Cookie insert troubles

Question

I am trying to do cookie-insert persistence along with an iRule that sets the domain value for the cookie. Whenever I have all of the parts together on the virtual server (http profile, cookie persistence profile, iRule) I just get resets. I don't even get through to the site however if I strip all of these off I get to the site just fine. No combination of one or more of these settings work.

Not sure what is going on. Here is the code in the iRule I am using.

when HTTP_RESPONSE {

    Check if the persistence cookie exists in the response
   if {[HTTP::cookie exists "MS-WSMAN"]} {
       set the domain attribute on the persistence cookie
      HTTP::cookie domain "MS-WSMAN" "domain"
   }
}

Check if the persistence cookie exists in the response
   if {[HTTP::cookie exists "MS-WSMAN"]} {
       set the domain attribute on the persistence cookie
      HTTP::cookie domain "MS-WSMAN" "domain"
   }
}

chris_grant · Answer

Do you have an http profile on your virtual server?  You must have an HTTP profile to use an HTTP irule.  Also, if you take a packet capture with full noise, what is the listed reason for the resets?  It will be visible in wireshark as a plain text addendum to the packet.  To take a full noise capture:
tcpdump -s0 -i :nnn -w /var/tmp/.pcap
Note: edited to restore the formatting of the suggested capture string

stanislas_piro2 · Answer

Hi,&nbsp;
If you have tcp resets because of this irule, you may have tcl errors in /var/log/ltm file.&nbsp;

mbkosiba_310067 · Answer

Yeah I have the http profile on. I'm taking a look at running this capture now. I found that I only need the cookie insert persistence profile on with the name of the cookie I need and it inserts as desired so the iRule doesn't seem to be needed. I can get this working fine on port 80 but with port 443 I'm seeing the resets. I have the service certificate but it is looking like there is an issue with the certificate. I can take every setting off including the certificate making it a very plan VS - the site comes up but if I simply add the cert which is simple to do I'm getting resets.

chris_grant · Answer

I assume you are creating a new virtual server on port 443 with the certs?  If you are just adding the cert, then you would need to test with an explicit port (since the virtual server will be listening on port 80):
https://..:80/

mbkosiba_310067 · Answer

Yeah I have a VS for ports 80 and 443 however what I am seeing is this. If I put the cert for the application via an SSL profile on and the generic SSLServer profile on, connections get reset immediately. If I do the same thing but instead put the server-ssl-insecurecompatible profile on in place of the generic SSLServer profile on then all works fine. Taking a packet capture seems to suggest that between the client and the VS, traffic get's encrypted but between the VS and the web servers, the web servers are refusing to encrypt traffic and I can see data in plain text.

Forum Discussion

Cookie insert troubles

6 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Trouble applying GoDaddy certificate to a virtual server

Security Headers Insertion

Cookie-based DDoS protection

Decoding the IPv4 address from the persistence cookie

C3D and header insert