TCL error with a universal iRule
I implemented a VS that uses an iRule to do persistence based on XFF information, but I got a TCL error when the server responds to the client.
It seems to happen only when the client is a Microfocus access gateway, and not if the client is an nginx server.
iRule definition:
----------------------------
when HTTP_REQUEST {
    set clientip ""
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set clientip [HTTP::header "X-Forwarded-For"]
    } else {
        set clientip [IP::client_addr]
    }
    persist uie $clientip
    log local0.info "add persist XFF=$clientip"
}
when HTTP_RESPONSE {
    log local0.info "$clientip"
    persist add uie $clientip
}
--------------------------------------------------------------
What I see in the logs is the information I logged with the iRule, which seems OK, and then a TCL error, and the F5 resets the connection to the client and to the server.
Sun Apr 4 11:46:21 CEST 2021 err lbc3sd01 tmm1 [20064] 01220001 TCL error: /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE> - bad option "10.231.227.101": must be any, virtual, service, or pool while executing "persist add uie $clientip"
Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE>: x.x.169.38, 10.231.227.101
Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_REQUEST>: add persist XFF=x.x.169.38, 10.231.227.101
In the logs of the client, I also see:
Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:info] [pid 32444:tid 140401994258176] [client 10.231.227.101:54900] received response from server
Apr 1 21:55:22 nam02 httpd[32444]: [ssl:debug] [pid 32444:tid 140401994258176] ssl_engine_io.c(2214): [remote 10.219.4.66:8443] OpenSSL: I/O error, 5 bytes expected to read on BIO#7fb15400bad0 [mem: 7fb154067963]
Apr 1 21:55:22 nam02 httpd[32444]: [ssl:info] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [remote 10.219.4.66:8443] AH01991: SSL input filter read failed.
Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:error] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [client 10.231.227.101:54900] AH01102: error reading status line from remote server 10.219.4.66:8443
Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:debug] [pid 32444:tid 140401994258176] mod_proxy_http.c(1442): [client 10.231.227.101:54900] AH01105: NOT Closing connection to client although reading from backend server 10.219.4.66:8443 failed.
Apr
6 Replies
- spalande
Nacreous
Is there a reason you are adding persistence in the http response event?
I think since you want to create persistence from the client side information (XFF/src address) adding it in the http request event would be enough.
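when HTTP_REQUEST {
    if { [HTTP::header X-Forwarded-For] != "" } then {
        # Persist on the first address of the first X-Forwarded-For header
        persist uie [lindex [split [lindex [HTTP::header values X-Forwarded-For] 0] ","] 0]
    } else {
        # No X-Forwarded-For header: persist on the client source address
        persist uie [IP::client_addr]
    }
}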
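An added example, not part of the original post or of F5's own code: a request-side variant that reduces a header value like the one in the log above (two addresses separated by a comma and a space, the second of which the TCL error names) to a single validated IPv4 address before it is used as the persistence key. The data group name trusted_xff_proxies is hypothetical, and honoring X-Forwarded-For only from listed proxies and only for IPv4 values are assumptions of this example.

```tcl
when HTTP_REQUEST {
    # Default key: the TCP peer address, which a client cannot set through a header.
    set persist_key [IP::client_addr]

    # Assumption: "trusted_xff_proxies" is a hypothetical address data group that
    # lists the reverse proxies allowed to supply X-Forwarded-For.
    if { [class match [IP::client_addr] equals trusted_xff_proxies] &&
         [HTTP::header exists "X-Forwarded-For"] } {

        # The header can repeat, and each instance can be a list such as
        # "client, proxy1". Keep the first element of the first instance and
        # trim the space that follows the comma.
        set xff [lindex [HTTP::header values "X-Forwarded-For"] 0]
        set candidate [string trim [lindex [split $xff ","] 0]]

        # Strict dotted-quad IPv4 pattern: four octets in 0-255, no leading
        # zeros, nothing before or after. IPv6 values fall back to the peer
        # address in this example.
        set octet {(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])}
        set ipv4_re "^$octet\\.$octet\\.$octet\\.$octet\$"

        if { [regexp $ipv4_re $candidate] } {
            set persist_key $candidate
        } else {
            # Log the length, not the raw header, to keep untrusted text out of the log.
            log local0.warning "X-Forwarded-For rejected as persistence key (length [string length $xff])"
        }
    }

    # The key is now a single token with no comma or whitespace.
    persist uie $persist_key
}
```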
- Jumbo
Altostratus
Are you sure? For me, you can only add persistence records to the table when the server is selected,
so in the response you add a record to the table, and in the request you read it.
- spalande
Nacreous
Yes, to my knowledge. persist add uie is used if persistence needs to be created based on the server response, e.g. when a JSESSION ID or custom cookie is created.
I would suggest trying it in a non-prod environment if possible, or we can wait to see if someone else has another opinion here.
- Jumbo
Altostratus
I'll try to implement it as you proposed and will keep you informed about the result.
Jacques
- Jumbo
Altostratus
Hi F5rocks
I implemented it, and it seems to be working as expected.
Thanks very much for your help.
Jacques
- spalande
Nacreous
That's nice to hear. If you select this answer as best it would close this conversation. Thanks!
