Forum Discussion

Rene_Bader_1308
Jul 24, 2014

Issue with LTM profile http after upgrade to 11.5.1HF3

All,

 

after upgrading to TMOS 11.5.1 HF3 we're facing a lot of error messages like:

 

HTTP profile option passthrough.oversize_server_headers incompatible with proxy_type. (and)

 

http_process_state_prepend - Invalid action:0x109010 (Server side: vip=/Common/virtual_server profile=http pool=/Common/Pool_virtualserver server_ip=x.x.x.x) in the LTM logs.

 

In addition I have the problem that connections (in this case we're load balancing two proxy servers) were dropped, but only if they are SSL connections requiring user authentication on the proxy servers.

Standard HTTP sessions with/without authentication and SSL connections without authentication work as expected.

I already started to increase the max. HTTP header size but that didn't help.

 

At the end I had to remove the profile from the virtual server and everything is up and running now.

 

For the system:

 

We're only using LTM.

 

The LTM profile is:

 

ltm profile http /Common/http_proxy_xff {
    app-service none
    defaults-from /Common/http
    enforcement {
        max-header-size 35000
        unknown-method allow
    }
    insert-xforwarded-for enabled
    proxy-type reverse
}

 

How can I fix this issue as we would need the profile, esp. the XFF settings?

 

Thanks

 

René

 

14 Replies

  • I did put your HTTP profile on an 11.5.0 VE that I had and was not able to replicate your issue, so something associated with your traffic profile on that virtual could be the issue.

     

    Try turning off some of the features in the HTTP profile you have modified from defaults and see which one is triggering the issue. It would seem by the error that max-header-size might be it. You may need to raise an F5 Support case if you have a valid maintenance contract.

     

  • Even when using the default http profile the error occurs.

    I have now disabled the http profile and will open a support ticket.

     

    Thanks.

     

  • After upgrade to 11.5, I have a lot of http profile error messages on my old systems. This seems to be an upgrade problem, because I don't have this with my new systems with a fresh configuration.

     

    I noticed problems with iRules, too.

    I.e. small changes are not activated and the old iRule is still running. So, I will reset the old systems. But I have some new ones.

     

  • We're having exactly the same issue. Upgrade from 10.2.2 to 11.5.1 HF4, VIP with HTTP profile for load balancing forward proxy servers. Same error, same workaround (remove http profile) to mitigate the problem. We will open an F5 Support case for this, too.
  • The forward proxy authentication issue is Known Issue ID 451319. Check out this HP forum post:

     

    http://h10025.www1.hp.com/ewfrf/wc/document?docname=c04401463&cc=us&dlc=en&lc=en

     

    Working with F5, the following was reported:

    This issue has been reported in ID451319 (HTTP CONNECT request with 4xx response with body results in RST) for which a workaround has been provided. The fix should be in a 11.4.1 standard hotfix but I am not sure when the standard hotfix will be available. Since there is a workaround then the choice will be wait for the HotFix or apply the workaround.

    * Please note that some of the client requests are broken as they don't comply to RFC7231. F5 suspect failure for the clients to connect is due to the malformed host headers. All requests which are HTTP/1.0 are failing while those which are HTTP/1.1 are working. The host headers which are broken do not have a port number at the end. See extract from RFC below.

    http://tools.ietf.org/html/rfc7231#section-4.3.6

    4.3.6. CONNECT

    A client sending a CONNECT request MUST send the authority form of request-target (Section 5.3 of [RFC7230]); i.e., the request-target consists of only the host name and port number of the tunnel destination, separated by a colon. For example,

        CONNECT server.example.com:80 HTTP/1.1
        Host: server.example.com:80

    http://tools.ietf.org/html/rfc7230#section-6.3

    6.3. Persistence

    A proxy server MUST NOT maintain a persistent connection with an HTTP/1.0 client (see Section 19.7.1 of [RFC2068] for information and discussion of the problems with the Keep-Alive header field implemented by many HTTP/1.0 clients).

     

    WORKAROUND: While Engineering Services work on the HotFix, to avoid the connections getting reset when clients use the CONNECT method you could apply an iRule to disable HTTP on CONNECT for now:

        when HTTP_REQUEST {
            # Turn off HTTP processing for CONNECT requests only
            if { [HTTP::method] equals "CONNECT" } {
                HTTP::disable
            }
        }
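The reply above names three client-side conditions: a CONNECT request-target that is not host:port, a Host header without a port, and HTTP/1.0 clients. The following Python check is an added example, not part of the original post or F5's tooling; it flags those conditions in a raw request head so non-conforming clients can be identified. The function names and sample requests are constructed for illustration.

```python
import re

# authority-form: host ":" port (bracketed IPv6 literal allowed)
AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$")

def has_port(value):
    m = AUTHORITY.match(value)
    return bool(m) and 0 < int(m.group(2)) <= 65535

def check_connect(raw):
    """Return a list of findings for one request head (empty = nothing flagged)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, version = parts
    if method != "CONNECT":
        return []  # only CONNECT is relevant to the issue in this thread
    findings = []
    if not has_port(target):
        findings.append("request-target is not host:port")
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if any(not has_port(h) for h in hosts):
        findings.append("Host header has no port")
    if version == "HTTP/1.0":
        findings.append("HTTP/1.0 client")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "rfc_example": b"CONNECT server.example.com:80 HTTP/1.1\r\nHost: server.example.com:80\r\n\r\n",
    "old_client": b"CONNECT server.example.com:443 HTTP/1.0\r\nHost: server.example.com\r\n\r\n",
    "no_port_target": b"CONNECT server.example.com HTTP/1.1\r\nHost: server.example.com:443\r\n\r\n",
    "plain_get": b"GET / HTTP/1.1\r\nHost: server.example.com\r\n\r\n",
}

def audit(samples):
    """Map each sample name to its list of findings."""
    return {name: check_connect(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, findings or "ok")
```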

     

  • Hi,

     

    I have the same problem with the http profile. I upgraded from 11.4.1 to 11.5.1 HF7 and I get the following logs:

        Jan 20 15:12:10 LB-INT02 warning tmm1[9710]: 011f0012:4: HTTP profile option passthrough.excess_server_headers incompatible with proxy_type. Using default instead.
        Jan 20 15:12:10 LB-INT02 warning tmm[9710]: 011f0012:4: HTTP profile option passthrough.excess_server_headers incompatible with proxy_type. Using default instead.

    even if I create a new http profile with parent profile http. The new profile is with default configuration. When I assign the profile to a virtual server I get the following errors:

        Jan 20 15:12:10 LB-INT02 warning tmm1[9710]: 011f0012:4: HTTP profile option passthrough.excess_server_headers incompatible with proxy_type. Using default instead.
        Jan 20 15:12:10 LB-INT02 warning tmm[9710]: 011f0012:4: HTTP profile option passthrough.excess_server_headers incompatible with proxy_type. Using default instead.

     

        ltm profile http http-XFF {
            app-service none
            defaults-from http
            proxy-type reverse
        }

     

        ltm virtual Vega-Farm {
            description XXXX
            destination X.X.X.X:http
            ip-protocol tcp
            mask 255.255.255.255
            pool Vega-pool
            profiles {
                http-XFF { }
                tcp { }
            }
            rules {
                allow_specific_IP_traffic
            }
            source 0.0.0.0/0
            source-address-translation {
                pool vega-snat-pool
                type snat
            }
            vlans {
                Vlan_150
            }
            vlans-enabled
            vs-index 106
        }
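The two message types quoted in this thread carry different information: the 011f0012 warning names only a profile option, while the "Invalid action" message names the virtual server, profile and pool. This added Python example (not from the original posts) tallies both so the affected virtual servers can be listed; the syslog prefix on the third sample line and the fourth line are constructed, and the function name is an assumption.

```python
import re
from collections import Counter

# Sample built from the messages quoted in this thread. The timestamp, host
# and severity on line 3 and all of line 4 are constructed for the example.
SAMPLE_LOG = """\
Jan 20 15:12:10 LB-INT02 warning tmm1[9710]: 011f0012:4: HTTP profile option passthrough.excess_server_headers incompatible with proxy_type. Using default instead.
Jan 20 15:12:10 LB-INT02 warning tmm[9710]: 011f0012:4: HTTP profile option passthrough.excess_server_headers incompatible with proxy_type. Using default instead.
Jan 20 15:12:11 LB-INT02 err tmm1[9710]: http_process_state_prepend - Invalid action:0x109010 (Server side: vip=/Common/virtual_server profile=http pool=/Common/Pool_virtualserver server_ip=x.x.x.x)
Jan 20 15:12:12 LB-INT02 notice mcpd[5000]: unrelated line
"""

OPTION = re.compile(r"HTTP profile option (\S+) incompatible with proxy_type")
ACTION = re.compile(
    r"http_process_state_\w+ - Invalid action:(0x[0-9a-fA-F]+) \((\w+) side: (.*?)\)"
)

def triage(text):
    """Return (option_counts, vip_counts) for the HTTP profile messages in text.

    vip_counts is keyed by (vip, profile, side, action) so that each affected
    virtual server shows up once per distinct failure.
    """
    options, vips = Counter(), Counter()
    for line in text.splitlines():
        m = OPTION.search(line)
        if m:
            options[m.group(1)] += 1
            continue
        m = ACTION.search(line)
        if m:
            action, side, rest = m.groups()
            # Fields inside the parentheses are space-separated key=value pairs.
            fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
            key = (fields.get("vip", "?"), fields.get("profile", "?"), side, action)
            vips[key] += 1
    return options, vips

if __name__ == "__main__":
    opts, vips = triage(SAMPLE_LOG)
    for option, n in opts.items():
        print(f"{n:4d}  option warning  {option}")
    for (vip, profile, side, action), n in vips.items():
        print(f"{n:4d}  invalid action  {action} {side} side  vip={vip} profile={profile}")
```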

     

  • Hi,

     

    I had the same issue. There is a bug for it, but for some reason it wasn't published: bug ID 446887. The workaround is:

        tmsh modify sys db log.http.level value Error

     

    Regards,

     

    • Michael_Voight_
      Historic F5 Account
      That only stops the error message in the log. It doesn't fix the issue.
    • InnO

      "It will be solved in 12.x"

       

      Well, I am in 12.1 and I still have the issue with one of my apps... Had to disable the http profile to make things work.

       

      Thanks, Pascal.

       

  • Well, everything seems to be resolved in v12, I hope it will be a good release this time ;-)