Using the Web Applications Engine Trace
Overview of the Web Applications engine trace
The FirePass Web Applications engine trace feature provides an easy way for you to capture logs of user Web sessions. Use this trace feature when a user has trouble connecting to a Web site while using a FirePass Web Applications session. The logs provide detailed information about how the FirePass controller is translating the data stream.
Situations when you would use the Web Applications engine trace feature include the following:
- If a Web page is not displaying properly on a client computer.
- When there are non-HTML elements on a Web page that a client computer is trying to access. For example, if a Web page includes XML, Flash, or ActiveX components, and a client computer cannot access the page.Note
Web pages may not load properly if you are using gzip compression. As a first troubleshooting step, disable gzip compression on the Portal Access : Caching and Compression screen.
Using the Web Applications engine trace
The trace feature creates logs that are intended for use by F5 Networks engineers, but you can use them to help pinpoint the causes of problems with Web pages. You can open the logs in a text editor, review them, and delete passwords and sensitive information before sending them to F5 Technical Support. For more information about reviewing Web Applications engine trace logs, see Analyzing Web Application engine traces .
To use the Web Applications engine trace
- Have the user who is experiencing problems log in.
- Connect to the FirePass controller's Administrative Console using a Web browser.
- Log in as administrator.
The Device Management Welcome screen displays.
- In the navigation pane, expand Maintenance.
- Click Troubleshooting Tools.
The Troubleshooting Tools screen displays.
- In the Web Applications engine trace area, type the user's name in the User box, and click Get user sessions to get a list of active sessions for the user.
A session ID and status display.
- Click Connect for the session you want to trace.
The Web Applications engine trace begins tracing the session, and the Connect link changes to a Download link.
- Have the user start a session and connect to the problem Web page.
- After the user experiences the problem and the page finishes loading, click Download to save the trace file to your local hard drive.Note: If the Web page does not fully load, the trace file may be empty.
About the trace files
The Web Applications engine trace creates a zipped file with a default name of ur_debug.zip. You can open this zipped file to see its contents.
Table 10.1 lists the files contained in the zipped file. You can open any of these files in Notepad or another text editor.
Table 10.1 Contents of the Web Applications engine trace zip file File name Contents <n>.in Data coming into FirePass controller from the Web site accessed by the user session. <n>.out Data from the Web site, after it has been processed by the FirePass controller. <n>.log A log of data that the FirePass controller and the Web Applications engine trace changed. <n>.dbg Data from the Web site after being process by FirePass controller (the contents of the .out file), with additional state-change information.
Analyzing Web Application engine traces
The files created by the Web Application engine trace contain data you can look at in a simple text editor like Notepad. Much of the content is unreadable, but some of it is readable. Comparing the contents of the .in file (data coming into the FirePass controller from the accessed Web site) and the .out file (the same data after the FirePass controller has processed it) can be useful in troubleshooting problems.
To compare trace file content
- Open the <n>.in file in a text editor.
- Open the corresponding <n>.out file in a second text editor window.
- Compare the incoming data (the <n>.in file) and the processed data (<n>.out), focusing on URLs and anchor tags (<a href=...>).
FirePass controller processing converts all URLs and anchor tags. Processed URLs contain the host name of the FirePass controller, as well as converted paths. The paths are converted to hide their true locations. A converted path starts with i-tr-.
- Find the point at which the FirePass controller processing stops replacing URLs or paths. The problem code exists immediately prior to this point.
Once you have made this comparison, and located the point where the controller processing stops, you can use this information to find and fix several types of problems.
Fixing common problems
If you are able to identify the place in the trace where the problem occurs, you may be able to fix the problem.
Most problems are caused by one of three things:
HTML syntax errors
HTML syntax errors are common. Frequently they are invisible or cause only minor problems with a Web page's appearance, but Web pages with syntax errors can also result in significant problems in certain browsers or when viewed using a FirePass Web Access connection.
To find HTML syntax errors
Start with the trace files you created using the Web Applications engine trace (see Using the Web Applications engine trace ).
- Compare the contents of the <n>.in file and the <n>.out file and locate the point where the FirePass controller stopped converting the URLs.
- Look at the HTML source code immediately preceding the error point. This is where you would find HTML syntax errors that can cause problems. Errors include missing quotes, doubled quotes, and unclosed tags.
Fixing HTML syntax errors
If you do find an HTML syntax error, you can correct it in one of several ways: you can edit the source HTML, you can use the FirePass Content Cleaning feature, or you can correct the HTML error using a sed script.
Fixing HTML syntax errors by editing the source HTML
The easiest way to fix HTML syntax errors is to correct them on the Web page itself. To do this you need access to the Web server and the source Web pages. If you have this access, correct the error on the page.
Using the Web Applications content cleaning feature to fix HTML syntax errors
If you cannot correct the syntax error on the source HTML page, you can use the FirePass Web Applications content cleaning feature to fix the syntax error. The content cleaning feature only works on HTML and plain text.
To use the content cleaning utility
- In the Administrative Console, on the navigation pane, click Portal Access.
The Portal Access : Web Applications : Group-based Settings screen displays.
- On the navigation pane, click Content Processing.
The Portal Access : Web Applications : Content Processing screen displays. By default the Preprocessing Scripts tab is selected.
- In the Web Applications Content Cleaning area, type the URL for the page that contains the HTML syntax error.
- Click Update.
The URL's patterns are saved.
- To verify that the cleaning utility worked, compare <n>.out files from before and after using the cleaning utility.
Using Web Applications content processing scripts to fix HTML syntax errors
If the problem continues after you use the content cleaning feature, you can create a sed script to fix specific HTML errors dynamically. Sed is an editor you can use to create a script that will be used on the incoming data from the problem Web page.
To fix an HTML error using a sed script
- On the navigation pane, click Portal Access.
- Click Content Processing.
The Portal Access : Web Applications : Content Processing screen displays.
- In the Web Applications Content Processing Scripts area, click Add New to add a new sed script.
The editing fields for the sed script display.
- Type a script name in the Processing script name box.
- In the URL match patterns box, type a URL for the Web page that is causing problems. Use a comma if you type more than one page.
- Type the script in the Sed processing script box.
- Select an option from the Processing list. The option specifies when the script will run to process the content. For more information, see the online help for the Portal Access : Web Applications : Content Processing screen.
- To add the new sed script and processing configuration, click Add New.
Java applet code issues
A signed Java applet is an applet containing a signature that verifies the source of the applet. If a signed Java applet refers to an internet site other than the site the applet came from, the FirePass controller cannot make the appropriate host name or path substitutions in the URL, because making substitutions invalidates the applet signature.
In these situations, you cannot use a FirePass Web Application Access connection to access the problem Web site. Instead, use Application Access (App Tunnels) or Network Access.