iRules Blocking Traffic

Question

I have an iRule that is suppose to only change an idle timer on certain traffic. However, when I enable it is seems to only allow the traffic defined the the iRule and no other connections can be made. Any help would be appreciated. Here is the Irule:&nbsp;
when HTTP_REQUEST {
if { [IP::addr [IP::client_addr] equals 172.17.101.60] or [IP::addr [IP::client_addr] equals 172.17.101.149] and ([HTTP::uri] equals "soaprod.corp.unifirst.com") }  { log local0. "original timeout: [IP::idle_timeout]"
IP::idle_timeout 10800
log local0. "updated timeout: [IP::idle_timeout]"
set serverside_idle_timeout 1
}
}
when SERVER_CONNECTED {
log local0. "original timeout: [IP::idle_timeout]"
if {$serverside_idle_timeout} {
IP::idle_timeout 10800
log local0. "updated timeout: [IP::idle_timeout]"
}
}&nbsp;

stanislas_piro2 · Answer

Hi,
the condition ([HTTP::uri] equals "soaprod.corp.unifirst.com") is wrong...
it must be ([HTTP::host] equals "soaprod.corp.unifirst.com")
do not create condition like : 
a or b and c

but 
(a or b) and c

kai_wilke · Answer

Hi UniFirst,&nbsp;
your iRule is almost identical with the provided example of: https://devcentral.f5.com/wiki/iRules.IP__idle_timeout.ashx&nbsp;
Stanislav already told you how to combine AND &amp; OR operators to chain multiple conditions in a single [if].&nbsp;
The connection reset you're experiencing may occour because the variable $serverside_idle_timeout is not alway set and therefor may break your connection. The provided example contains an additional [info exist] error handle within SERVER_CONNECTED event to check if the variable $serverside_idle_timeout is set right before accessing it. &nbsp;
Cheers, Kai&nbsp;

stanislas_piro2 · Answer

You did not set the serverside_idle_timeout to 0 as default value...
so it raise a tcl error...
2 solutions:
when HTTP_REQUEST {
    set serverside_idle_timeout 0
    if { ([IP::addr [IP::client_addr] equals 172.17.101.60] or [IP::addr [IP::client_addr] equals 172.17.101.149]) and ([HTTP::host] equals "soaprod.corp.unifirst.com") }  { log local0. "original timeout: [IP::idle_timeout]"
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
        set serverside_idle_timeout 1
    }
}
when SERVER_CONNECTED {
    log local0. "original timeout: [IP::idle_timeout]"
    if {$serverside_idle_timeout} {
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
    }
}

or
when HTTP_REQUEST {
    if { ([IP::addr [IP::client_addr] equals 172.17.101.60] or [IP::addr [IP::client_addr] equals 172.17.101.149]) and ([HTTP::host] equals "soaprod.corp.unifirst.com") }  { log local0. "original timeout: [IP::idle_timeout]"
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
        set serverside_idle_timeout 1
    }
}
when SERVER_CONNECTED {
    log local0. "original timeout: [IP::idle_timeout]"
    if {([info exists serverside_idle_timeout]) &amp;&amp; ($serverside_idle_timeout)} {
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
    }
}

unifirst1_22521 · Answer

Thank you all. I set an If info and all is good now. Thanks again to all.&nbsp;

Forum Discussion

iRules Blocking Traffic

4 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Block traffic

MS Exchange ProxyNotShell block implemented via iRules

iRule to log traffic details

TLS Fingerprinting JA3 iRule Application: Rate limit and block malicious traffic based on TLS signature

Getting Started with iRules: Directing Traffic