Forum Discussion

John_Klemm_4418
Oct 30, 2006

Irule won't accept

01070585:3: Virtual server (XXX_REPEATERS_HTTP) cannot reference rule (_sys_auth_ssl_ocsp) more than once (check persistence, auth and rules).


Has anyone gotten this before?

4 Replies

  • Hi John,

    This looks more like a VIP configuration issue than an iRule issue. Can you run 'b list' from the command line or the GUI's console page and post the VIP and relevant rule configuration?

    Thanks,

    Aaron
  • mgmt xxx.xxx.33.174 {
        netmask 255.255.254.0
    }
    mgmt route default inet {
        gateway xxx.xxx.32.1
    }
    interface 1.11 {
        disable
    }
    interface 1.12 {
        disable
    }
    interface 1.13 {
        disable
    }
    interface 1.14 {
        disable
    }
    interface 1.15 {
        disable
    }
    interface 2.1 {
        disable
    }
    interface 2.2 {
        disable
    }
    vlan Internal_Vlan {
        tag 4093
        interfaces 1.1 1.10 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9
    }
    vlan External_Vlan {
        tag 4094
        interfaces 1.16
    }
    vlangroup Bridge_Group {
        tag 4092
        member External_Vlan Internal_Vlan
    }
    stp {
    }
    stp instance 0 {
        vlan External_Vlan
        vlan Internal_Vlan
        interface 1.1 external path cost 200000 internal path cost 200000
        interface 1.10 external path cost 200000 internal path cost 200000
        interface 1.16 external path cost 200000 internal path cost 200000
        interface 1.2 external path cost 200000 internal path cost 200000
        interface 1.3 external path cost 200000 internal path cost 200000
        interface 1.4 external path cost 200000 internal path cost 200000
        interface 1.5 external path cost 200000 internal path cost 200000
        interface 1.6 external path cost 200000 internal path cost 200000
        interface 1.7 external path cost 200000 internal path cost 200000
        interface 1.8 external path cost 200000 internal path cost 200000
        interface 1.9 external path cost 200000 internal path cost 200000
    }
    self allow { default tcp ssh tcp domain tcp https tcp snmp tcp 4353 udp domain udp snmp udp efs udp 4353 proto ospf }
    self xxx.xxx.145.17 {
        netmask 255.255.255.0
        vlan Bridge_Group
        allow default
    }

    I just installed the Authentication module and cannot seem to get the iRule to attach to the VIP. Like I said before, the error points me back to authorization or persistence. Any help is welcomed. This VIP is for OCSP responders. I just cannot get the rule to attach.

    Here is the iRule, very generic:

    when CLIENT_ACCEPTED {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }
    when CLIENTSSL_CLIENTCERT {
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
    }
    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
        }
    }
    when AUTH_FAILURE {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }
    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }
    when AUTH_ERROR {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }

  • Here is the rest of the config. The repeaters pool is the one in reference to the iRule.

    route default inet {
        gateway xxx.xxx.145.1
    }
    node * monitor icmp
    ocsp responder my_ocsp_responders_ {
        url "ocsp.my.mil"
    }
    auth ssl ocsp ocsp_responders {
        responder my_ocsp_responders_
    }
    profile auth ssl_ocsp {
        config ocsp_responders
        type ssl ocsp
        mode enable
        credential source http basic auth
        rule _sys_auth_ssl_ocsp
        idle timeout 300
    }
    pool my_REPEATERS_POOL {
        monitor all http
        member xxx.xxx.145.246:http
        member xxx.xxx.145.247:http
        member xxx.xxx.145.248:http
        member xxx.xxx.145.249:http
    }
    pool my.mil_pool {
        monitor all min 1 of http gateway_icmp
        member xxx.xxx.145.30:http
        member xxx.xxx.145.31:http
    }
    rule redirect_rule {
        when HTTP_REQUEST {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        }
    }
    virtual address xxx.xxx.145.246 {
    }
    virtual my_REPEATERS_HTTP {
        destination xxx.xxx.145.240:http
        ip protocol tcp
        profile clientssl http tcp
        auth ssl_ocsp
        pool my_REPEATERS_POOL
    }
    virtual vs_my.mil {
        destination xxx.xxx.145.29:http
        ip protocol tcp
        pool my.mil_pool
    }

  • Hi,

    The ssl_ocsp authentication profile already references the _sys_auth_ssl_ocsp rule. So once you add the auth profile to the VIP, you shouldn't need to (and in fact you can't) add the same rule to the VIP.

    If you're having problems with the rule, try posting again. If you're having problems with the authentication, you might want to contact support.

    Aaron
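As an added illustration that is not part of the original thread: the rejected and the accepted form of the virtual server side by side, written in the same bigpipe configuration syntax the posters use. The object names are taken from the posted config; the two `b ... list` commands at the end are assumed to be the bigpipe commands for viewing those objects and are not quoted from the thread.

```text
# Rejected form. The ssl_ocsp auth profile already carries
# "rule _sys_auth_ssl_ocsp", so naming the rule again on the virtual is a
# second reference to the same rule, and the load is refused with
# 01070585:3 ... cannot reference rule (_sys_auth_ssl_ocsp) more than once.
virtual my_REPEATERS_HTTP {
    destination xxx.xxx.145.240:http
    ip protocol tcp
    profile clientssl http tcp
    auth ssl_ocsp
    rule _sys_auth_ssl_ocsp
    pool my_REPEATERS_POOL
}

# Accepted form. Attach only the auth profile; its own "rule" line pulls in
# _sys_auth_ssl_ocsp. As the iRule posted above shows, that rule holds the
# SSL handshake until the OCSP responder answers and rejects the connection
# on AUTH_FAILURE, AUTH_ERROR and AUTH_WANTCREDENTIAL, so an unreachable or
# erroring responder fails closed rather than letting the client through.
virtual my_REPEATERS_HTTP {
    destination xxx.xxx.145.240:http
    ip protocol tcp
    profile clientssl http tcp
    auth ssl_ocsp
    pool my_REPEATERS_POOL
}

# To confirm where the rule is referenced before editing the virtual
# (assumed bigpipe syntax):
#   b profile auth ssl_ocsp list
#   b virtual my_REPEATERS_HTTP list
```

The check matters because the profile, not the virtual, is the single place the rule should appear: removing the rule from the profile and adding it to the virtual instead would also load, but the profile is what ties the rule to the OCSP responder configuration, so keeping the reference there is the intended layout.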