iRule TCL error - no such variable
Hey everyone!
I have a previous thread regarding an iRule used to exclude TLS 1.3 cipher suites and certain FQDNs and IP addresses. In that thread we managed to get the iRule fully functioning.
The complete iRule is posted in the comment below.
Now though, we are seeing the following in the LTM log:
err tmm[20996]: 01220001:3: TCL error: /SWG_Proxy/TLS_Exclusion_Clients_v2 - can't read "content": no such variable while executing "class match $content contains "DG_TLS_1_3_Hex_List""
I understand that the content variable, which is created by the following lines:
# Exclude tls 1.3 ciphers
binary scan [TCP::payload] H300 content
is for some reason not present on some occasions. First I thought it was because we matched the IP address against the Datagroup list DG_SWG_SSL_Passthrough_Clients_IP in the following part:
if { [class match [IP::local_addr] equals DG_SWG_SSL_Passthrough_Clients_IP] } {
    if {$static::tls_iR_debug and [IP::client_addr] equals $static::tls_iR_sourceIP} {log local0. "ir181017-1 - Client IP: {[IP::client_addr]} Server IP: {[IP::local_addr]} - Match DataGroup IP!!"}
    # If Destination IP address matches Data Group - turn off HTTP and SSL Profiles
} else {
    # Collect TCP DATA for SNI analysis in the CLIENT_DATA event
    if {$static::tls_iR_debug and [IP::client_addr] equals $static::tls_iR_sourceIP} {log local0. "ir181017-2 - Client IP: {[IP::client_addr]} Server IP: {[IP::local_addr]} - No Match DataGroup IP"}
    TCP::collect
Which should mean we do not run the TCP::collect command and this will cause the binary scan to fail? Or am I wrong about that?
I tried to replicate that by adding some IP addresses to the exclude list but the TCL error never shows. In fact, I have never been able to replicate the error message. I also tried to lower my SSL handshake down to SSLv3 but that did not trigger it either.
Do you guys have any idea?
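Added example, not part of the original post or the poster's iRule: in standard Tcl, `binary scan` leaves its variable untouched when the data is shorter than a fixed-count field requires, so `H300` (150 bytes) is one way `content` can be missing when fewer than 150 bytes have been collected. The script runs under plain tclsh with constructed byte strings standing in for `[TCP::payload]`; `payload_hex` is a hypothetical helper name.

```tcl
# Added example for tclsh; in an iRule the payload argument would be [TCP::payload].
# payload_hex is a hypothetical helper, not part of the poster's iRule.

# Return the first $nibbles hex digits of $payload, or as many as are
# available when the payload is shorter. The result is always defined.
proc payload_hex {payload {nibbles 300}} {
    # binary scan returns the number of variables it set. With a fixed
    # count (H300 = 150 bytes) and a shorter payload it returns 0 and
    # leaves the variable untouched.
    if {[binary scan $payload H$nibbles content] == 1} {
        return $content
    }
    # Fall back to whatever bytes arrived. H* always sets the variable,
    # giving an empty string for an empty payload.
    binary scan $payload H* content
    return $content
}

# Constructed sample data: a 5-byte TLS record header only (short segment)
set short [binary format H* 1603010200]
# and a 160-byte buffer standing in for a full ClientHello.
set full [binary format H* [string repeat 16 160]]

# Unguarded pattern from the post: no variable is created for short input,
# so a later "$content" raises: can't read "content": no such variable
set n [binary scan $short H300 content]
puts "short: conversions=$n, content exists=[info exists content]"

set n [binary scan $full H300 content]
puts "full:  conversions=$n, hex length=[string length $content]"

# Guarded pattern: the caller always gets a string it can pass to a match.
puts "guarded short: [payload_hex $short]"
puts "guarded full length: [string length [payload_hex $full]]"
```

In an iRule the same guard is a check on the return value of `binary scan` before `class match $content ...` is reached.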