Forum Discussion
duongnt_25195
Nimbostratus
NimbostratusBIGIP LTM Loadbalancing for Cache Farm with Client IP Spoofing feature.
Dear everyone.
Please help me with this topology.
Network topology attached as below.
Routing:
Cache farm using Bluecoat Cache Devices.
Default route of caches is BigIP VLAN 2's ip address (233.x.x.129)
Default route of BigIP is Vlan 3 on Multilayer Switch (MS) (233.x.x.230)
Vlan 1 of MS connect to Subscribers network and Vlan 2 connect direct to Internet router.
Configurations:
BIG-IP LTM:
I created two Pools:
Go_in_pool: has 3 members are three Cache devices (233.x.x.130-132)
Go_out_pool: has only one member: VLAN3 MS (233.x.x.230)
And two Wildcard Virtual Server associate with 2 pools:
Go_in_server:
- Destinations: Network 0.0.0.0/0.0.0.0
- Service Port: 0
- Type: Performance L4
- Protocol: All Protocol
- Enable on: VLAN 1 (external)
Go_out_server:
- Destinations: Network 0.0.0.0/0.0.0.0
- Services port: 0
- Type: Performance L4
- Enable on: VLAN 2 (internal)
Cache Device:
- Caching for HTTP Traffic
- Using Client IP Spoofing feature: This feature allow Cache devices sent HTTP Request to real server with IP address of client.
Multilayer Switch: Redirect traffic:
Rule 1:
- Flow: Vlan 1, ingress
- Source IP address: Subscribers IP address
- Destination port: 80
- Action: Redirect to 233.x.x.229 (BIG-IP SelfIP Vlan external)
Rule 2:
- Flow: Vlan 2, Ingress
- Destination IP address: Subscribers IP address
- Source Port: 80
- Action: Redirect to 233.x.x.229 (BIG-IP SelfIP Vlan external)
And now I have serious problem.
- When Client sent HTTP requset (www.example.com), MS redirect this request to F5. F5 sent to Cache1.
- Cache 1 check itself, if it has content for this request, it return for Client via F5 – This's OK.
- If Cache 1 does not has content, it act as client and sent request to real server (www.example.com) to get data.
- But when using Client IP Spoofing Feature, Cache sent request with source address of Client.
- When Real server reply, it sent packet HTTP response with destination IP is IP address of Client via Internet Router.
Internet Router sent this packet to MS. MS redirect this packet to F5.
At this point. F5 see this package as new request and sent to Cache farm
- IF F5 send this package to Cache1, Cache 1 has content and response to Client correctly.
- IF F5 send this package to Cache 2 or Cache 3, Cache 1 wait to time out for it's connection. And after time out, it send an error response to Client.
That's why our network too slow and has a lot of error sessions.
Please give me an advice to fix this case.
- The_BhattmanDo you have persistence turned on?
CB 
duongnt_25195Dear CB.
I tried enable persistence based on source address, dest address, ... but it seem to bad, client access internet more and more slowly.
When I disable persistence, Client go faster but there're alot of error session.- The_BhattmanDestination persistence is what is usually recommended for Proxy caches. I don't think that would be the root cause, but it could be pointing to another issues. Curiously is your network connection on the LTM and blue coat set to auto or is it hard coded?
CB - duongnt_25195Dear CB.
Both network connection on LTM and Blue Coat Caches set to auto.
I think problem is way F5 process traffic. Example, when Cache 1 sent request to www server (@ internet) with source IP address is Client IP address, and www server return with destination IP is Client IP address. At this point, Content Switch redirect traffic to F5, but I think F5 sent this traffic flow to another Cache. That's why internet connection to slow, cause Cache 1 still waiting response of www server. - The_BhattmanRereading your problem again I was thinking why would you need the client IP spoofing turned on. In other words why would you want to send the IP address of yoour client to the internet server?
CB - duongnt_25195Our network is an ISP. So we must enable Client IP Spoofing feature. If not, some download site like rapidshare, megaupload will limit quota for Cache IP, and then, client clould not download from these sites.
zekky_101290Could you please check if the auto last hop feature is enabled. This feature is found in system->configuration->Local Traffic->General.
This feature would make sure that the return traffic is sent to the same cache which initiated the connection.
Alex_3303an news for this issue?- The_BhattmanJust waiting back for a response post from duongnt.
CB - duongnt_25195Dear all.
Finally, I got support from F5 Technical and we have to use iRule.
I post this iRule here for reference.
when HTTP_REQUEST {
set High_Score -9999999999
set Node_Picked “”
set Pool_Picked pool_[expr {crc32 [HTTP::uri]} % 10]
foreach Cur_Node [active_members -list $Pool_Picked] {
if { [crc32 $Cur_Node[HTTP::uri]] > $High_Score } {
set High_Score [crc32 $Cur_Node[HTTP::uri]]
set Node_Picked $Cur_Node
}
}
pool $Pool_Picked member [lindex $Node_Picked 0] [lindex
$Node_Picked 1]
}
Note that this iRule requires version 9.4.2+. Change to
your pool name.
