Forum Discussion

pcourtois (Cirrus)
Jul 08, 2025
Solved

TCL Error possibly causing TCP Resets?

Good day all,

Thanks for taking the time to read and hopefully respond with helpful suggestions on my issue.  We are experiencing random TCP Reset / Forcibly closed connection issues from Windows Web Application Servers to our iPaaS DB servers and we are investigating traffic routing and a few other options.  I've also recently discovered these "TCL Errors...." in our logs.  Internet search suggests that improper iRules with [LB::server pool] configuration could cause TCP Resets.  

Based on the image of the logs below and the portion of the iRule that the logs reference, what is potentially incorrect with my code on lines 1 and 282?

iRule Lines 1 - 52:

when HTTP_REQUEST {

    if { [HTTP::has_responded] } { return };

    #  X-Forwarded header clean-up
    if { [HTTP::header exists "X-Forwarded-Host"] } {
        HTTP::header remove X-Forwarded-Host
    }

    if { [class match -- [string tolower [HTTP::header "User-Agent"]] contains "/Common/user_agent_blocklist"] } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked. from: [IP::client_addr]"
        drop
    }

    if { [class match [string tolower [HTTP::host]] contains "/Common/user_agent_block_list_claudebot"] && [string tolower [HTTP::header "User-Agent"]] contains "claudebot" } {
        log local0. "User_agent [HTTP::header "User-Agent"] is blocked from: [IP::client_addr] for domain [HTTP::host]"
        drop
    }

    if { [HTTP::header "Referer"] contains "https://darknet-markets-onion.com" } {
        log local0. "Referer [HTTP::header "Referer"] is blocked. from: [IP::client_addr]"
        reject
    }

    if { [string tolower [HTTP::path]] contains "<redacted>" && (![class match [IP::client_addr] equals "/Common/<redacted>"]) } {
        log local0. "TDINTERNALWEBAPI dropping traffic from [IP::client_addr] to [HTTP::host][HTTP::uri]"
        drop
    } elseif { [string tolower [HTTP::uri]] starts_with "/<redacted>" || [string tolower [HTTP::uri]] starts_with "/<redacted>" } {

        if { !( [HTTP::header exists "X-Forwarded-Port"]) } {
            HTTP::header insert X-Forwarded-Port [TCP::local_port clientside]
        }
        pool <pool_name>

        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        } elseif { [active_members [LB::server pool]] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        }
    }

 

iRule Lines 272 - 294:

    else {
        pool <pool>
        if { [class match "enabled" equals <redacted>] } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            } ;# (line 282)
        } elseif { [active_members [LB::server pool]] == 0 } {
            if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
            } else {
                HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
            }
        }
    }
}

 

I sincerely appreciate your time and energy in this.  Thanks.

- Paul C. 


6 Replies

  • Hello pcourtois,

    As I see, you are using [LB::server pool] under HTTP_REQUEST.

    In this case [LB::server pool] returns the default pool, as no LB selection has happened yet.

    So my question is: do you have a default pool configured?

  • VGF5 (Cumulonimbus)

    Try this irule.

    when HTTP_REQUEST {

        if { [HTTP::has_responded] } { return }

        # X-Forwarded header clean-up
        if { [HTTP::header exists "X-Forwarded-Host"] } {
            HTTP::header remove X-Forwarded-Host
        }

        # Block specific user agents (blocklist)
        if { [class match -- [string tolower [HTTP::header "User-Agent"]] contains "/Common/user_agent_blocklist"] } {
            log local0. "User_agent [HTTP::header "User-Agent"] is blocked. From: [IP::client_addr]"
            drop
            return
        }

        # Block Claudebot on specific domains
        if { [class match [string tolower [HTTP::host]] contains "/Common/user_agent_block_list_claudebot"] && 
             [string tolower [HTTP::header "User-Agent"]] contains "claudebot" } {
            log local0. "User_agent [HTTP::header "User-Agent"] is blocked from: [IP::client_addr] for domain [HTTP::host]"
            drop
            return
        }

        # Block specific referer
        if { [HTTP::header "Referer"] contains "https://darknet-markets-onion.com" } {
            log local0. "Referer [HTTP::header "Referer"] is blocked. From: [IP::client_addr]"
            reject
            return
        }

        # Block or allow based on IP class and path; otherwise route by URI prefix
        if { [string tolower [HTTP::path]] contains "<redacted>" && 
             (![class match [IP::client_addr] equals "/Common/<redacted>"]) } {
            log local0. "TDINTERNALWEBAPI dropping traffic from [IP::client_addr] to [HTTP::host][HTTP::uri]"
            drop
            return
        } elseif { [string tolower [HTTP::uri]] starts_with "/<redacted>" || [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
            # Condition for certain paths

            if { ![HTTP::header exists "X-Forwarded-Port"] } {
                HTTP::header insert X-Forwarded-Port [TCP::local_port clientside]
            }

            # Pool assignment
            pool <pool_name>

            # Check feature flag or maintenance mode, then pool health by explicit pool name
            if { [class match "enabled" equals <redacted>] } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                    return
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                    return
                }
            } elseif { [active_members <pool_name>] == 0 } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                    return
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                    return
                }
            }
        } else {
            # Default pool assignment
            pool <pool>

            if { [class match "enabled" equals <redacted>] } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                    return
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                    return
                }
            } elseif { [active_members <pool>] == 0 } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                    return
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] "Cache-Control" "no-store, must-revalidate"
                    return
                }
            }
        }
    }
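An added example (my own, not VGF5's or the thread's code) that combines the two points made above: the pool name is explicit instead of being read back from [LB::server pool], the active_members lookup is wrapped so a bad pool name is logged rather than aborting the connection, and every HTTP::respond is followed by return. The pool, data group, URI prefix and ifile names are assumptions.

```tcl
# Added example, not code from the thread. Hypothetical names:
# pool /Common/pool_app_web, data group /Common/maint_flags, ifiles maint.json / maint.html.
when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return }

    # Select the pool by name and keep that name for the checks below. In
    # HTTP_REQUEST no load-balancing decision has been made yet, so
    # [LB::server pool] only reflects the virtual server's default pool
    # (empty when none is configured). active_members on such a value can
    # fail with a TCL error, and a runtime TCL error aborts the iRule and
    # the connection, which the client sees as a reset.
    set app_pool "/Common/pool_app_web"
    pool $app_pool

    # Maintenance flag from a data group, checked before pool health.
    set in_maint [class match "enabled" equals /Common/maint_flags]

    # Wrap the health lookup so a misconfigured pool name is logged and
    # handled as "no members" instead of tearing down the connection.
    set members 0
    if { [catch { set members [active_members $app_pool] } err] } {
        log local0. "active_members failed for '$app_pool' (client [IP::client_addr]): $err"
    }

    if { $in_maint || $members == 0 } {
        if { [string tolower [HTTP::uri]] starts_with "/api/" } {
            HTTP::respond 503 content [ifile get maint.json] "Content-Type" "application/json" "Cache-Control" "no-store"
        } else {
            HTTP::respond 503 content [ifile get maint.html] "Content-Type" "text/html" "Cache-Control" "no-store, must-revalidate"
        }
        # Nothing after a response should run in this event.
        return
    }
}
```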

    • pcourtois (Cirrus)

      Thank you.  I'll give this a try and update the thread once tested/verified.  Much appreciated.  

  • Good day all, thank you so much for the time and energy into this issue.  The change was made and now we are no longer seeing the errors.  I appreciate all the help.  Be well.