Forum Discussion
JosephT
Nimbostratus
NimbostratusBack to basics - redirect to a virtual server
We're working on an irule to send connections to another virtual server based on a match on the X-forwarded header. The reason for this is so we can rate-limit the number of connections (by using Connection Limit on the virtual server) to the web servers if we need to.
So we have a 'dummy' pool that consists of a virtual server which has a pool of web servers and this irule:
when HTTP_REQUEST {
if { [HTTP::header "X-Forwarded-For"] == "4.4.4.0" } {
pool webcrawler.dummy.pool
event disable
}
}
When testing with a client and injecting an X-Forwarded-For address like this: "GET -seUd -H "X-Forwarded-For: 4.4.4.0" www.mysite.com" all I receive is "500 Server closed connection without sending any data back"
I also tried using node and the IP of the virtual server ie: node x.x.x.x 80 instead of pool, but that doesn't work either.
The only thing that does work is if I use pool webserver.pool or node webserver.ip 80
I discovered: "In version 9.4.0 and higher, 'virtual ' can be used to route the connection to another virtual server, without leaving the BIG-IP. This functionality did not exist in previous versions." We happen to be using 9.3.0
But we were told by F5 that we should be able to route the existing connection to a pool containing a virtual server (on the same ltm) containing a pool.
Any ideas?
- The_BhattmanAs a test can you try setting the snat to automap on virtual server that you are trying to?
Thanks,
CB 
JosephTI tried snat automap on the primary vs, then tried it on the other vs, then tried it on both vs's, but I get the same behavior.- The_BhattmanIf F5 is saying it should then I would talk to F5 tech support to see if you are running to a specific bug or some kind of limitation.
CB 
Nat_ThirasuttakornEmployee
another idea is setting static arp using bigpipe (not linux arp command)
b arp
let say vip matches address of vlan x, use bigpipe command to get mac address of that vlan
b vlan show all
btw, you may put log in LB_SELECTED to see if it has been called
log local0. [LB::server]
also check b arp to see if you can see entry for virtual address that said "incomplete"
hoolioCirrostratus
If you can't upgrade to 9.4.0+, you should be able to use a loopback plug on two LTM switch ports and then specify a VIP as another VIP's pool member. Here are a few related posts where at least one person said they were able to get it working:
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=46384643
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=1245312475
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=1321813218
If you do get this working, can you post a sample configuration for future reference?
Thanks,
Aaron- hoolioAlso, you can use IP::addr (Click here) to compare the XFF value to the IP address. This will be more efficient than a string comparison.
[IP::addr [HTTP::header "X-Forwarded-For"] equals 4.4.4.0]
And if you're selecting a pool for some HTTP requests, you should make a pool selection for all others in the iRule. This ensures that requests make it to the correct pool. If you don't want to hard code the pool name in the iRule you can use 'LB::server pool' to get it before the selected pool has been modified on the TCP connection:when CLIENT_ACCEPTED { Save VIP's default pool name set default_pool [LB::server pool] } when HTTP_REQUEST { if { [IP::addr [HTTP::header "X-Forwarded-For"] equals 4.4.4.0] } { pool webcrawler.dummy.pool } else { pool $default_pool } } } Aaron
