LyonsG_85618
Nov 04, 2014Cirrostratus
HTTP::connect causing RST
After upgrading to v11.4.1 HF3 we are now seeing symptoms similar to the following:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c04401463&cc=us&dlc=en&lc=en
and it is a known bug:
ID451319 (HTTP CONNECT request with 4xx response with body results in RST)
This is fine in so much as traffic is working but now x-forwarded-for is not working for HTTPS traffic. I suspect this is due to the fact that the iRule does HTTP:disable and therefore the HTTP profile is rendered useless.
I have tried creating an iRule to insert x-forwarded-for again but this doesn't make any differnce:
when HTTP_REQUEST {
HTTP::header insert X-forwarded-for [IP::client_addr]
}
I have also created an iRule to drop 407 connections on HTTP::response:
when HTTP_RESPONSE {
switch -glob [HTTP::status] {
"407" {
HTTP::disable
}
}
}
But i still can't see IP address of clients on our proxy.
VIP config is:
ltm virtual /S1WGEL/VS_S1WG_USER01_EXTERNAL_LIVE_PROXYHTTP {
destination /S1WGEL/yyy.yyy.yyy.yyy:8080
ip-protocol tcp
mask 255.255.255.255
persist {
/S1WGEL/PROFILE_S1WG_USER01_EXTERNAL_LIVE_SOURCEADDRESS {
default yes
}
}
pool /S1WGEL/POOL_S1WG_USER01_EXTERNAL_LIVE_PROXYHTTP
profiles {
/Common/tcp { }
/S1WGEL/PROFILE_S1WG_USER01_EXTERNAL_LIVE_HTTP { }
}
rules {
/S1WGEL/irule-connect
}
security-log-profiles {
/S1WGEL/remote_splunk_logging
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
Pool config:
ltm pool /S1WGEL/POOL_S1WG_USER01_EXTERNAL_LIVE_PROXYHTTP {
load-balancing-mode predictive-member
members {
/S1WGEL/xxx.xxxx.xxxx.xxxx:8080 {
address xxxx.xxxx.xxxx.xxx
}
/S1WGEL/xxx.xxx.xxx.xxx:8080 {
address xxx.xxx.xxx.xxxx
}
}
We have rised a case with F5 and obviously this is fixed in version 11.6.0 but has anyone go tany ideas how we can get Client IP address sent to proxy?