Forum Discussion

Stanislas_Piron's avatar
Stanislas_Piron
Icon for Nimbostratus rankNimbostratus
Nov 14, 2017

ACCESS::session behavior within ACCESS_* events

I have a question about ACCESS::session command which suspends execution of irule.

 

In k12962, there is this note:

 

Note: When you run the ACCESS::session command, iRule execution on the connection will be suspended until the operation completes only if the session database record is held by another TMM; this situation allows the current TMM to retrieve the data from the other TMM before processing the remainder of the iRule.

 

When evaluating ACCESS_SESSION_ALLOWED, does it suspend IRule processing as this is an APM event?

 

Same question for other APM events!

 

application delivery
BIG-IP Access Policy Manager (APM)
iRules
  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Nov 21, 2017

    Hi Stanislas,

    you can easily detect connection parking/suspending situations by measuring the 

    [clock clicks]
    needed to execute the individual 
    ACCESS::session
    commands. If the connection gets suspended it will take way more than 50 clicks and if not it will take less clicks...

    I've once reverse engineered the connection suspending behavior for 

    [table]
    and 
    [ACCESS::*]
    commands on a CMP-enabled plattform and came to the following conclusion.

    General rules for TMM distribution:

    • The underlying TCP/UDP connection will use the CMP-hash settings (IP or IP+Port) to select the owning TMM instance.
    • The 
      [table]
      command will use a hash of the KEY value to select the owning TMM instance.
    • The 
      [table -subtable]
      command will use a hash of the subtable-label to select the owning TMM instance.
    • The 
      [ACCESS::*]
      commands will use a hash of the SID to select the owning TMM instance.

    General rule for connection suspending:

    • A connection suspending situation will ocour if the TMM instance where the 
      [table]
      or 
      [ACCESS::*]
      command is executed is not the owning TMM instance.

    APM specific behavior:

    • The underlying TCP session of the HTTP request that initiates a new APM session will be CMP-hash distributed to a given TMM (lets say TMM0)
    • The 
      ACCESS_SESSION_STARTED
      will be processed on the TMM core of the underlying TCP session (still TMM0)
    • During 
      ACCESS_SESSION_STARTED
      a (slightly pseudo) random SID will be generated, where the hash of the just created SID always routes the responsibility for that APM session to the local TMM (still TMM0 in this case)
    • In a non-clientless mode, the client may open multiple keep-alive TCP session to fetch the login pages where each TCP session may be CMP-hash distributed to a different TMM (TMM0, TMM1, ect.)
    • From here it depends on the underlying TCP session the client has used to POST-back login page information.
    • If the underlying TCP session is handled by the TMM which has processed the 
      ACCESS_SESSION_STARTED
      event no connection parking situations will happen while executing 
      [ACCESS::*]
      commands.
    • If the underlying TCP session is handled by a different TMM a connection parking situations will happen everytime while executing 
      [ACCESS::*]
      commands.

    How to repro my observations:

    Create a VPE with a pattern like that: 

    START -> iRule Action -> MSGBox -> iRule Action -> MSGBox -> iRule Action -> DENY

    Use the following iRule to measure the time needed and to output the used TMM instance.

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    log local0.debug "Path: [HTTP::path]"
}
when ACCESS_SESSION_STARTED {
    set start [clock clicks]
    set test [ACCESS::session data get "blub"]
    set stop [clock clicks]
    log local0.debug "APM session initialized on TMM[TMM::cmp_unit]. ACCESS command took [expr { $stop - $start }] clicks"
}
when ACCESS_POLICY_AGENT_EVENT {
    set start [clock clicks]
    set test [ACCESS::session data get "blub"]
    set stop [clock clicks]
    log local0.debug "We are on TMM[TMM::cmp_unit] now. ACCESS command took [expr { $stop - $start }] clicks"
}
when ACCESS_POLICY_COMPLETED {
    set start [clock clicks]
    set test [ACCESS::session data get "blub"]
    set stop [clock clicks]
    log local0.debug "We are on TMM[TMM::cmp_unit] now. ACCESS command took [expr { $stop - $start }] clicks"
}

    Log outputs on a test system with 2 TMM cores:

    tmm[13406]: Rule /Common/Test : Path: /
tmm[13406]: Rule /Common/Test : APM session initialized on TMM0. ACCESS command took 15 clicks
tmm[13406]: Rule /Common/Test : Path: /my.policy
tmm[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm[13406]: Rule /Common/Test : We are on TMM0 now. ACCESS command took 15 clicks
tmm[13406]: Rule /Common/Test : Path: /renderer/agent_message_box_form.eui
tmm1[13406]: Rule /Common/Test : Path: /my.policy
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm1[13406]: Rule /Common/Test : We are on TMM1 now. ACCESS command took 201 clicks
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_message_box_form.eui
tmm[13406]: Rule /Common/Test : Path: /my.policy
tmm[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm[13406]: Rule /Common/Test : We are on TMM0 now. ACCESS command took 16 clicks
tmm[13406]: Rule /Common/Test : We are on TMM0 now. ACCESS command took 14 clicks
tmm[13406]: Rule /Common/Test : Path: /vdesk/hangup.php3

tmm1[13406]: Rule /Common/Test : Path: /
tmm1[13406]: Rule /Common/Test : APM session initialized on TMM1. ACCESS command took 14 clicks
tmm1[13406]: Rule /Common/Test : Path: /my.policy
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm1[13406]: Rule /Common/Test : We are on TMM1 now. ACCESS command took 12 clicks
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_message_box_form.eui
tmm1[13406]: Rule /Common/Test : Path: /my.policy
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm1[13406]: Rule /Common/Test : We are on TMM1 now. ACCESS command took 16 clicks
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_message_box_form.eui
tmm[13406]: Rule /Common/Test : Path: /my.policy
tmm[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm[13406]: Rule /Common/Test : We are on TMM0 now. ACCESS command took 611 clicks
tmm[13406]: Rule /Common/Test : We are on TMM0 now. ACCESS command took 564 clicks
tmm[13406]: Rule /Common/Test : Path: /vdesk/hangup.php3

tmm[13406]: Rule /Common/Test : Path: /
tmm[13406]: Rule /Common/Test : APM session initialized on TMM0. ACCESS command took 12 clicks
tmm[13406]: Rule /Common/Test : Path: /my.policy
tmm[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm[13406]: Rule /Common/Test : We are on TMM0 now. ACCESS command took 16 clicks
tmm[13406]: Rule /Common/Test : Path: /renderer/agent_message_box_form.eui
tmm1[13406]: Rule /Common/Test : Path: /my.policy
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm1[13406]: Rule /Common/Test : We are on TMM1 now. ACCESS command took 205 clicks
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_message_box_form.eui
tmm1[13406]: Rule /Common/Test : Path: /my.policy
tmm1[13406]: Rule /Common/Test : Path: /renderer/agent_irule_event_form.eui
tmm1[13406]: Rule /Common/Test : We are on TMM1 now. ACCESS command took 193 clicks
tmm1[13406]: Rule /Common/Test : We are on TMM1 now. ACCESS command took 105 clicks
tmm1[13406]: Rule /Common/Test : Path: /vdesk/hangup.php3

    Note: Keep in mind that those informations are based on reverse engineerings. They may or may not be 100% acurate, but for now it seems they are at least 99% correct... 😉

    Cheers, Kai