John_Klemm_4418
Oct 30, 2006, Nimbostratus
iRule won't accept
01070585:3: Virtual server (XXX_REPEATERS_HTTP) cannot reference rule (_sys_auth_ssl_ocsp) more than once (check persistence, auth and rules).
Has anyone gotten this before?
This looks more like a VIP configuration issue than an iRule issue. Can you run 'b list' from the command line or the GUI's console page and post the VIP and relevant rule configuration?
Thanks,
Aaron
netmask 255.255.254.0
}
mgmt route default inet {
gateway xxx.xxx.32.1
}
interface 1.11 {
disable
}
interface 1.12 {
disable
}
interface 1.13 {
disable
}
interface 1.14 {
disable
}
interface 1.15 {
disable
}
interface 2.1 {
disable
}
interface 2.2 {
disable
}
vlan Internal_Vlan {
tag 4093
interfaces 1.1 1.10 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9
}
vlan External_Vlan {
tag 4094
interfaces 1.16
}
vlangroup Bridge_Group {
tag 4092
member External_Vlan Internal_Vlan
}
stp {
}
stp instance 0 {
vlan External_Vlan
vlan Internal_Vlan
interface 1.1 external path cost 200000 internal path cost 200000
interface 1.10 external path cost 200000 internal path cost 200000
interface 1.16 external path cost 200000 internal path cost 200000
interface 1.2 external path cost 200000 internal path cost 200000
interface 1.3 external path cost 200000 internal path cost 200000
interface 1.4 external path cost 200000 internal path cost 200000
interface 1.5 external path cost 200000 internal path cost 200000
interface 1.6 external path cost 200000 internal path cost 200000
interface 1.7 external path cost 200000 internal path cost 200000
interface 1.8 external path cost 200000 internal path cost 200000
interface 1.9 external path cost 200000 internal path cost 200000
}
self allow { default tcp ssh tcp domain tcp https tcp snmp tcp 4353 udp domain udp snmp udp efs udp 4353 proto ospf }
self xxx.xxx.145.17 {
netmask 255.255.255.0
vlan Bridge_Group
allow default
}
I just installed the Authentication module and cannot seem to get the iRule to attach to the VIP. Like I said before, the error points me back to authorization or persistence. Any help is welcome. This VIP is for OCSP responders. I just cannot get the rule to attach.
Here is the iRule; it's very generic:
when CLIENT_ACCEPTED {
    # Open a PAM auth session against the default_ssl_ocsp service and keep its id
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
}
when CLIENTSSL_CLIENTCERT {
    # Hand the client cert and its issuer to the session, kick off the OCSP check,
    # and pause the SSL handshake until the responder answers
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}
when AUTH_SUCCESS {
    # Only act on the result of this connection's own session
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        SSL::handshake resume
    }
}
when AUTH_FAILURE {
    # Revoked or unverifiable cert: drop the connection
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        reject
    }
}
when AUTH_WANTCREDENTIAL {
    # The responder asked for more credentials than a cert check can give
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        reject
    }
}
when AUTH_ERROR {
    # Responder unreachable or malformed reply: fail closed
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        reject
    }
}
route default inet {
gateway xxx.xxx.145.1
}
node * monitor icmp
ocsp responder my_ocsp_responders_ {
url "ocsp.my.mil"
}
auth ssl ocsp ocsp_responders {
responder my_ocsp_responders_
}
profile auth ssl_ocsp {
config ocsp_responders
type ssl ocsp
mode enable
credential source http basic auth
rule _sys_auth_ssl_ocsp
idle timeout 300
}
pool my_REPEATERS_POOL {
monitor all http
member xxx.xxx.145.246:http
member xxx.xxx.145.247:http
member xxx.xxx.145.248:http
member xxx.xxx.145.249:http
}
pool my.mil_pool {
monitor all min 1 of http gateway_icmp
member xxx.xxx.145.30:http
member xxx.xxx.145.31:http
}
rule redirect_rule {
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
}
virtual address xxx.xxx.145.246 {
}
virtual my_REPEATERS_HTTP {
destination xxx.xxx.145.240:http
ip protocol tcp
profile clientssl http tcp
auth ssl_ocsp
pool my_REPEATERS_POOL
}
virtual vs_my.mil {
destination xxx.xxx.145.29:http
ip protocol tcp
pool my.mil_pool
}
The ssl_ocsp authentication profile already references the _sys_auth_ssl_ocsp rule. So once you add the auth profile to the VIP, you shouldn't need to (and in fact you can't) add the same rule to the VIP.
If you're having problems with the rule, try posting again. If you're having problems with the authentication, you might want to contact support.
Aaron
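A small check for the situation Aaron describes, added here as an example and not part of this thread or of F5's own tooling: it parses bigpipe-style stanzas and flags any virtual that lists a rule explicitly while also pulling the same rule in through an auth profile. The sample config is constructed, and accepting both a `rule` and a `rules` keyword is an assumption about syntax variants.

```python
import re
# Constructed sample in bigpipe (bigip.conf) syntax modelled on the thread:
# the auth profile carries the rule and the virtual lists it a second time.
SAMPLE_CONF = """
profile auth ssl_ocsp {
   type ssl ocsp
   rule _sys_auth_ssl_ocsp
}
virtual my_REPEATERS_HTTP {
   auth ssl_ocsp
   rule _sys_auth_ssl_ocsp
   pool my_REPEATERS_POOL
}
"""
def parse_blocks(conf):
    """Map (kind, name) -> body lines of top-level 'profile auth' / 'virtual' stanzas."""
    blocks, key, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        m = None if key else re.match(r'^(profile auth|virtual)\s+(\S+)\s*\{$', line)
        if m:                                   # stanza header found
            key, depth = (m.group(1), m.group(2)), 1
            blocks[key] = []
        elif key and line.endswith('{'):        # nested sub-block: skip its body
            depth += 1
        elif key and line == '}':
            depth -= 1
            key = key if depth else None
        elif key and depth == 1 and line:
            blocks[key].append(line)
    return blocks
def duplicate_rule_refs(conf):
    """Return {virtual: [rules]} attached both explicitly and via an auth profile
    ('rule' and 'rules' keywords both accepted: an assumption about bigpipe variants)."""
    blocks = parse_blocks(conf)
    via_profile = {name: {w for l in body if l.split()[0] in ('rule', 'rules')
                          for w in l.split()[1:]}
                   for (kind, name), body in blocks.items() if kind == 'profile auth'}
    findings = {}
    for (kind, name), body in blocks.items():
        explicit, implied = set(), set()
        for words in map(str.split, body if kind == 'virtual' else ()):
            if words[0] in ('rule', 'rules'):
                explicit.update(words[1:])
            elif words[0] == 'auth':            # rules the auth profile already brings
                for prof in words[1:]:
                    implied |= via_profile.get(prof, set())
        if explicit & implied:
            findings[name] = sorted(explicit & implied)
    return findings
```

Running `duplicate_rule_refs(SAMPLE_CONF)` reports the virtual and the rule that would trip error 01070585; removing the explicit `rule` line from the virtual clears the finding.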