Forum Discussion
Scot_85536
Nimbostratus
Jul 31, 2009
Can't read cookie on F5 terminated SSL?
Hey everyone,
I've got a VIP that I can connect to via HTTP and HTTPS, with the BigIP terminating the SSL with a client SSL profile. Nothing set for the server SSL profile as I don't need to encrypt the last leg to the server. On that VIP I'm trying to read a cookie with an irule. I can successfully read it on http requests, but not on https requests. Am I missing something? As I understood, as long as the F5 is terminating the SSL connection I should be able to read the cookie.
I'm trying to do something simple until I get it working:
if { [HTTP::cookie exists "customcookie"] } {
    log "cookie customcookie value [HTTP::cookie customcookie]"
}
Thanks!
15 Replies
- Scot_85536
Nimbostratus
OK, after more examination that's not my problem. It is successfully reading the cookie. But I'm not sure what my problem is. Here's what I'm doing:
I'm using a custom cookie to do persistence override so our developers can do troubleshooting through the F5. This works well, but only when using http. When using https I get "Internet Explorer cannot display the webpage". I'm stuck.
- hoolio
Cirrostratus
The page cannot be displayed error is generally caused by a TCP reset being sent to the client. Do you see a TCL runtime error in /var/log/ltm? Can you post the iRule you're using? Have you added a client SSL and HTTP profile to the HTTPS virtual server?
Aaron
- Scot_85536
Nimbostratus
I don't see any errors in the LTM log. The SSL and HTTP profiles are there and working. I can connect and browse the site successfully when I let the load balancer select where to send my connection. The problem only comes when I try to override persistence and select where I want my connections to go. When I do that, it works fine with http. When I try https I don't even get the log entry that I've set in the irule to indicate an http response.
I've pasted my irule below. I have other things in there as well, but for completeness I thought I had better post the entire thing.
when HTTP_REQUEST {
    # sets the timer to return client to host URL
    set sectime 60
    # Use the Host header value for the responses if it's set. If not, use the VIP address.
    if { [string length [HTTP::host]] } {
        set host [HTTP::host]
        set errhost1 [HTTP::host]
        set errhost2 [HTTP::host]
    } else {
        set host [IP::local_addr]
        set errhost1 "site"
        set errhost2 "the site"
    }
    switch [HTTP::uri] {
        "/maintenance" {
            if { [active_members [LB::server pool]] > 0 } {
                HTTP::redirect http://$host
            } else {
                HTTP::respond 503 content "Maintenance page content=$sectime;url=http://$host>\
503 - Service temporarily unavailable\
We are performing routine maintenance designed to improve your $errhost1 experience. \
We will have $errhost2 up again as soon as possible.
\
You will be automatically redirected to $errhost2 when it becomes available.
" "Content-Type" "text/html"
                return
            }
            return
        }
        "/" {
            HTTP::redirect "http://$host"
            log "Redirect /"
            return
        }
        default {
            # If the pool is down, redirect to the maintenance page
            if { [active_members [LB::server pool]] == 0 } {
                log "Server pool 0 active members"
                HTTP::respond 200 content \
"
"
            }
        }
    }
    log "server pool value:[LB::server pool]"
    log "active members:[active_members [LB::server pool]]"
    if { [HTTP::cookie exists "F5NODEPERSIST"] } {
        log "cookie F5NODEPERSIST value [HTTP::cookie F5NODEPERSIST]"
        node [HTTP::cookie F5NODEPERSIST]
    }
    if { [HTTP::uri] contains "/F5SERVERSELECT" } {
        set backendip [getfield [HTTP::uri] "&" 2]
        set backendip [getfield $backendip "/" 1]
        log "cookie persistence set"
        HTTP::respond 200 content "Persistence cookie set until browser is closed or cookies are cleared" "Set-Cookie" "F5NODEPERSIST=$backendip; path=/"
        return
    }
    if { [TCP::local_port] == 80 } {
        HTTP::redirect https://$host[HTTP::uri]
        return
    }
}
when HTTP_RESPONSE {
    log "HTTP response sent"
    HTTP::header insert SOURCE_ADDRESS [IP::server_addr]
}
- hoolio
Cirrostratus
Can you also post the ltm log from a failure?
Thanks,
Aaron
- Scot_85536
Nimbostratus
There isn't anything in the log to indicate a failure. The only thing that appears in the LTM log is the log entries that I've explicitly put in the irule. Except for the last one in the HTTP_RESPONSE. That one never appears.
- Scot_85536
Nimbostratus
Let me restate that... there isn't anything appearing in the LTM log at all, except from the log entries in the irule.
- hoolio
Cirrostratus
I'm just having a hard time following the exact failure scenario. It would help to see the ltm logs to see what statements in the rule are being hit. Could you also add a log statement with the client IP:port and the requested URI at the beginning of the HTTP_REQUEST event?
It looks like you're just using the node command with an IP address. I think the port used would be the TCP port the client made the request to. If you hardcode the node port to 80 (or whatever the pool members are listening on), does it work?
Aaron
- hoolio
Cirrostratus
Also, if the client is including the node IP and port in the query string as a parameter value, you could get the value using [URI::query [HTTP::uri] "param_name"] where param_name is the name of the parameter. If you want to get the query string, you can use HTTP::query.
Aaron
- Scot_85536
Nimbostratus
OK, I put these log statements right under http_request event:
log "server pool value:[LB::server pool]"
log "client IP port:[TCP::local_port]"
log "active members:[active_members [LB::server pool] ]"
log "URI:[HTTP::uri]"
Here's the log it produced:
Aug 5 11:22:13 tmm tmm[1086]: 01220002:6: Rule RedirectTest : server pool value:Kronos-PTA
Aug 5 11:22:13 tmm tmm[1086]: 01220002:6: Rule RedirectTest : client IP port:443
Aug 5 11:22:13 tmm tmm[1086]: 01220002:6: Rule RedirectTest : active members:2
Aug 5 11:22:13 tmm tmm[1086]: 01220002:6: Rule RedirectTest : URI:/wfc/logon
Aug 5 11:22:13 tmm tmm[1086]: 01220002:6: Rule RedirectTest : cookie F5NODEPERSIST value 192.168.13.72
Thanks for your help Aaron.
- Scot_85536
Nimbostratus
I added several more logging statements scattered through the rest of the irule to see how far down in the http_request event it was getting, and it seems to be stopping processing of the irule in different places, but always in the first few lines of the http_request event. I'm lost... why would it stop processing the event part way through?
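As an added example (not the poster's rule and not F5's code), this is how the persistence override could be written along the lines hoolio suggests: pass the member port to node explicitly rather than inheriting the port the client connected to, and honour the cookie only when it names a known pool member, so an arbitrary cookie value cannot steer traffic to any address. The allow-list, the port 80, the `node` query parameter name and the static:: variables (v10+ syntax) are assumptions.

```tcl
when RULE_INIT {
    # Assumption (not from the thread): the members developers may pin to,
    # and the port those members actually listen on.
    set static::allowed_nodes [list "192.168.13.72" "192.168.13.73"]
    set static::node_port 80
}

when HTTP_REQUEST {
    # Developer asks to pin future requests to one member: /F5SERVERSELECT?node=<ip>
    if { [HTTP::path] eq "/F5SERVERSELECT" } {
        set wanted [URI::query [HTTP::uri] "node"]
        if { [lsearch -exact $static::allowed_nodes $wanted] < 0 } {
            log local0. "rejected node select '$wanted' from [IP::client_addr]"
            HTTP::respond 400 content "Unknown node" "Content-Type" "text/plain"
            return
        }
        # Keep the cookie away from scripts, and off plain HTTP when it was set over HTTPS.
        set flags "; path=/; HttpOnly"
        if { [TCP::local_port] == 443 } { append flags "; Secure" }
        HTTP::respond 200 content "Persistence set to $wanted until the browser is closed" \
            "Content-Type" "text/plain" "Set-Cookie" "F5NODEPERSIST=$wanted$flags"
        return
    }

    if { [HTTP::cookie exists "F5NODEPERSIST"] } {
        set wanted [HTTP::cookie "F5NODEPERSIST"]
        if { [lsearch -exact $static::allowed_nodes $wanted] >= 0 } {
            # node <ip> with no port would, as hoolio notes, use the port the client
            # connected to (443 on the HTTPS virtual); give the member's real port.
            log local0. "override [IP::client_addr] -> $wanted:$static::node_port"
            node $wanted $static::node_port
        } else {
            # Never let an unrecognised cookie value decide where traffic goes.
            log local0. "ignoring F5NODEPERSIST '$wanted' from [IP::client_addr]"
            HTTP::cookie remove "F5NODEPERSIST"
        }
    }
}
```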
