Altostratus

Apr 04, 2021

TCL error with an universal irule

I implement a VS that use an Irule to do persistence based on XFF information, but I got a TCL error when the server response to the client

It seems it happened only when the client is an Microfocus access gateway , and not if the client is an nginx server,

Irule definition :

----------------------------

when HTTP_REQUEST {

set clientip ""

if { [HTTP::header exists "X-Forwarded-For"] } {

set clientip [HTTP::header "X-Forwarded-For"]

} else {

set clientip [IP::client_addr]

}

persist uie $clientip

log local0.info "add persist XFF=$clientip"

}

when HTTP_RESPONSE {

log local0.info "$clientip"

persist add uie $clientip

}

--------------------------------------------------------------

What I see in the logs is the information i logged with the Irule that seems OK , and then a TCL error , and the F5 reset the connection to the client and to the server.

Sun Apr 4 11:46:21 CEST 2021 err lbc3sd01 tmm1 [20064] 01220001 TCL error: /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE> - bad option "10.231.227.101": must be any, virtual, service, or pool while executing "persist add uie $clientip"

Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE>: x.x.169.38, 10.231.227.101

Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_REQUEST>: add persist XFF=x.x.169.38, 10.231.227.101

in the logs of the client , I see also

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:info] [pid 32444:tid 140401994258176] [client 10.231.227.101:54900] received response from server

Apr 1 21:55:22 nam02 httpd[32444]: [ssl:debug] [pid 32444:tid 140401994258176] ssl_engine_io.c(2214): [remote 10.219.4.66:8443] OpenSSL: I/O error, 5 bytes expected to read on BIO#7fb15400bad0 [mem: 7fb154067963]

Apr 1 21:55:22 nam02 httpd[32444]: [ssl:info] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [remote 10.219.4.66:8443] AH01991: SSL input filter read failed.

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:error] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [client 10.231.227.101:54900] AH01102: error reading status line from remote server 10.219.4.66:8443

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:debug] [pid 32444:tid 140401994258176] mod_proxy_http.c(1442): [client 10.231.227.101:54900] AH01105: NOT Closing connection to client although reading from backend server 10.219.4.66:8443 failed.

Apr

application delivery

BIG-IP

iRules

spalande
Apr 04, 2021
Is there a reason you are adding persistence in the http response event?
I think since you want to create persistence from the client side information (XFF/src address) adding it in the http request event would be enough.

when HTTP_REQUEST { if {[HTTP::header X-Forwarded-For] != ""} then { persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0] } else { persist uie [IP::client_addr] } }

when HTTP_REQUEST { if {[HTTP::header X-Forwarded-For] != ""} then { persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0] } else { persist uie [IP::client_addr] } }

Forum Discussion

TCL error with an universal irule

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

iRule syntax error

Universal Inspection iRule for LTM Session Persistent

ASM Error

Universal persistence using IPV6 with iRule..

Rewrite Profile JSON error

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS