client side
3 TopicsCLIENT_ACCEPTED, SERVER_ACCEPTED and TCP::collect
Hi, That is probably obvious but I can't really figure out how TCP::collect is working depending on where it was enabled. When CLIENT_ACCEPTED is triggered it means three-way handshake was finished and we are waiting for packet from client. Now when TCP::collect is enabled what is collected: Only packets from client to VS (on clientside of the connection) Both packets from client and to client (send from VS to client) Same for SERVER_ACCEPTED (triggered after three-way handshake between VS and pool member is finished) Only packets from VS to pool member (on serverside of the connection) Both packets from VS to pool member and from pool member to VS What happens when iRule is like that: when CLIENT_ACCEPTED { set ehlo 0 SSL::disable } when SERVER_CONNECTED { TCP::collect } when CLIENT_DATA { set lcpayload [string tolower [TCP::payload]] if { $lcpayload starts_with "ehlo" } { set ehlo 1 serverside { TCP::collect } TCP::release TCP::collect } elseif { $lcpayload starts_with "starttls" } { TCP::respond "220 Ready to start TLS\r\n" TCP::payload replace 0 [TCP::payload length] "" TCP::release SSL::enable } else { TCP::release } } when SERVER_DATA { if { $ehlo == 1 and not([string tolower [TCP::payload]] contains "starttls") } { TCP::payload replace 0 0 "250-STARTTLS\r\n" } TCP::release clientside { TCP::collect } } No TCP:collect in CLIENT_ACCEPTED but instead clientside { TCP::collect } in SERVER_ACCEPTED. What is exact flow here (comparing to TCP::collect triggered in CLIENT_ACCEPTED)? What will be flow in case serverside { TCP::collect } is used? Is TCP::release (in SERVER_DATA) used to release packet from VS to pool member or as well from client to VS? My assumption for above is like that: Packet from client to VIP is not placed in the buffer - no TCP:collect in CLIENT_ACCEPTED This packet (first packet after three-way handshake on clientside) is triggering three-way handshake on serverside (between VS and pool member) Then TCP::collect is triggered so packet from VS to pool member is placed into buffer When full packet is placed in buffer SERVER_DATA is triggered In SERVER_DATA clientside { TCP::collect} is triggered - so is that mean that second packet from client to VIP is placed into buffer? After collecting full packet CLIENT_DATA is triggered for packet between VS and pool member (serverside { TCP::collect } Collected clientside packet is released to the serverside (TCP::release) Collecting of following clientside packet is enabled (TCP::collect) so next clientside packet will be collected So in short this code is just skipping first clientside packet and starts collecting clientside packets from second packet or it means first packet from client to pool member is delivered without collecting and first packet from pool member to client is placed into buffer? Or I completely misunderstand it? Piotr500Views0likes4CommentsCLIENT_ACCEPTED, SERVER_ACCEPTED and TCP::collect
Hi, That is probably obvious but I can't really figure out how TCP::collect is working depending on where it was enabled. When CLIENT_ACCEPTED is triggered it means three-way handshake was finished and we are waiting for packet from client. Now when TCP::collect is enabled what is collected: Only packets from client to VS (on clientside of the connection) Both packets from client and to client (send from VS to client) Same for SERVER_ACCEPTED (triggered after three-way handshake between VS and pool member is finished) Only packets from VS to pool member (on serverside of the connection) Both packets from VS to pool member and from pool member to VS What happens when iRule is like that: when CLIENT_ACCEPTED { set ehlo 0 SSL::disable } when SERVER_CONNECTED { TCP::collect } when CLIENT_DATA { set lcpayload [string tolower [TCP::payload]] if { $lcpayload starts_with "ehlo" } { set ehlo 1 serverside { TCP::collect } TCP::release TCP::collect } elseif { $lcpayload starts_with "starttls" } { TCP::respond "220 Ready to start TLS\r\n" TCP::payload replace 0 [TCP::payload length] "" TCP::release SSL::enable } else { TCP::release } } when SERVER_DATA { if { $ehlo == 1 and not([string tolower [TCP::payload]] contains "starttls") } { TCP::payload replace 0 0 "250-STARTTLS\r\n" } TCP::release clientside { TCP::collect } } No TCP:collect in CLIENT_ACCEPTED but instead clientside { TCP::collect } in SERVER_ACCEPTED. What is exact flow here (comparing to TCP::collect triggered in CLIENT_ACCEPTED)? What will be flow in case serverside { TCP::collect } is used? Is TCP::release (in SERVER_DATA) used to release packet from VS to pool member or as well from client to VS? My assumption for above is like that: Packet from client to VIP is not placed in the buffer - no TCP:collect in CLIENT_ACCEPTED This packet (first packet after three-way handshake on clientside) is triggering three-way handshake on serverside (between VS and pool member) Then TCP::collect is triggered so packet from VS to pool member is placed into buffer When full packet is placed in buffer SERVER_DATA is triggered In SERVER_DATA clientside { TCP::collect} is triggered - so is that mean that second packet from client to VIP is placed into buffer? After collecting full packet CLIENT_DATA is triggered for packet between VS and pool member (serverside { TCP::collect } Collected clientside packet is released to the serverside (TCP::release) Collecting of following clientside packet is enabled (TCP::collect) so next clientside packet will be collected So in short this code is just skipping first clientside packet and starts collecting clientside packets from second packet or it means first packet from client to pool member is delivered without collecting and first packet from pool member to client is placed into buffer? Or I completely misunderstand it? Piotr268Views0likes0CommentsMissing Endpoint-Security (Client side) tab in APM
Hi, Somehow I'm missing the tab in APM. I'm running a Lab-License, but also tried with a Eval-License - in both cases, I can't add any features like AV check or similar into my APM. Is there something else necessary? Any package or similar that needs to be uploaded to F5 to enable the checks? Or do I need to provision any additional modules (curr. LTM/ASM/APM) Running Version 12.1 Thanks in advance!211Views0likes1Comment