Forum Discussion

tminfw2's avatar
tminfw2
Icon for Nimbostratus rankNimbostratus
Dec 26, 2014

APM profile with OCSP Authoring and Clientless mode configured, but need to reload page

Situation:

 

we have 2 F5 boxes lined after each other:

 

the first one handles APM, ASM and LTM

 

the second handles LTM (mainly used as a loadbalancer)

 

On the first box, we have a virtual server with an APM profile linked to it. In this APM profile, we request that clients send a certificate, which gets verified through OCSP. If allowed, then the client is forwarded to one of 2 virtual servers on the second box. (Handled by an irule)

 

The clients which will use this infrastructure can't handle redirects, so I have added an extra irule which puts this configuration into clientless mode. (Adding header clientless-mode)

 

However, when I try to access one of the 2 possibilities, I get a 404 page. Refreshing it (which also sends cookies I got in the first 404 reply) shows the page I request. Is there a way that I get to the page immediately without refreshing?

 

APM
application delivery
availability
LTM
security

8 Replies

Sort By
  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Dec 26, 2014

    what causes the 404? is the backend server expecting something that isn't send the first time?

     

    also how do you request the certificate, if it is needed you could also do it via the ssl client profile and perhaps inspect it in the apm policy.

     

  • tminfw2's avatar
    tminfw2
    Icon for Nimbostratus rankNimbostratus
    Dec 26, 2014

    As far as I know, the backend server doesn't expect something specific. (I only click the refresh button in my browser)

     

    What surprises me even more, is that when I access the other possibility, I never get a 404. Instead I get a 200 and the page I requested.

     

    In short:

     

    Irule that determines the destination:

     

    when HTTP_REQUEST {

     

    if { [HTTP::uri] starts_with "/xxx/" } {

     

    node IP_address_VS2 80

     

    } else {

     

    node IP_address_VS3 80

     

    }

     

    }

     

    when I have VS1 -> VS2, I get a 404. Refreshing gives me a 200 and the requested page

     

    when I have VS1 -> VS3, I get a 200 and the requested page

     

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Dec 26, 2014

    You could try to add some logging in your iRule just to verify where things are going and what the URI is. Then from the CLI (using PuTTY or some other SSH client and command 

    tail -f /var/log/ltm
    ), or the log section of the F5 admin site, and see what gets logged to verify you're getting the right routing. 

    when HTTP_REQUEST {
    log local0. "URI: [HTTP::uri]"

    if { [HTTP::uri] starts_with "/xxx/" } {
        log local0. "  Routing to IP_address_VS2"
        node IP_address_VS2 80
    } else {
        log local0. "  Routing to IP_address_VS3"
        node IP_address_VS3 80
    }
}

    you could also loop and log the cookies that exists for the request if those matter on the back end.

    log local0. "  Cookies:"
foreach cookie [HTTP::cookie names] {
     Log the cookie name and value
    log local0. "  $cookie: '[HTTP::cookie value $cookie]'"
}
  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Dec 27, 2014

    personally i don't see why virtual server routing would be the issue? you go to vs2 or vs3 and one causes the first time a 404, but not afterwards.

     

    i think the only cause of the 404 can be the backend server. so determine if this is case with tcpdump and check if there is a difference on the first and the second request.

     

    a nice test would also be to directly access the backend server, does it work fine on the first try then? check the difference between that request and the one through the BIG-IP.

     

  • tminfw2's avatar
    tminfw2
    Icon for Nimbostratus rankNimbostratus
    Dec 29, 2014

    Simultaneously, I created a support case at F5 for this problem. During the investigation, I have found something interesting. VS1 has snat activated. Using the SNAT address, and added logging in the irule I mentioned above, I checked the network captures and found this:

     

    the first time I make a request, I see the GET being delivered to VS3 instead of VS2. However, in my LTM logs, the irule I mentioned above logs that VS2 will be used. When I do a refresh, I see the GET package now being delivered correctly to VS2. It is as if the irule isn't executed correctly the first time, or the node command is not executed the first time the irule is called.

     

  • tminfw2's avatar
    tminfw2
    Icon for Nimbostratus rankNimbostratus
    Jan 08, 2015

    In the meantime, we have found a solution for this problem:

     

    there seems to be an issue with using an apm profile together with irules which use the node or pool command. Instead, I created now a forwarding policy in LTM which takes over the role of the irule. In this policy, I defined the forwarding to VS2/VS3 based on http-uri. (2 rules were created in the policy, 1 for each VS)

     

    Tested this with my browser and an external client. Both work ok now