- Out of bounds (line 1) - randomly in ltm log file

Question

Hey All, 
&nbsp;  
&nbsp; I am wondering if someone has any idea of what I am seeing in our logs after adding a new iRule to remove the X-Forwarded-For header and re-insert it. 
&nbsp;  
&nbsp; The error, which is generated at random: 
&nbsp;  
&nbsp; Aug 30 00:00:39 tmm5 err tmm5[11045]: 01220001:3: TCL error: /Common/shared/x_forwarded_for  - Out of bounds (line 1)     invoked from within "HTTP::header remove "X-Forwarded-For"" 
&nbsp; Aug 30 00:00:40 tmm err tmm[11040]: 01220001:3: TCL error: /Common/shared/x_forwarded_for  - Out of bounds (line 1)     invoked from within "HTTP::header remove "X-Forwarded-For"" 
&nbsp; Aug 30 00:00:48 tmm3 err tmm3[11043]: 01220001:3: TCL error: /Common/shared/x_forwarded_for  - Out of bounds (line 1)     invoked from within "HTTP::header remove "X-Forwarded-For"" 
&nbsp;  
&nbsp; The 'x_forwarded_for' iRule is the only iRule associated to the HTTP (80) virtual-server, and on the HTTPS (443) virtual-server there are two iRules in this order 1. 'https_proto_header', and 2. 'x_forwarded_for'. I have a feeling the error is getting generated by the HTTPS (443) virtual-servers but I am unsure. 
&nbsp;  
&nbsp; Below are the iRules: 
&nbsp;  
&nbsp; ltm rule https_proto_header { 
&nbsp;     when HTTP_REQUEST { 
&nbsp;             HTTP::header remove "X-Forwarded-Proto" 
&nbsp;             HTTP::header insert "X-Forwarded-Proto" "https" 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp; ltm rule x_forwarded_for { 
&nbsp;     when HTTP_REQUEST { 
&nbsp;      HTTP::header remove "X-Forwarded-For" 
&nbsp;      HTTP::header insert "X-Forwarded-For" [IP::client_addr] 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Matt

hooleylist · Answer

Hi Matt, 
&nbsp;  
&nbsp; Do you have RAM cache or WAM enabled on either virtual server?  I think the error is due to a conflict with one of those two features. 
&nbsp;  
&nbsp; Aaron

mbyerly_59620 · Answer

No RAM cache or WAM.      
          
     Could it be some sort of issue between having 'XFF' enabled in the HTTP Profile as well as the iRule to scrub the HTTP header and re-insert it?     
          
     Here is a snippet of the virtual-servers (80 &amp; 443) as well as the HTTP Profile.     
          
     80/443 virtual-servers:

ltm virtual xxxx-production-xxxx-1.2.3.4-tcp-80-vs {  
      destination 1.2.3.4:http  
      ip-protocol tcp  
      mask 255.255.255.255  
      partition xxxx  
      pool xxxx-production-xxxx-pool  
      profiles {  
          /Common/shared/http-xxxx-optimized { }  
          /Common/shared/tcp-xxxx-optimized { }  
      }  
      rules {  
          /Common/shared/x_forwarded_for  
      }  
      snatpool /Common/shared/internal-snat  
      vlans-disabled  
  }  
  ltm virtual xxxx-production-xxxx-1.2.3.4-tcp-443-vs {  
      destination 1.2.3.4:https  
      ip-protocol tcp  
      mask 255.255.255.255  
      partition xxxx  
      pool xxxx-production-xxxx-pool  
      profiles {  
          /Common/shared/http-xxxx-optimized { }  
          /Common/shared/tcp-xxxx-optimized { }  
          wildcard.xxxx.bogus.com-clientssl {  
              context clientside  
          }  
      }  
      rules {  
          /Common/shared/https_proto_header  
          /Common/shared/x_forwarded_for  
      }  
      snatpool /Common/shared/internal-snat  
      vlans-disabled

ltm profile http http-xxxx-optimized { 
     adaptive-parsing enabled 
     app-service none 
     basic-auth-realm none 
     defaults-from /Common/http 
     description none 
     encrypt-cookie-secret none 
     encrypt-cookies none 
     fallback-host none 
     fallback-status-codes none 
     header-erase none 
     header-insert none 
     insert-xforwarded-for enabled 
     lws-separator none 
     lws-width 80 
     max-header-count 64 
     max-header-size 65536 
     max-requests 0 
     oneconnect-transformations disabled 
     partition Common 
     pipelining enabled 
     redirect-rewrite none 
     request-chunking preserve 
     response-chunking selective 
     response-headers-permitted none 
     security disabled 
     via-host-name none 
     via-request preserve 
     via-response preserve 
 }

hooleylist · Answer

I don't think there should be any conflict between the HTTP profile and iRule doing header insert/removals.  I did some quick searching but didn't see any related info internally.   
&nbsp;  
&nbsp; Could you open a case with F5 Support on this?  If you do, can you reply back with what you find out? 
&nbsp;  
&nbsp; Thanks, Aaron

mbyerly_59620 · Answer

Will do. 
&nbsp;  
&nbsp; Thanks Hoolio. 
&nbsp;  
&nbsp; Matt

Forum Discussion

<HTTP_REQUEST> - Out of bounds (line 1) - randomly in ltm log file

4 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

<http_request> - ERR_NOT_SUPPORTED (line 2) invoked from within "HTTP::query"</http_request>

<HTTP_REQUEST > abort for requests in F5

Remote looging : TCL error: /Common/irules_myirule <http_request> - Traffic rejected</http_request>

With Clouds Everywhere, It Is Bound to Rain

<HTTP_REQUEST> - ERR_BOUNDS (line 1) invoked from within "HTTP::path -normalized"