Forum Discussion

Anthony_A's avatar
Anthony_A
Icon for Altostratus rankAltostratus
Oct 05, 2020

TCL Error with F5 Verified iRule "_sys_https_redirect"

Hi guys,

 

I've noticed that we're seeing the following message logged in our BIG-IP LTM logs after upgrading our BIG-IP LTMs from version 12.1 to 14.1 (specifically going from 12.1.3.2 to 14.1.2.6):

err tmm[11128]: 01220001:3: TCL error: /Common/_sys_https_redirect <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 1)   invoked from within "HTTP::host"

 

I'm aware of https://support.f5.com/csp/article/K23237429 and the fix (I've used the fix on many of our existing iRules with success). But I can't apply the same fix for this rule because of it is one of the sacred F5 verified iRules. The rule still works without any issues visible to the end user, but the sysadmin in me likes to fix the source of errors that I see in the logs, if possible.

 

Thanks,

Tony

application delivery
iRules
LTM

4 Replies

Sort By
    • Anthony_A's avatar
      Anthony_A
      Icon for Altostratus rankAltostratus
      Oct 06, 2020

      That was it! Out of the 600+ HTTP-to-HTTPS redirect virtuals with the _sys_https_redirect iRule, a handful of them had second iRules that had HTTP::respond events. I just removed those secondary iRules after I determined I didn't need them to do what they were doing. Logs look good now. Thanks again for your help!

      If anyone is curious, I came up with the below bash script to quickly find the culprit virtuals (I didn't have enough time to get fancy though so it just echos the comma-delimited output to stdout).

      #!/bin/bash
 
IRULE="_sys_https_redirect"
 
VIRTUALS=$(tmsh list ltm virtual one-line | grep -i ${IRULE} | cut -d' ' -f3)
 
for VS in $VIRTUALS
do    
    IRULES=$(tmsh list ltm virtual "${VS}" one-line | grep rules | sed -e 's/.* rules { //' -e 's/ }.*//')
    echo "$VS,$IRULES"
done
      • Mayur_Sutare's avatar
        Mayur_Sutare
        Icon for MVP rankMVP
        Oct 07, 2020

        I suspected the same that it was due to other iRules. I am glad it helped you.

        Also thanks for sharing above script. Cheers!

    • Anthony_A's avatar
      Anthony_A
      Icon for Altostratus rankAltostratus
      Oct 06, 2020

      Hi Mayur,

       

      Thanks for the response. I didn't even think of that. Usually with our HTTP virtual servers that only exist to redirect to their HTTPS counterparts, there is usually only the "_sys_https_redirect" iRule. But it's possible there may be HTTP virtual servers with the _sys_https_redirect iRule and another iRule.

       

      Problem is though is that we have a couple thousand virtual servers with maybe a third of them only existing for HTTP-to-HTTPS redirection. Will need to write a quick script to find all the virtuals that have the "_sys_https_redirect" iRule attached and another iRule.

       

      Thanks for the advice! Will reply back with what I find.