and 282?
iRule Lines 1 - 52:
when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return }
    # X-Forwarded header clean-up
    if { [HTTP::header exists "X-Forwarded-Host"] } {
        HTTP::header remove X-Forwarded-Host
    }
    # Drop requests whose User-Agent matches the blocklist data group
    if { [class match -- [string tolower [HTTP::header "User-Agent"]] contains "/Common/user_agent_blocklist"] } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked. from: [IP::client_addr]"
        drop
    }
    # Drop claudebot for the hosts listed in the claudebot data group
    if { [class match [string tolower [HTTP::host]] contains "/Common/user_agent_block_list_claudebot"] && [string tolower [HTTP::header "User-Agent"]] contains "claudebot" } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked from: [IP::client_addr] for domain [HTTP::host]"
        drop
    }
    # Reset connections carrying a blocked Referer
    if { [HTTP::header "Referer"] contains "https://darknet-markets-onion.com" } {
        log local0. "Referer [HTTP::header "Referer"] is blocked. from: [IP::client_addr]"
        reject
    }
    # Internal API path: only clients in the address data group may reach it
    if { [string tolower [HTTP::path]] contains "<redacted>" && (![class match [IP::client_addr] equals "/Common/<redacted>"]) } {
        log local0. "TDINTERNALWEBAPI dropping traffic from [IP::client_addr] to [HTTP::host][HTTP::uri]"
        drop
    } elseif { [string tolower [HTTP::uri]] starts_with "/<redacted>" || [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
        if { !( [HTTP::header exists "X-Forwarded-Port"]) } {
            HTTP::header insert X-Forwarded-Port [TCP::local_port clientside]
        }
        pool <pool_name>
        # Static 503 when the data group contains the key "enabled"
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        } elseif { [active_members [LB::server pool]] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        }
    }
iRule Lines 272 - 294:
    } else {
        pool <pool>
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }   ;# (line 282)
        } elseif { [active_members [LB::server pool]] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        }
    }
}
I sincerely appreciate your time and energy in this. Thanks.
- Paul C.
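The log image the poster refers to is not reproduced here. As an added example (written for this page, not the poster's code and not anything from F5), the script below does the triage a practitioner would do on such a log before touching the rule: it parses lines shaped like the BIG-IP /var/log/ltm "01220001:3: TCL error:" records, pulls out the iRule name, the event, the "(line N)" references and the command the interpreter was executing, and groups the errors by failing site so the noisiest one and the source lines it points at stand out. The sample log lines are constructed, and the exact error text, rule names and timestamps in them are assumptions.

```python
import re
import sys

# Constructed sample lines, shaped like BIG-IP /var/log/ltm entries: three
# "01220001:3: TCL error:" records and one ordinary "01220002:5: Rule" line
# produced by an iRule's "log local0." call. None of these come from the
# poster's system; the error text and rule names are assumptions.
SAMPLE_LTM_LOG = """\
Mar  4 10:12:31 bigip1 err tmm[12345]: 01220001:3: TCL error: /Common/web_app_irule <HTTP_REQUEST> - ERR_ARG (line 1)(line 282)   invoked from within "active_members [LB::server pool]"
Mar  4 10:12:32 bigip1 notice tmm[12345]: 01220002:5: Rule /Common/web_app_irule <HTTP_REQUEST>: User_agent BadBot/1.0 is blocked. from: 203.0.113.7
Mar  4 10:12:40 bigip1 err tmm1[12346]: 01220001:3: TCL error: /Common/web_app_irule <HTTP_REQUEST> - ERR_ARG (line 1)(line 282)   invoked from within "active_members [LB::server pool]"
Mar  4 10:13:05 bigip1 err tmm[12345]: 01220001:3: TCL error: /Common/other_irule <HTTP_RESPONSE> - can't read "hdr": no such variable (line 1)(line 17)   invoked from within "HTTP::header insert X-Trace $hdr"
"""

# Header of a TCL error record: rule name, event, then the free-text detail.
TCL_ERR_RE = re.compile(
    r"01220001:3: TCL error: (?P<rule>\S+) <(?P<event>[A-Z_]+)> - (?P<detail>.*)$")
# "(line N)" references the interpreter appends to the detail.
LINE_RE = re.compile(r"\(line (\d+)\)")
# Separator between the error message and the command that raised it.
SPLIT_RE = re.compile(r'\s+(?:invoked from within|while executing)\s+"')
# The failing command itself, quoted after the separator.
CMD_RE = re.compile(r'(?:invoked from within|while executing)\s+"(?P<cmd>[^"]*)"')


def parse_tcl_error(raw):
    """Return the parsed fields of one TCL error line, or None for other records."""
    m = TCL_ERR_RE.search(raw)
    if not m:
        return None
    detail = m.group("detail")
    head = SPLIT_RE.split(detail, maxsplit=1)[0]
    cmd = CMD_RE.search(detail)
    return {
        "timestamp": raw[:15],                      # syslog fixed-width prefix
        "rule": m.group("rule"),
        "event": m.group("event"),
        "message": LINE_RE.sub("", head).strip(),   # error text without line refs
        "lines": [int(n) for n in LINE_RE.findall(head)],
        "command": cmd.group("cmd") if cmd else None,
    }


def summarize(log_lines):
    """Group TCL errors by (rule, event, failing command).

    Grouping by failing site separates a rule line that fires on every
    request from one-off errors, and collects the source lines it points at.
    """
    groups = {}
    for raw in log_lines:
        p = parse_tcl_error(raw)
        if p is None:
            continue
        key = (p["rule"], p["event"], p["command"])
        g = groups.setdefault(key, {"count": 0, "lines": set(), "messages": set(),
                                    "first": p["timestamp"], "last": p["timestamp"]})
        g["count"] += 1
        g["lines"].update(p["lines"])
        g["messages"].add(p["message"])
        g["last"] = p["timestamp"]
    for g in groups.values():
        g["lines"] = sorted(g["lines"])
    return groups


def report(groups):
    """Render the summary as text, most frequent failing site first."""
    out = []
    for (rule, event, cmd), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"{g['count']:4d}x {rule} <{event}> lines {g['lines']} "
                   f"[{g['first']} .. {g['last']}]")
        out.append(f"      command: {cmd}")
        out.append(f"      message: {'; '.join(sorted(g['messages']))}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 tcl_errors.py /var/log/ltm   (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LTM_LOG.splitlines()
    print(report(summarize(lines)))
```

Run against the real log, the count per failing site and its "first .. last" window can be lined up against the times of the TCP resets seen from the application servers, which is the correlation the poster is trying to establish.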
6 Replies
- Injeyan_Kostas
Nacreous
Hello pcourtois
As I see, you are using [LB::server pool] under HTTP_REQUEST.
In this case [LB::server pool] returns the default pool, as no LB selection has happened yet.
So my question is: do you have a default pool configured?
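As an added illustration of the point above (example code written for this page, not the poster's rule and not anything from F5): a small Python audit that walks an iRule's "when" blocks, flags [LB::server pool] used in events that run before the load-balancing decision, and proposes the pool named by the nearest preceding "pool" command in the same event, which is the rewrite the thread ends with. The list of pre-selection events, the sample iRule and its pool names are assumptions, and the brace counting does not special-case braces inside quoted strings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Events that run before the load-balancing decision (LB_SELECTED). In these,
# [LB::server pool] can only report the virtual server's default pool, which
# is empty when no default pool is configured. Assumed list for this example;
# extend it to match the events your rules use.
PRE_LB_EVENTS = {"CLIENT_ACCEPTED", "CLIENTSSL_CLIENTHELLO", "CLIENTSSL_HANDSHAKE",
                 "HTTP_REQUEST", "HTTP_REQUEST_DATA"}

WHEN_RE = re.compile(r"^\s*when\s+([A-Z_]+)\s*(?:priority\s+\d+\s*)?\{")
POOL_RE = re.compile(r"^\s*pool\s+(\S+)")
LB_SERVER_POOL_RE = re.compile(r"\[\s*LB::server\s+pool\s*\]")

# Constructed iRule in the shape of the one in the thread (names are made up).
SAMPLE_IRULE = """\
when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return }
    if { [string tolower [HTTP::uri]] starts_with "/api" } {
        pool web_api_pool
        if { [active_members [LB::server pool]] == 0 } {
            HTTP::respond 503 content "maintenance"
        }
    } else {
        pool web_default_pool
        if { [active_members [LB::server pool]] == 0 } {
            HTTP::respond 503 content "maintenance"
        }
    }
}
when LB_SELECTED {
    log local0. "selected [LB::server pool] member [LB::server addr]"
}
"""


@dataclass
class Finding:
    event: str
    line: int
    text: str
    suggested_pool: Optional[str]   # nearest preceding "pool X" in the same event


def audit_irule(source: str) -> List[Finding]:
    """Flag [LB::server pool] inside events that run before pool selection.

    Event boundaries are found by counting braces line by line after dropping
    comment-only lines; braces inside quoted strings are not special-cased
    (a simplification for this example).
    """
    findings: List[Finding] = []
    event = None
    depth = 0
    last_pool = None
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = "" if raw.strip().startswith("#") else raw
        if event is None:
            m = WHEN_RE.match(line)
            if not m:
                continue
            event, depth, last_pool = m.group(1), 0, None
        pm = POOL_RE.match(line)
        if pm:
            last_pool = pm.group(1)
        if event in PRE_LB_EVENTS and LB_SERVER_POOL_RE.search(line):
            findings.append(Finding(event, lineno, raw.strip(), last_pool))
        depth += line.count("{") - line.count("}")
        if depth == 0:          # closing brace of the "when" block
            event = None
    return findings


def apply_fix(source: str, findings: List[Finding]) -> str:
    """Rewrite flagged lines to query the explicitly selected pool by name."""
    lines = source.splitlines()
    for f in findings:
        if f.suggested_pool:
            idx = f.line - 1
            lines[idx] = LB_SERVER_POOL_RE.sub(lambda _: f.suggested_pool, lines[idx])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_irule(SAMPLE_IRULE)
    for f in found:
        print(f"line {f.line} <{f.event}>: {f.text}")
        print(f"    -> use [active_members {f.suggested_pool}]" if f.suggested_pool
              else "    -> no preceding pool command; name the pool explicitly")
    print(apply_fix(SAMPLE_IRULE, found))
```

The usage in LB_SELECTED is left alone, since by then a pool has been chosen and [LB::server pool] names it; only the pre-selection uses are rewritten to the pool the rule itself just assigned.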
- pcourtois
Cirrus
Thanks for your response. No default pool is configured.
- Injeyan_Kostas
Nacreous
So then it is better to look at the specific pool's active members,
like VGF5 mentions below.
- VGF5
Cumulonimbus
Try this iRule.
when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return }

    # X-Forwarded header clean-up
    if { [HTTP::header exists "X-Forwarded-Host"] } {
        HTTP::header remove X-Forwarded-Host
    }

    # Block specific user agents (blocklist)
    if { [class match -- [string tolower [HTTP::header "User-Agent"]] contains "/Common/user_agent_blocklist"] } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked. From: [IP::client_addr]"
        drop
        return
    }

    # Block Claudebot on specific domains
    if { [class match [string tolower [HTTP::host]] contains "/Common/user_agent_block_list_claudebot"] &&
         [string tolower [HTTP::header "User-Agent"]] contains "claudebot" } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked from: [IP::client_addr] for domain [HTTP::host]"
        drop
        return
    }

    # Block specific referer
    if { [HTTP::header "Referer"] contains "https://darknet-markets-onion.com" } {
        log local0. "Referer [HTTP::header "Referer"] is blocked. From: [IP::client_addr]"
        reject
        return
    }

    # Block or allow based on IP class and path
    if { [string tolower [HTTP::path]] contains "<redacted>" &&
         (![class match [IP::client_addr] equals "/Common/<redacted>"]) } {
        log local0. "TDINTERNALWEBAPI dropping traffic from [IP::client_addr] to [HTTP::host][HTTP::uri]"
        drop
        return
    } elseif { [string tolower [HTTP::uri]] starts_with "/<redacted>" || [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
        # Condition for certain paths
        if { ![HTTP::header exists "X-Forwarded-Port"] } {
            HTTP::header insert X-Forwarded-Port [TCP::local_port clientside]
        }
        # Pool assignment
        pool <pool_name>
        # Check feature flag or maintenance mode
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                return
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                return
            }
        } elseif { [active_members <pool_name>] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                return
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                return
            }
        }
    } else {
        # Default pool assignment
        pool <pool>
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                return
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                return
            }
        } elseif { [active_members <pool>] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                return
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                return
            }
        }
    }
}
- pcourtois
Cirrus
Thank you. I'll give this a try and update the thread once tested/verified. Much appreciated.
- pcourtois
Cirrus
Good day all, thank you so much for the time and energy into this issue. The change was made and now we are no longer seeing the errors. I appreciate all the help. Be well.