
Responder policy not working for Content switching vserver


Pawel Rzepa


Hi,

 

I faced strange behaviour related to responder policy bound to a content switching vserver.

 

One of the requirements for my content switching vserver was to block access when the request comes to the specific IP address. I believed that a responder policy is something I could apply here.

My configuration (only relevant part is pasted) is as follows:

 

add cs vserver test_cs_10.10.10.10_443 SSL 10.10.10.10 443

add responder policy RES_PLC_BLOCK_IP_10.10.10.10 "HTTP.REQ.HOSTNAME.EQ(\"10.10.10.10\")" RESET

bind cs vserver test_cs_10.10.10.10_443 -policyName RES_PLC_BLOCK_IP_10.10.10.10 -priority 70 -gotoPriorityExpression END -type REQUEST

 

But it doesn't work. I mean traffic coming to the 10.10.10.10 is not reset, 'show policy responder RES_PLC_BLOCK_IP_10.10.10.10' shows 0 Hits.

 

So I tried to configure it in a different way. I defined an LB vserver with exactly the same responder policy applied, then applied a CS policy to my CS vserver that redirects traffic to my new LB vserver:

 

add lb vserver RESET_VS_0 HTTP 0.0.0.0 0
bind lb vserver RESET_VS_0 -policyName RES_PLC_BLOCK_IP_10.10.10.10 -priority 100 -gotoPriorityExpression END -type REQUEST

 

add cs action CS_ACT_RESET_REQUEST -targetLBVserver RESET_VS_0
add cs policy CS_PLC_BLOCK_IP_10.10.10.10 -rule "HTTP.REQ.HOSTNAME.EQ(\"10.10.10.10\")" -action CS_ACT_RESET_REQUEST

bind cs vserver test_cs_10.10.10.10_443 -policyName CS_PLC_BLOCK_IP_10.10.10.10 -priority 130

 

And it works.

But does it mean that I cannot use Responder Policies for content switching vservers? I'm sure I did it somewhere in the past and it worked.

VPX 12.1

 

Any help appreciated.

 


14 hours ago, Elias Winburne said:

Hi Pawel,

I noticed your responder policy was set to "-priority 70" which implies you have ones before this one... If I am using a blocking approach, I would make it "-priority 10" so that it is matched first... Make sense?

Elias

Thanks for your reply.

My priority of 70 is the highest one for this vserver.

There are some other content switching policies bound to this cs vserver, but by default they start with priority 100. That's why I added the responder policy with priority 70, to make it the most preferable.
