mbkosiba_310067
Sep 20, 2017

Cookie insert troubles

I am trying to do cookie-insert persistence along with an iRule that sets the domain value for the cookie. Whenever I have all of the parts together on the virtual server (http profile, cookie persistence profile, iRule) I just get resets. I don't even get through to the site; however, if I strip all of these off, I get to the site just fine. No combination of one or more of these settings works.

 

Not sure what is going on. Here is the code in the iRule I am using.

 

when HTTP_RESPONSE {
    # Check if the persistence cookie exists in the response
    if {[HTTP::cookie exists "MS-WSMAN"]} {
        # Set the domain attribute on the persistence cookie
        HTTP::cookie domain "MS-WSMAN" "domain"
    }
}
  • Do you have an http profile on your virtual server? You must have an HTTP profile to use an HTTP iRule. Also, if you take a packet capture with full noise, what is the listed reason for the resets? It will be visible in Wireshark as a plain text addendum to the packet. To take a full noise capture:

    tcpdump -s0 -i :nnn -w /var/tmp/.pcap

    Note: edited to restore the formatting of the suggested capture string

  • Hi,

     

    If you have TCP resets because of this iRule, you may have Tcl errors in the /var/log/ltm file.

     

  • Yeah, I have the http profile on. I'm taking a look at running this capture now. I found that I only need the cookie insert persistence profile on with the name of the cookie I need, and it inserts as desired, so the iRule doesn't seem to be needed. I can get this working fine on port 80, but with port 443 I'm seeing the resets. I have the service certificate, but it is looking like there is an issue with the certificate. I can take every setting off, including the certificate, making it a very plain VS, and the site comes up, but if I simply add the cert, which is simple to do, I'm getting resets.

     

  • I assume you are creating a new virtual server on port 443 with the certs? If you are just adding the cert, then you would need to test with an explicit port (since the virtual server will be listening on port 80):

    https://..:80/

  • Yeah, I have a VS for ports 80 and 443; however, what I am seeing is this. If I put the cert for the application on via an SSL profile and the generic SSLServer profile on, connections get reset immediately. If I do the same thing but instead put the server-ssl-insecurecompatible profile on in place of the generic SSLServer profile, then all works fine. Taking a packet capture seems to suggest that between the client and the VS, traffic gets encrypted, but between the VS and the web servers, the web servers are refusing to encrypt traffic and I can see data in plain text.

     

  • If you are adding a server-ssl-insecurecompatible profile then the back end should be encrypted, just with a weak cipher. In order to have plain text on the back end you would need to remove the serverssl profile entirely.

     

    I will assume that you are changing to a 443 pool when you add the serverssl profile, in which case you likely need to upgrade the servers to support better ciphers.

     

    To explain a bit more, the serverssl profile tells the BigIP to open a connection with the pool member and send a Client Hello. Without this, the BigIP will start with your chosen HTTP Method (normally GET). With a serverssl profile no HTTP data will be transferred until after the SSL connection has been established.

     

    The insecurecompatible profile uses less secure ciphers than the regular profile, but otherwise behaves exactly the same. No HTTP data will be transferred until after the SSL connection has been established.
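
The last reply's distinction (Client Hello first with a serverssl profile, HTTP method first without one) can be checked against a capture. The following is an added example, not part of the thread: it classifies the first client-to-server payload on the BIG-IP to pool member leg and lists any RC4 or 3DES suites offered. The sample bytes are constructed, the function names are hypothetical, and the weak-suite table is a small illustrative subset.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# Small illustrative subset of IANA cipher suite IDs that use RC4 or 3DES.
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def parse_client_hello(hs: bytes) -> dict:
    """Parse a ClientHello handshake message (starting at its type byte)."""
    pos = 4                                   # skip type(1) + length(3)
    version = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + 32                             # skip version(2) + random(32)
    pos += 1 + hs[pos]                        # skip session_id length + value
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    suites = struct.unpack_from("!%dH" % (cs_len // 2), hs, pos + 2)
    return {
        "hello_version": hex(version),
        "suites": list(suites),
        "weak_offered": [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES],
    }

def classify_first_payload(data: bytes) -> dict:
    """Classify the first client-to-server payload on the server-side leg."""
    if data.startswith(HTTP_METHODS):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext-http", "request_line": line}
    # TLS record: content type 0x16 (handshake), major version 3,
    # then the handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        try:
            return {"kind": "tls-client-hello", **parse_client_hello(data[5:])}
        except (struct.error, IndexError):
            return {"kind": "tls-truncated"}  # capture cut the hello short
    return {"kind": "unknown"}

def build_sample_client_hello(suites) -> bytes:
    """Constructed test input: minimal ClientHello with no extensions."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites)
            + b"\x01\x00")                    # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(classify_first_payload(build_sample_client_hello([0xC02F, 0x0005])))
    print(classify_first_payload(b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"))
```

A "plaintext-http" result on the pool-member side means no serverssl profile was in effect for that flow; a "tls-client-hello" result with entries in `weak_offered` means the leg is encrypted but the hello still offers legacy suites.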