For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Scott_Hopkins's avatar
Scott_Hopkins
Icon for Nimbostratus rankNimbostratus
May 14, 2014

Timeout for TCP/SSL Collect

Is there any way to put a limit on the SSL::collect or TCP::collect actions? I can't seem to find a built in function to do this, and was curious if anyone had a good method to do this.

 

application delivery
devops
iRules

2 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    May 18, 2014

    i think TCP::collect does not need timeout because it will always be fired.

    With TCP::collect, the event for processing the data (CLIENT_DATA or SERVER_DATA ) will fire without TCP::release being called

    TCP::collect

    https://devcentral.f5.com/wiki/iRules.TCP__collect.ashx

    for SSL::collect, i think after command may be usable.

     config

[root@ve11a:Active:In Sync] config  tmsh list ltm rule qux
ltm rule qux {
    when CLIENTSSL_HANDSHAKE {
  log local0. ""
  set mon [\
    after 100 {
      TCP::close
    }\
  ]
  SSL::collect 1500
}
when CLIENTSSL_DATA {
  log local0. ""
}
}

 client

[root@centos1 ~] curl -d test=1234567890 -ik https://172.28.24.10
curl: (52) Empty reply from server

    after

    https://devcentral.f5.com/wiki/iRules.after.ashx
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    May 19, 2014

    Both TCP::collect and SSL::collect have packet length parameter options. Can you elaborate on what you're trying to do? Are you trying to perform some function if no data is collected over some period of time? I'd be cautious in the use of an explicit timing function like after. It's definitely useful here, but can have some implications of CPU utilization.