Forum Discussion

Jumbo's avatar
Jumbo
Icon for Altostratus rankAltostratus
Apr 04, 2021

TCL error with an universal irule

I implement a VS that use an Irule to do persistence based on XFF information, but I got a TCL error when the server response to the client

It seems it happened only when the client is an Microfocus access gateway , and not if the client is an nginx server,

 

 

Irule definition :

----------------------------

when HTTP_REQUEST {

  set clientip ""

  if { [HTTP::header exists "X-Forwarded-For"] } {

    set clientip [HTTP::header "X-Forwarded-For"]

  } else {

    set clientip [IP::client_addr]

  }

  persist uie $clientip

  log local0.info "add persist XFF=$clientip"

 

when HTTP_RESPONSE {

  log local0.info "$clientip"

  persist add uie $clientip

}

--------------------------------------------------------------

 

What I see in the logs is the information i logged with the Irule that seems OK , and then a TCL error , and the F5 reset the connection to the client and to the server.

 

Sun Apr 4 11:46:21 CEST 2021 err lbc3sd01 tmm1 [20064] 01220001 TCL error: /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE> - bad option "10.231.227.101": must be any, virtual, service, or pool while executing "persist add uie $clientip"

Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_RESPONSE>: x.x.169.38, 10.231.227.101

Sun Apr 4 11:46:21 CEST 2021 info lbc3sd01 tmm1 [20064] Rule /LAN_10G/IDP.RE7.PERSIST.ON.XFF <HTTP_REQUEST>: add persist XFF=x.x.169.38, 10.231.227.101

 

 

in the logs of the client , I see also

 

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:info] [pid 32444:tid 140401994258176] [client 10.231.227.101:54900] received response from server

Apr 1 21:55:22 nam02 httpd[32444]: [ssl:debug] [pid 32444:tid 140401994258176] ssl_engine_io.c(2214): [remote 10.219.4.66:8443] OpenSSL: I/O error, 5 bytes expected to read on BIO#7fb15400bad0 [mem: 7fb154067963]

Apr 1 21:55:22 nam02 httpd[32444]: [ssl:info] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [remote 10.219.4.66:8443] AH01991: SSL input filter read failed.

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:error] [pid 32444:tid 140401994258176] (104)Connection reset by peer: [client 10.231.227.101:54900] AH01102: error reading status line from remote server 10.219.4.66:8443

Apr 1 21:55:22 nam02 httpd[32444]: [proxy_http:debug] [pid 32444:tid 140401994258176] mod_proxy_http.c(1442): [client 10.231.227.101:54900] AH01105: NOT Closing connection to client although reading from backend server 10.219.4.66:8443 failed.

Apr 

 

  • Is there a reason you are adding persistence in the http response event?

    ​I think since you want to create persistence from the client side information (XFF/src address) adding it in the http request event would be enough.

    when HTTP_REQUEST { 
     if {[HTTP::header X-Forwarded-For] != ""} then {
    persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0]
        } else {
    persist uie [IP::client_addr]
    }
    }

  • Is there a reason you are adding persistence in the http response event?

    ​I think since you want to create persistence from the client side information (XFF/src address) adding it in the http request event would be enough.

    when HTTP_REQUEST { 
     if {[HTTP::header X-Forwarded-For] != ""} then {
    persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0]
        } else {
    persist uie [IP::client_addr]
    }
    }

  • Are you sure ? for me , You can only add persistence records to the table when the server is selected,

    so in the response, you add a record to the table and in the request, you readit

  • I 'll tried to implement it as you proposed and will keep you informed about the result

     

    Jacques

  • Hi F5rocks

     

    I implemented it, and it seems working as expected.

    thanks very much for your help

     

    Jacques

    • spalande's avatar
      spalande
      Icon for Nacreous rankNacreous

      That's nice to hear. If you select this answer as best it would close this conversation. Thanks! ​