Closing GitHub issue so there is no duplicate effort created. The SR will take a higher priority. F5 support requested to reproduce this issue and determine if it's the CIS iRule or TLS policy that is dropping the header.
Setup Details
CIS Version : 2.0
Build: f5networks/k8s-bigip-ctlr:2.0
BIGIP Version: Big-IP version v14.1.2.3
AS3 Version: 3.18
Agent Mode: AS3
Orchestration: OSCP
Orchestration Version: 4.3
Pool Mode: Cluster
Description
When using Edge termination and the client request includes an HTTP Header that is similar to the below then the openshift_passthrough_irule has a TCL error and terminates the TCP connection. Removing this HTTP Header allows the connection to pass.
HTTP Header iv-groups
'iv-groups: "s-abcd_1234","s-abcd_4567","s-efgh_1234","s-efgh_5678" '
This error is logged in /var/log/ltm when the connection is terminated:
Jun 16 16:26:19 slot2/ABC-OpenShift-LTM-1A err tmm1[11390]: 01220001:3: TCL error: /gp_1_nonprod_cis_AS3/Shared/openshift_passthrough_irule <CLIENTSSL_DATA> - list element in quotes followed by ","s-abcd_1234" instead of space while executing "lindex [SSL::payload] 1"
Steps To Reproduce
6 - Curl Using the iv-groups header - fails
```sh
curl -vik -H "accept-language: en-US,en;q=0.9" \
  -H "connection: Upgrade" \
  -H "host: blah.mydns.com" \
  -H 'iv-groups: "s-abcd_1234","s-abcd_4567","s-efgh_1234","s-efgh_5678" ' \
  -H "iv-user: ZABCD123" \
  --resolve blah.mydns.com:443:10.1.1.2 https://blah.mydns.com
```
7 - Curl NOT Using the iv-groups header - Works
```sh
curl -vik -H "accept-language: en-US,en;q=0.9" \
  -H "connection: Upgrade" \
  -H "host: blah.mydns.com" \
  -H "iv-user: ZABCD123" \
  --resolve blah.mydns.com:443:10.1.1.2 https://blah.mydns.com
```
Expected Result
We get a response
Actual Result
TCP Connection is closed
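Why the `iv-groups` header produces the logged error, as an added example for plain `tclsh` that is not part of the original issue and is not the CIS iRule's code: `lindex` has to parse its whole argument as a Tcl list, and a quoted element followed directly by a comma is not valid list syntax. The payloads are constructed from the curl headers above, the proc names are hypothetical, and it is assumed (the page does not say) that the rule wants the second space-separated token of the request line.

```tcl
# Constructed payloads modelled on the two curl requests in this issue
# (not captured traffic). Tcl treats CR and LF as list separators.
set base   "GET / HTTP/1.1\r\nhost: blah.mydns.com\r\niv-user: ZABCD123\r\n"
set groups "iv-groups: \"s-abcd_1234\",\"s-abcd_4567\" \r\n"
set payload_ok  "${base}\r\n"
set payload_bad "${base}${groups}\r\n"

# Same pattern as the failing command in the log: raw client bytes are
# handed to lindex, which must parse the WHOLE string as a list first.
proc second_token_lindex {payload} {
    return [lindex $payload 1]
}

# String-only alternative (hypothetical helper): isolate the first line,
# then split on spaces. split always returns a well-formed list, whatever
# bytes the client sent, so the following lindex cannot raise.
proc second_token_split {payload} {
    set eol [string first "\r\n" $payload]
    if {$eol < 0} {
        set eol [string length $payload]
    }
    set first_line [string range $payload 0 [expr {$eol - 1}]]
    return [lindex [split $first_line " "] 1]
}

# Run both approaches over both payloads; catch turns the list-parse
# failure into a message instead of aborting the script.
foreach {name payload} [list ok $payload_ok bad $payload_bad] {
    if {[catch {second_token_lindex $payload} result]} {
        puts "$name lindex: TCL error: $result"
    } else {
        puts "$name lindex: $result"
    }
    puts "$name split:  [second_token_split $payload]"
}
```

In an iRule the uncaught error aborts the event and the connection is reset, which matches the behaviour reported here; wrapping the call in `catch` or avoiding list commands on `[SSL::payload]` keeps client-supplied header content from deciding whether the rule completes.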