Forum Discussion

noje_224243's avatar
noje_224243
Icon for Nimbostratus rankNimbostratus
Apr 04, 2016
Solved

iRule rejects connections but there is no reject command

Hi all, We have a VS with several SSL sites. There is an iRule which looks like: when SERVER_CONNECTED { if { $doSSL == 1 }{ SSL::profile Server-profile1 } elseif { $doS...
devops
iRules
LTM
  • Vernon_97235's avatar
    Vernon_97235
    Apr 05, 2016

    Add a logging statement to the SERVER_CONNECTED event before the 

    if
    command to determine whether the exception is being raised from there. If so, place it in the 
    elseif
    clause before and after the 
    SSL::profile
    command the determine whether that is the cause. I suspect that BIG-IP doesn't want to connect the profile for one reason or another.

    Incidentally, in the SERVER_CONNECTED you can also use a 

    switch
    :

    when SERVER_CONNECTED {
    log local0. "-- In SERVER_CONNECTED --"
    switch $doSSL {
        "1" { SSL::profile Server-profile1 }
        "2" { SSL::profile Server-profile2 }
        ...
        "9" {
            log local0. "  -- doSSL == 9 --"
            SSL:profile Server-profile9
            log local0. "  -- after SSL::profile --"
        }
    }
}
Vernon_97235's avatar
Vernon_97235
Historic F5 Account
Apr 05, 2016

Add a logging statement to the SERVER_CONNECTED event before the 

if
command to determine whether the exception is being raised from there. If so, place it in the 
elseif
clause before and after the 
SSL::profile
command the determine whether that is the cause. I suspect that BIG-IP doesn't want to connect the profile for one reason or another.

Incidentally, in the SERVER_CONNECTED you can also use a 

switch
:

when SERVER_CONNECTED {
    log local0. "-- In SERVER_CONNECTED --"
    switch $doSSL {
        "1" { SSL::profile Server-profile1 }
        "2" { SSL::profile Server-profile2 }
        ...
        "9" {
            log local0. "  -- doSSL == 9 --"
            SSL:profile Server-profile9
            log local0. "  -- after SSL::profile --"
        }
    }
}
  • noje_224243's avatar
    noje_224243
    Icon for Nimbostratus rankNimbostratus
    Apr 05, 2016
    This was strange... I tried your log lines and nothing got logged, even for working sites. That made me think if the iRule was correctly updated in the config or not. I checked bigip.conf and everything was OK. So I made a copy of the iRule and replaced it in the VS. Now everything is working and logged. I really don't know what happened here, but something was wrong with that iRule internally. BTW thanks for the switch suggestion, it was on my To-Do list :-)