
TCL error with a universal iRule

Jumbo
Altostratus

I implemented a VS that uses an iRule to do persistence based on XFF information, but I get a TCL error when the server responds to the client.

It seems to happen only when the client is a Microfocus access gateway, and not when the client is an nginx server.

 

 

iRule definition:

----------------------------

when HTTP_REQUEST {
  set clientip ""
  if { [HTTP::header exists "X-Forwarded-For"] } {
    set clientip [HTTP::header "X-Forwarded-For"]
  } else {
    set clientip [IP::client_addr]
  }
  persist uie $clientip
  log local0.info "add persist XFF=$clientip"
}

when HTTP_RESPONSE {
  log local0.info "$clientip"
  persist add uie $clientip
}

--------------------------------------------------------------

 

What I see in the logs is the information I logged with the iRule, which seems OK, and then a TCL error, and the F5 resets the connection to the client and to the server.

 

Sun Apr 4 11:46:21 CEST 2021 err lbc3sd01 tmm1 [20064] 01220001 TCL error: /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE> - bad option "10.231.227.101": must be any, virtual, service, or pool while executing "persist add uie $clientip"

Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE>: x.x.169.38, 10.231.227.101

Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_REQUEST>: add persist XFF=x.x.169.38, 10.231.227.101

 

 

In the logs of the client, I also see:

 

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:info] [pid 32444:tid 140401994258176] [client 10.231.227.101:54900] received response from server

Apr 1 21:55:22 nam02 httpd[32444]: [ssl:debug] [pid 32444:tid 140401994258176] ssl_engine_io.c(2214): [remote 10.219.4.66:8443] OpenSSL: I/O error, 5 bytes expected to read on BIO#7fb15400bad0 [mem: 7fb154067963]

Apr 1 21:55:22 nam02 httpd[32444]: [ssl:info] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [remote 10.219.4.66:8443] AH01991: SSL input filter read failed.

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:error] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [client 10.231.227.101:54900] AH01102: error reading status line from remote server 10.219.4.66:8443

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:debug] [pid 32444:tid 140401994258176] mod_proxy_http.c(1442): [client 10.231.227.101:54900] AH01105: NOT Closing connection to client although reading from backend server 10.219.4.66:8443 failed.

Apr 

 

1 ACCEPTED SOLUTION

SanjayP
MVP

Is there a reason you are adding persistence in the HTTP response event?

I think, since you want to create persistence from the client-side information (XFF/src address), adding it in the HTTP request event would be enough.

when HTTP_REQUEST {
  # Persist on the first address of the first X-Forwarded-For header
  if {[HTTP::header X-Forwarded-For] != ""} then {
    persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0]
  } else {
    persist uie [IP::client_addr]
  }
}
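An added example, not part of the thread or any poster's code: a variant of the iRule above that also trims and format-checks the first X-Forwarded-For element before using it as the persistence key, since the logged value "x.x.169.38, 10.231.227.101" shows the header can arrive as a comma-and-space separated list. The variable names and the format check are assumptions chosen for illustration.

```tcl
# Added example (not from the thread). Assumption: persistence should key on
# the first address in X-Forwarded-For, as in the answer above.
when HTTP_REQUEST {
    # Default key: the TCP peer address, which is not taken from a header.
    set persist_key [IP::client_addr]

    if { [HTTP::header exists "X-Forwarded-For"] } {
        # A request may carry several XFF headers, each holding a list such
        # as "x.x.169.38, 10.231.227.101". Take the first element of the
        # first header and strip the surrounding whitespace.
        set xff_first [string trim [lindex [split [lindex [HTTP::header values "X-Forwarded-For"] 0] ","] 0]]

        # Accept only characters that can appear in an IPv4 or IPv6 literal,
        # with a bounded length. This is a shape check, not full address
        # validation: it rejects empty values and anything with embedded
        # whitespace, so the key is always a single word.
        if { [regexp {^[0-9A-Fa-f:.]{2,45}$} $xff_first] } {
            set persist_key $xff_first
        } else {
            # Log the peer address only, not the raw header content.
            log local0.info "XFF ignored (unexpected format), peer=[IP::client_addr]"
        }
    }

    # Key is set on the request; no "persist add" in HTTP_RESPONSE is used.
    persist uie $persist_key
}
```

The first X-Forwarded-For element is only as trustworthy as whatever sits in front of the virtual server, so the fallback to the peer address keeps persistence working when the header is missing or malformed.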


Jumbo
Altostratus

Are you sure? For me, you can only add persistence records to the table when the server is selected, so in the response you add a record to the table and in the request you read it.

SanjayP
MVP

Yes, to my knowledge. persist add uie is used if persistence needs to be created based on the server response, e.g. a JSESSION ID or a custom cookie being created.

https://devcentral.f5.com/s/question/0D51T00006oHHj1/universal-persistence-irules-persist-uie-comman...

 

I would suggest, if possible, trying it in a non-prod environment, or we can wait to see if someone else has another opinion here.

Jumbo
Altostratus

I'll try to implement it as you proposed and will keep you informed about the result.

 

Jacques

Jumbo
Altostratus

Hi F5rocks

 

I implemented it, and it seems to be working as expected.

Thanks very much for your help.

 

Jacques

That's nice to hear. If you select this answer as best, it would close this conversation. Thanks!