Jgawrych_43121
Nimbostratus
NimbostratusTCP reset when Multple irules applied
Hi all,
Here's my scenario. I have two functional requirements below.
1) if we enable a maintenance window by disabling all nodes in a pool or if all nodes in the pool are down for whatever reason, redirect end user browser to our maintenace site. (irule_MaintenancePageOnAllNodeFailure )
2) On a HTTP VServer, redirect all traffic to HTTPS (irule_HTTPtoHTTPsRedirect)
I have two I rules written for this (see below) and when I apply them individually and test they work perferectly as expected.
My problem is when I have both rules applied (irule_MaintenancePageOnAllNodeFailure is applied first and irule_HTTPtoHTTPsRedirect is second in the vertual server) AND I then disable all the nodes in the pool (going into maintenance period). What I'm expecting to have happen is for the end user browser to be redirected to my maintenance page.
What ends up happening is that the end user browser immediately comes back with 'The page cannot be displayed' in Internet Explored and 'The connection was reset' in Firefox.
I put a packet sniffer on this to finally figure out what was going on. Looking at the packet trace, the LTM does send a redirect to the browser client but also immediately sends a TCP reset to the browser client.
Also, Looking in the LTM logs I get the below error, which only shows up when I have the above scenario:
Fri Mar 28 12:12:57 PDT 2008 tmm tmm[929] 01220001 TCL error: Rule irule_HTTPtoHTTPsRedirect HTTP_REQUEST - Operation not supported. Multiple redirect/respond invocations not allowed line 1 invoked from within HTTP::respond 301 Location https://[getfield [HTTP::host] : 1][HTTP::uri]
Looking at the browser behavior, it looks like the browser reacts to the TCP reset and never attempts to process HTTP redirect and open a HTTP session to my maintenace page. So I need to figure out a way to meet my functional requirements without the LTM sending a TCP reset as part of the communications.
Looking at the LTM, it looks like in my particular test scenario the LTM is unhappy about something. (especially looking at the error in the LTM log). It appears to be processing the redirect, but then chokes when hitting the redirect to SSL irule.
- Can anyone offer any suggestions?
- Do I need to moodify my irules? Add an addional check in the rules? (I'm trying to leave them as generic as possible to allow reuse across multiple Vservers)
- Do I have a logic error in how I have the rules applied, or possibly I'm not understanding the processing logic for when multiple irules are in place?
Thanks in advance!
-John G
irule_MaintenancePageOnAllNodeFailure
Generic iRule to redirect all traffic when all nodes in a pool are down/disabled.
when HTTP_REQUEST {
if {[active_members [LB::server pool]] == 0} {
HTTP::redirect "http://maintenance.sitename.com/"
}
}
irule_HTTPtoHTTPsRedirect
Generic rule to redirect all traffic from HTTP to HTTPS.
Takes into account HOST & URI::basename
Taken from:
http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPToHTTPSRedirect_301.html
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[getfield [HTTP::host] : 1][HTTP::uri]"
}
