Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

TCL error: _cgc_pick_clientside

rolf
Cirrus
Cirrus

Hi,

 

in an ASM-LTM (Perimeter) Setup I see frquently the following logs:

 

***err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"***

 

Any idea what this TCL error causes? The clientssl is quite Basic: one certificate chain, no Server Name set.

 

Thanks, Rolf

 

4 REPLIES 4

Greg_Jewett
Cirrus
Cirrus

I too am getting a very similar error. It is definitely a error executing iRule code, but I can not find the iRule.

err tmm[10782]: 01220001:3: TCL error: _cgc_pick_clientside <CLIENT_DATA> - bad option "-31744": must be -exact, -glob, -regexp, or --     while executing "switch $tls_version {                 "769" -                 "770" -                 "771" {                     if { ($tls_xacttype == 22) } {      ..."

 

Samir
Nacreous
Nacreous

 , Have you executed any scanning to Management IP/Self-IP. Looks some scanning you have performed..

Greg_Jewett
Cirrus
Cirrus

Not sure what you mean, but - now that I look back at my own post, I believe this is a very simple error - there was a value of "-31744" that was sent to a switch statement that did not have a corresponding matching value. Maybe this is a default log message to spell out the fact that not match was found and a default option was not given to choose. The other meaning could mean that the value "-31744" was completely invalid for a switch statement, that it needs to be a positive value or within a specific range.

 

These are just hypothesis's.

Steve_MC
Nimbostratus
Nimbostratus

I found this page searching for an answer to the exact question  was asking, kept searching, and was eventually able to find this Support Solution:

 

https://support.f5.com/csp/article/K54469707

 

It mentions that this is actually a big3d error and sure enough, when I checked /var/log/gtm I found SSL Error messages that matched up with these /var/log/ltm messages. Even better, the /var/log/gtm messages list the IP that these connections are coming from, which in my case turned out to be one of our internal security appliances doing a scan.