Forum Discussion
Using iRules with DTLS
Per F5 support, I've implemented DTLS for our Network Access APM VPN connections. The problem is that I have an iRule that evidently needs an HTTP profile to work and I don't have that available in my DTLS virtual server. Here is the error I'm getting:
01071912:3: ACCESS::restrict_irule_events in rule (/Common/EmoryLogging) requires an associated ACCESS profile on the virtual-server (/Common/EmoryVPN_DTLS_vs).
Any ideas on how to fix this? I'll post my irule below.
- aefting
Altostratus
Here is my iRule:

when CLIENT_ACCEPTED {
    # This is required to allow the HTTP_REQUEST event to key off of the APM internal URI
    ACCESS::restrict_irule_events disable
}

when ACCESS_POLICY_COMPLETED {
    # After the VPE policy is completed, check if the user has been denied.
    # A session variable "session.custom.denyreason" is set in the VPE to provide an error code for logging purposes.
    # Note that ACCESS::policy result isn't evaluated in the ACCESS_SESSION_CLOSED event.
    # Placing the logging here removes the need to create a new session variable containing the result.
    if { [ACCESS::policy result] equals "deny" } {
        catch {set starttime [ACCESS::session data get "session.user.starttime"]}
        catch {set userip [ACCESS::session data get "session.user.clientip"]}
        catch {set username [ACCESS::session data get "session.logon.last.username"]}
        catch {set sessionid [ACCESS::session data get "session.user.sessionid"]}
        catch {set assignedip [ACCESS::session data get "session.assigned.clientip"]}
        catch {set assignedresources [ACCESS::session data get "session.assigned.na.current"]}
        catch {set geolocationcountry [ACCESS::session data get "session.user.ipgeolocation.country_name"]}
        catch {set platform [ACCESS::session data get "session.client.platform"]}
        catch {set avstatus [ACCESS::session data get "AVcheckFailed"]}
        catch {set fwstatus [ACCESS::session data get "FWcheckFailed"]}
        catch {set browser [ACCESS::session data get "session.client.type"]}
        catch {set version [ACCESS::session data get "session.client.version"]}
        catch {set url [ACCESS::session data get "session.server.network.name"]}
        catch {set macaddr [ACCESS::session data get "session.last.usermac"]}
        catch {set denyreason [ACCESS::session data get "session.custom.denyreason"]}
        log local0. "Denied ([clock format $starttime -format {%d %b %Y %T %Z}]|$assignedresources|$sessionid|$username|$userip|$assignedip|$geolocationcountry|$avstatus|$fwstatus|$platform|$browser|$version|$url|$denyreason|$macaddr)"
    }
}

when HTTP_REQUEST {
    # "session.assigned.clientip" is assigned after ACCESS_POLICY_COMPLETED and before ACCESS_SESSION_CLOSED.
    # In order to capture it, we key off of an internal URI hit by the client when the VPN is established.
    # We wait a few seconds for the lease pool IP address to be assigned and then log the address here.
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        after 5000 {
            catch {set starttime [ACCESS::session data get "session.user.starttime"]}
            catch {set userip [ACCESS::session data get "session.user.clientip"]}
            catch {set username [ACCESS::session data get "session.logon.last.username"]}
            catch {set sessionid [ACCESS::session data get "session.user.sessionid"]}
            catch {set assignedip [ACCESS::session data get "session.assigned.clientip"]}
            catch {set assignedresources [ACCESS::session data get "session.assigned.na.current"]}
            catch {set geolocationcountry [ACCESS::session data get "session.user.ipgeolocation.country_name"]}
            catch {set platform [ACCESS::session data get "session.client.platform"]}
            catch {set avstatus [ACCESS::session data get "AVcheckFailed"]}
            catch {set fwstatus [ACCESS::session data get "FWcheckFailed"]}
            catch {set browser [ACCESS::session data get "session.client.type"]}
            catch {set version [ACCESS::session data get "session.client.version"]}
            catch {set url [ACCESS::session data get "session.server.network.name"]}
            catch {set macaddr [ACCESS::session data get "session.last.usermac"]}
            catch {set denyreason [ACCESS::session data get "session.custom.denyreason"]}
            log local0. "Established ([clock format $starttime -format {%d %b %Y %T %Z}]|$assignedresources|$sessionid|$username|$userip|$assignedip|$geolocationcountry|$avstatus|$fwstatus|$platform|$browser|$version|$url|$denyreason|$macaddr)"
        }
    }
}
- Philipped
Nimbostratus
Hi,
I see your post is 4 months old and I am trying to find a solution to this issue as well.
Have you found a solution or are you still looking for one?
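One thing worth pointing out about the posted iRule, independent of the DTLS/ACCESS-profile error: every `catch {set var [ACCESS::session data get ...]}` silently leaves its variable unset when the ACCESS command fails, and the `log` line then throws "no such variable" for the first missing one, so a partial failure produces no log record at all. The variant below is an added example, not the original poster's iRule and not F5 code; it keeps the same fifteen fields in the same pipe-delimited order but defaults each to an empty string and formats the start time only when it is a valid epoch value. It assumes a BIG-IP release that supports iRule procedures (`proc` invoked via `call`, 11.4 and later) and that `ACCESS::session data get` may be used inside a proc called from these events; `AVcheckFailed` and `FWcheckFailed` are the custom variable names used in the original.

```tcl
# Added example: hardened session logging for the APM Network Access iRule above.
# Not the original poster's code and not F5-supplied; assumes BIG-IP 11.4+ (iRule procs).

# Build one pipe-delimited log record from the session. Each field defaults to ""
# if the session variable cannot be read, so the log line itself never errors.
proc vpn_record {} {
    # Same variables and order as the original "Denied (...)" / "Established (...)" lines.
    set vars [list \
        session.user.starttime \
        session.assigned.na.current \
        session.user.sessionid \
        session.logon.last.username \
        session.user.clientip \
        session.assigned.clientip \
        session.user.ipgeolocation.country_name \
        AVcheckFailed \
        FWcheckFailed \
        session.client.platform \
        session.client.type \
        session.client.version \
        session.server.network.name \
        session.custom.denyreason \
        session.last.usermac]

    set out [list]
    foreach var $vars {
        set val ""
        catch { set val [ACCESS::session data get $var] }
        # Only format the start time when it really is an epoch integer;
        # otherwise leave it empty rather than letting clock format throw.
        if { $var eq "session.user.starttime" } {
            if { [string is integer -strict $val] } {
                set val [clock format $val -format {%d %b %Y %T %Z}]
            } else {
                set val ""
            }
        }
        lappend out $val
    }
    return [join $out |]
}

when CLIENT_ACCEPTED {
    # Needed so HTTP_REQUEST fires for the APM internal URI (as in the original).
    ACCESS::restrict_irule_events disable
}

when ACCESS_POLICY_COMPLETED {
    # Log denials at policy completion, where ACCESS::policy result is still available.
    if { [ACCESS::policy result] equals "deny" } {
        log local0. "Denied ([call vpn_record])"
    }
}

when HTTP_REQUEST {
    # session.assigned.clientip is populated shortly after policy completion;
    # wait for the lease pool assignment before logging, as the original does.
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        after 5000 {
            log local0. "Established ([call vpn_record])"
        }
    }
}
```

Because the field list lives in one place, the "Denied" and "Established" records are guaranteed to have the same column layout, which keeps downstream log parsing simple; an empty column then reliably means "variable not readable at log time" rather than a dropped record.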