
TCL Error with F5 Verified iRule "_sys_https_redirect"

Anthony_A
Altostratus

Hi guys,

 

I've noticed that we're seeing the following message logged in our BIG-IP LTM logs after upgrading our BIG-IP LTMs from version 12.1 to 14.1 (specifically going from 12.1.3.2 to 14.1.2.6):

err tmm[11128]: 01220001:3: TCL error: /Common/_sys_https_redirect <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 1)   invoked from within "HTTP::host"

 

I'm aware of https://support.f5.com/csp/article/K23237429 and the fix (I've used the fix on many of our existing iRules with success). But I can't apply the same fix for this rule because it is one of the sacred F5 verified iRules. The rule still works without any issues visible to the end user, but the sysadmin in me likes to fix the source of errors that I see in the logs, if possible.

 

Thanks,

Tony

4 REPLIES

Hello,

 

Do you have multiple iRules on the same vServer?

Hi Mayur,

 

Thanks for the response. I didn't even think of that. Usually with our HTTP virtual servers that only exist to redirect to their HTTPS counterparts, there is usually only the "_sys_https_redirect" iRule. But it's possible there may be HTTP virtual servers with the _sys_https_redirect iRule and another iRule.

 

Problem is, though, that we have a couple thousand virtual servers with maybe a third of them only existing for HTTP-to-HTTPS redirection. Will need to write a quick script to find all the virtuals that have the "_sys_https_redirect" iRule attached and another iRule.

 

Thanks for the advice! Will reply back with what I find.

 

That was it! Out of the 600+ HTTP-to-HTTPS redirect virtuals with the _sys_https_redirect iRule, a handful of them had second iRules that had HTTP::respond events. I just removed those secondary iRules after I determined I didn't need them to do what they were doing. Logs look good now. Thanks again for your help!

 

If anyone is curious, I came up with the below bash script to quickly find the culprit virtuals (I didn't have enough time to get fancy though so it just echoes the comma-delimited output to stdout).

 

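#!/bin/bash

IRULE="_sys_https_redirect"

# Names of all virtual servers whose one-line config mentions the iRule
VIRTUALS=$(tmsh list ltm virtual one-line | grep -i "${IRULE}" | cut -d' ' -f3)

for VS in $VIRTUALS
do
    # Extract the contents of the "rules { ... }" block for this virtual
    IRULES=$(tmsh list ltm virtual "${VS}" one-line | grep rules | sed -e 's/.* rules { //' -e 's/ }.*//')
    echo "$VS,$IRULES"
done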

 

I suspected the same, that it was due to other iRules. I am glad it helped you.

Also thanks for sharing the above script. Cheers!
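
A follow-up to the script in the thread, as an added example that is not part of the original posts: it reads `tmsh list ltm virtual one-line` text on stdin in a single pass and prints only the virtuals where `_sys_https_redirect` shares the `rules { ... }` block with at least one other iRule, which are the candidates to check for a second `HTTP::respond` or redirect. The function names, the sample virtuals, the iRule names `maintenance_page` and `app3_headers`, and the handling of a `/Common/` prefix are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): list virtuals where the target iRule
# is attached together with other iRules.

IRULE="_sys_https_redirect"

# Reads one-line virtual server configs on stdin, prints "name,other rules".
find_shared_virtuals() {
    awk -v target="$IRULE" '
    $1 == "ltm" && $2 == "virtual" {
        name = $3; found = 0; others = ""
        # Locate the "rules {" block and walk its members up to the closing "}".
        for (i = 4; i < NF; i++) {
            if ($i == "rules" && $(i + 1) == "{") {
                for (j = i + 2; j <= NF && $j != "}"; j++) {
                    rule = $j
                    sub(/^\/Common\//, "", rule)   # assumption: tolerate full-path names
                    if (rule == target) found = 1
                    else others = others (others == "" ? "" : " ") $j
                }
                break
            }
        }
        # Report only when the target iRule is present AND not alone.
        if (found && others != "") print name "," others
    }'
}

# Constructed sample input (hypothetical virtuals, documentation addresses).
sample_virtuals() {
    cat <<'EOF'
ltm virtual vs_app1_80 { destination 192.0.2.10:http ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } rules { _sys_https_redirect } source 0.0.0.0/0 }
ltm virtual vs_app2_80 { destination 192.0.2.11:http ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } rules { _sys_https_redirect maintenance_page } source 0.0.0.0/0 }
ltm virtual vs_app3_443 { destination 192.0.2.12:https ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } rules { app3_headers } source 0.0.0.0/0 }
EOF
}

# On a BIG-IP: tmsh list ltm virtual one-line | find_shared_virtuals
sample_virtuals | find_shared_virtuals
```

A virtual listed here only has a second iRule attached; whether that iRule actually responds before `_sys_https_redirect` runs still has to be confirmed by reading it.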