Forum Discussion

wlopez
Aug 19, 2021

iRule to disable OneConnect for a list of source IP addresses

I'm trying to resolve an issue with a legacy application that doesn't like OneConnect.

All traffic from the legacy application originates from a known list of source IP addresses, which I'm including in an iRule Data Group called 'Legacy_App'. The current iRule is sending traffic from those source IP addresses to a specific pool called 'pool_Legacy'. The virtual server has an HTTP profile and OneConnect profile with a /32 netmask. All other applications connecting to the virtual server are working fine. I'm only looking for a way to disable OneConnect specifically for traffic coming from the addresses in the Data Group 'Legacy_App'.

This is what the current iRule looks like:

when CLIENT_ACCEPTED {
  if {[class match [IP::client_addr] equals Legacy_App]} {
    pool pool_Legacy
  }
}

I've seen the OneConnect options for iRules:

       ONECONNECT::reuse disable

       ONECONNECT::detach disable

Will adding one of those work?

Should they be used with the CLIENT_ACCEPTED event?

    • wlopez

      Thanks for replying.

      I had read that article but am not clear on how to use it to accomplish my goal.

      I'm looking for how to take OneConnect completely out of the picture for all traffic originating from the list of IP addresses included in the "Legacy_App" iRule data group.

      Will something like this accomplish that?

          when CLIENT_ACCEPTED {
            if {[class match [IP::client_addr] equals Legacy_App]} {
              ONECONNECT::reuse disable
              pool pool_Legacy
            }
          }
      • Actually, "CLIENT_ACCEPTED" is not a valid event.

        I would use this instead:

        when HTTP_REQUEST {
          if {[class match [IP::client_addr] equals Legacy_App]} {
            ONECONNECT::reuse disable
            pool pool_Legacy
          }
        }

        Let me know if it works as expected.

        Regards,

        Dario.