Forum Discussion

aefting
May 07, 2019

Using iRules with DTLS

Per F5 support, I've implemented DTLS for our Network Access APM VPN connections. The problem is that I have an iRule that evidently needs an HTTP profile to work, and I don't have that available in my DTLS virtual server. Here is the error I'm getting:

01071912:3: ACCESS::restrict_irule_events in rule (/Common/EmoryLogging) requires an associated ACCESS profile on the virtual-server (/Common/EmoryVPN_DTLS_vs).

Any ideas on how to fix this? I'll post my iRule below.


2 Replies

  • Hi,


    I see your post is 4 months old and I am trying to find a solution to this issue as well.

    Have you found a solution or are you still looking for one?


  • Here is my iRule:

    when CLIENT_ACCEPTED {
        # This is required to allow the HTTP_REQUEST event to key off of the APM internal URI
        ACCESS::restrict_irule_events disable
    }

    when ACCESS_POLICY_COMPLETED {
        # After the VPE policy is completed, check if the user has been denied. A session variable
        # "session.custom.denyreason" is set in the VPE to provide an error code for logging purposes.
        # Note that ACCESS::policy result isn't evaluated in the ACCESS_SESSION_CLOSED event. Placing
        # the logging here removes the need to create a new session variable containing the result.
        if { [ACCESS::policy result] equals "deny" } {
            # Each lookup is wrapped in catch so a missing session variable does not abort the rule
            catch {set starttime [ACCESS::session data get "session.user.starttime"]}
            catch {set userip [ACCESS::session data get "session.user.clientip"]}
            catch {set username [ACCESS::session data get "session.logon.last.username"]}
            catch {set sessionid [ACCESS::session data get "session.user.sessionid"]}
            catch {set assignedip [ACCESS::session data get "session.assigned.clientip"]}
            catch {set assignedresources [ACCESS::session data get "session.assigned.na.current"]}
            catch {set geolocationcountry [ACCESS::session data get "session.user.ipgeolocation.country_name"]}
            catch {set platform [ACCESS::session data get "session.client.platform"]}
            catch {set avstatus [ACCESS::session data get "AVcheckFailed"]}
            catch {set fwstatus [ACCESS::session data get "FWcheckFailed"]}
            catch {set browser [ACCESS::session data get "session.client.type"]}
            catch {set version [ACCESS::session data get "session.client.version"]}
            catch {set url [ACCESS::session data get "session.server.network.name"]}
            catch {set macaddr [ACCESS::session data get "session.last.usermac"]}
            catch {set denyreason [ACCESS::session data get "session.custom.denyreason"]}
            log local0. "Denied ([clock format $starttime -format {%d %b %Y %T %Z}]|$assignedresources|$sessionid|$username|$userip|$assignedip|$geolocationcountry|$avstatus|$fwstatus|$platform|$browser|$version|$url|$denyreason|$macaddr)"
        }
    }

    when HTTP_REQUEST {
        # "session.assigned.clientip" is assigned after ACCESS_POLICY_COMPLETED and before
        # ACCESS_SESSION_CLOSED. In order to capture it, we key off of an internal URI hit by the
        # client when the VPN is established. We wait a few seconds for the lease pool IP address
        # to be assigned and then log the address here.
        if { [HTTP::uri] starts_with "/myvpn?sess=" } {
            after 5000 {
                catch {set starttime [ACCESS::session data get "session.user.starttime"]}
                catch {set userip [ACCESS::session data get "session.user.clientip"]}
                catch {set username [ACCESS::session data get "session.logon.last.username"]}
                catch {set sessionid [ACCESS::session data get "session.user.sessionid"]}
                catch {set assignedip [ACCESS::session data get "session.assigned.clientip"]}
                catch {set assignedresources [ACCESS::session data get "session.assigned.na.current"]}
                catch {set geolocationcountry [ACCESS::session data get "session.user.ipgeolocation.country_name"]}
                catch {set platform [ACCESS::session data get "session.client.platform"]}
                catch {set avstatus [ACCESS::session data get "AVcheckFailed"]}
                catch {set fwstatus [ACCESS::session data get "FWcheckFailed"]}
                catch {set browser [ACCESS::session data get "session.client.type"]}
                catch {set version [ACCESS::session data get "session.client.version"]}
                catch {set url [ACCESS::session data get "session.server.network.name"]}
                catch {set macaddr [ACCESS::session data get "session.last.usermac"]}
                catch {set denyreason [ACCESS::session data get "session.custom.denyreason"]}
                log local0. "Established ([clock format $starttime -format {%d %b %Y %T %Z}]|$assignedresources|$sessionid|$username|$userip|$assignedip|$geolocationcountry|$avstatus|$fwstatus|$platform|$browser|$version|$url|$denyreason|$macaddr)"
            }
        }
    }
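The iRule above writes one pipe-delimited "Denied (...)" or "Established (...)" line per session to local0. As an added example (not part of the thread), here is a small Python parser for that exact field order, run over constructed sample lines; it counts denials per user and pulls out sessions whose AVcheckFailed/FWcheckFailed value is non-empty. The syslog prefix format and the assumption that those two variables are empty when the check passed are mine, not stated in the thread.

```python
import re
from collections import Counter

# Field order exactly as the iRule's "Denied (...)" and "Established (...)" lines emit them.
FIELDS = ["starttime", "assignedresources", "sessionid", "username", "userip",
          "assignedip", "geolocationcountry", "avstatus", "fwstatus", "platform",
          "browser", "version", "url", "denyreason", "macaddr"]

LINE_RE = re.compile(r"(?P<event>Denied|Established) \((?P<body>.*)\)$")

# Constructed sample syslog lines (not real sessions); the syslog prefix format is assumed.
SAMPLE_LINES = [
    "May  7 14:03:22 bigip1 tmm[1234]: Rule /Common/EmoryLogging <ACCESS_POLICY_COMPLETED>: "
    "Denied (07 May 2019 14:03:20 EDT||sid0001|jdoe|198.51.100.7||United States|failed||"
    "Windows|Edge Client|7.1.9|vpn.example.edu|AV_OUT_OF_DATE|00:11:22:33:44:55)",
    "May  7 14:05:03 bigip1 tmm[1234]: Rule /Common/EmoryLogging <HTTP_REQUEST>: "
    "Established (07 May 2019 14:05:01 EDT|/Common/na_res|sid0002|asmith|203.0.113.9|"
    "10.10.5.23|United States|||macOS|Edge Client|7.1.9|vpn.example.edu||aa:bb:cc:dd:ee:ff)",
    "May  7 14:07:46 bigip1 tmm[1234]: Rule /Common/EmoryLogging <ACCESS_POLICY_COMPLETED>: "
    "Denied (07 May 2019 14:07:44 EDT||sid0003|jdoe|198.51.100.7||United States||failed|"
    "Windows|Edge Client|7.1.9|vpn.example.edu|FW_DISABLED|00:11:22:33:44:55)",
]


def parse_apm_log(line):
    """Parse one line emitted by the iRule into a dict of named fields, or None."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    values = m.group("body").split("|")
    if len(values) != len(FIELDS):
        # A field containing '|' (e.g. a resource list) would shift the columns; reject it.
        return None
    rec = dict(zip(FIELDS, values))
    rec["event"] = m.group("event")
    return rec


def summarize(lines):
    """Count denials per username and collect sessions with a failed AV/FW check."""
    denied = Counter()
    posture_failures = []
    for line in lines:
        rec = parse_apm_log(line)
        if rec is None:
            continue
        if rec["event"] == "Denied":
            denied[rec["username"]] += 1
        # Assumption: AVcheckFailed / FWcheckFailed are empty when the check passed.
        if rec["avstatus"] or rec["fwstatus"]:
            posture_failures.append((rec["sessionid"], rec["username"], rec["avstatus"], rec["fwstatus"]))
    return denied, posture_failures
```

Lines whose field count does not match are dropped rather than mislabelled, which matters if session.assigned.na.current ever contains a "|".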