Forum Discussion

LyonsG_85618
Nov 04, 2014

HTTP::connect causing RST

After upgrading to v11.4.1 HF3 we are now seeing symptoms similar to the following:

http://h10025.www1.hp.com/ewfrf/wc/document?docname=c04401463&cc=us&dlc=en&lc=en

and it is a known bug:

ID451319 (HTTP CONNECT request with 4xx response with body results in RST) 

This is fine insofar as traffic is working, but now x-forwarded-for is not working for HTTPS traffic. I suspect this is due to the fact that the iRule does HTTP::disable and therefore the HTTP profile is rendered useless.

I have tried creating an iRule to insert x-forwarded-for again, but this doesn't make any difference:

    when HTTP_REQUEST {
        HTTP::header insert X-forwarded-for [IP::client_addr] 
    }

I have also created an iRule to drop 407 connections on HTTP::response:

    when HTTP_RESPONSE {
        switch -glob [HTTP::status] {
            "407" {
                HTTP::disable
            }
        }
    }

But I still can't see the IP address of clients on our proxy.

VIP config is:

    ltm virtual /S1WGEL/VS_S1WG_USER01_EXTERNAL_LIVE_PROXYHTTP {
        destination /S1WGEL/yyy.yyy.yyy.yyy:8080
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            /S1WGEL/PROFILE_S1WG_USER01_EXTERNAL_LIVE_SOURCEADDRESS {
                default yes
            }
        }
        pool /S1WGEL/POOL_S1WG_USER01_EXTERNAL_LIVE_PROXYHTTP
        profiles {
            /Common/tcp { }
            /S1WGEL/PROFILE_S1WG_USER01_EXTERNAL_LIVE_HTTP { }
        }
        rules {
            /S1WGEL/irule-connect
        }
        security-log-profiles {
            /S1WGEL/remote_splunk_logging
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

Pool config:

    ltm pool /S1WGEL/POOL_S1WG_USER01_EXTERNAL_LIVE_PROXYHTTP {
        load-balancing-mode predictive-member
        members {
            /S1WGEL/xxx.xxxx.xxxx.xxxx:8080 {
                address xxxx.xxxx.xxxx.xxx
            }
            /S1WGEL/xxx.xxx.xxx.xxx:8080 {
                address xxx.xxx.xxx.xxxx
            }
        }
    }

We have raised a case with F5 and obviously this is fixed in version 11.6.0, but has anyone got any ideas how we can get the client IP address sent to the proxy?

8 Replies

  • Nitass - F5 are working on a HotFix but I was hoping to get a quick workaround.
  • I mean engineering hotfix (not cumulative/rollup hotfix). I think it exists and Support may be able to provide you. By the way, can you post the irule-connect iRule? Is it something like this?

        when HTTP_REQUEST {
            HTTP::header insert X-forwarded-for [IP::client_addr]
            if { [HTTP::method] equals "CONNECT" } {
                HTTP::disable
            }
        }

  • Nitass - it is an engineering hotfix I think they are working on. The iRule I tried was:

        when HTTP_REQUEST {
            if { [HTTP::method] equals "CONNECT" } {
                HTTP::disable
            }
        }

    I did also create one exactly like the one you posted. That still didn't work.
  • I do see the X-forwarded-for header in my lab.

    configuration

        root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
        ltm virtual bar {
            destination 172.28.24.10:8080
            ip-protocol tcp
            mask 255.255.255.255
            pool foo
            profiles {
                http { }
                tcp { }
            }
            rules {
                qux
            }
            source 0.0.0.0/0
            source-address-translation {
                type automap
            }
            vs-index 3
        }
        root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
        ltm pool foo {
            members {
                172.28.24.1:3128 {
                    address 172.28.24.1
                }
            }
        }
        root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
        ltm rule qux {
            when HTTP_REQUEST {
                log local0. "[IP::client_addr]:[TCP::client_port]"
                HTTP::header insert X-forwarded-for [IP::client_addr]
                if { [HTTP::method] equals "CONNECT" } {
                    HTTP::disable
                }
            }
            when HTTP_RESPONSE {
                log local0. "[IP::client_addr]:[TCP::client_port]"
            }
        }

    log

        [root@ve11a:Active:In Sync] config tail /var/log/ltm
        Nov  4 09:38:17 ve11a notice tmm[14741]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:38756
        Nov  4 09:38:17 ve11a notice tmm1[14741]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:38756
        Nov  4 09:38:24 ve11a info tmm1[14741]: Rule /Common/qux : 192.168.207.28:58515
        Nov  4 09:38:24 ve11a info tmm[14741]: Rule /Common/qux : 192.168.207.28:58516
        Nov  4 09:38:27 ve11a notice tmm[14741]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:38756
        Nov  4 09:38:27 ve11a notice tmm1[14741]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:38756

    trace

        [root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 8080 or port 3128
        New TCP connection 1: 192.168.207.28(58515) <-> 172.28.24.10(8080)
        1415122704.4962 (0.0047)  C>S
        ---------------------------------------------------------------
        CONNECT www.google.com.sg:443 HTTP/1.0
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; .NET4.0E)
        Proxy-Connection: Keep-Alive
        Content-Length: 0
        Host: www.google.com.sg
        Pragma: no-cache
        ---------------------------------------------------------------
        New TCP connection 2: 172.28.24.14(58515) <-> 172.28.24.1(3128)
        1415122704.4976 (0.0012)  C>S
        ---------------------------------------------------------------
        CONNECT www.google.com.sg:443 HTTP/1.0
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; .NET4.0E)
        Proxy-Connection: Keep-Alive
        Content-Length: 0
        Host: www.google.com.sg
        Pragma: no-cache
        X-forwarded-for: 192.168.207.28
        ---------------------------------------------------------------

    By the way, I do not see that you requested an engineering hotfix in C1687799. If I am not wrong, there are existing engineering hotfixes on top of 11.4.1 HF3 and 11.4.1 HF4. You may check with a support engineer. It may be faster than troubleshooting (X-forwarded-for).
    • LyonsG_85618
      Thanks. It's not an Apache server. It's a McAfee device.
  • Thanks Nitass. Is C1687799 the F5 reference? (I go via a 3rd party so don't normally see this.) I was aware there were other HotFixes available but my understanding is that ID451319 is only fixed in 11.6.0? I'll do some more testing on this and feed back today. p.s. apologies for not responding yesterday - we had a serious incident and I was in the office for 22 hours!
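As an added example (not code from the thread or from F5), a small Python checker for `ssldump -A` output in the shape of Nitass's trace above: it collects the client addresses of CONNECT requests seen on the VIP side and reports any CONNECT on the pool side whose X-Forwarded-For is missing or does not name one of those clients, which is the check the thread is doing by eye. The sample trace is constructed from the addresses in the thread with the header list trimmed; telling the two sides apart by destination port (8080 vs 3128) is an assumption of this example.

```python
import re

# Constructed sample shaped like the ssldump -A trace in the thread (headers trimmed).
SAMPLE_TRACE = """\
New TCP connection 1: 192.168.207.28(58515) <-> 172.28.24.10(8080)
---------------------------------------------------------------
CONNECT www.google.com.sg:443 HTTP/1.0
---------------------------------------------------------------
New TCP connection 2: 172.28.24.14(58515) <-> 172.28.24.1(3128)
---------------------------------------------------------------
CONNECT www.google.com.sg:443 HTTP/1.0
Host: www.google.com.sg
X-forwarded-for: 192.168.207.28
---------------------------------------------------------------
"""

CONN_RE = re.compile(r"^New TCP connection \d+: (\S+)\((\d+)\) <-> (\S+)\((\d+)\)$")

def parse_trace(text):
    """Split ssldump-style text into connections: src, dst, dport, request line, headers."""
    conns, cur, in_block = [], None, False
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(3), "dport": int(m.group(4)),
                   "request": None, "headers": {}}
            conns.append(cur)
        elif line.startswith("-----"):
            in_block = not in_block            # dashed lines bracket each C>S / S>C block
        elif cur and in_block:
            if cur["request"] is None:
                cur["request"] = line          # first line of a block is the request line
            elif ":" in line:
                name, value = line.split(":", 1)
                cur["headers"][name.strip().lower()] = value.strip()
    return conns

def xff_check(text, vip_port, pool_port):
    """Return problems for pool-side CONNECTs lacking XFF or carrying an XFF not seen as a client on the VIP."""
    conns = parse_trace(text)
    is_connect = lambda c: (c["request"] or "").startswith("CONNECT ")
    clients = {c["src"] for c in conns if c["dport"] == vip_port and is_connect(c)}
    problems = []
    for c in (c for c in conns if c["dport"] == pool_port and is_connect(c)):
        xff = c["headers"].get("x-forwarded-for")
        if xff is None:
            problems.append(f"{c['src']} -> {c['dst']}: CONNECT without X-Forwarded-For")
        elif xff not in clients:
            problems.append(f"{c['src']} -> {c['dst']}: X-Forwarded-For {xff} not seen on VIP")
    return problems
```

Run it against a real capture by replacing `SAMPLE_TRACE` with the ssldump output and the two ports with the VIP and pool member ports in use.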