Forum Discussion
Clone, what does it do technically in an iRule?
OK, maybe my previous post from a few days ago was too confusing, sorry about that.
"Clone single http request" https://devcentral.f5.com/community...542/asg/50
Let's see if I can simplify my questions. In my feeble mind, a clone is an identical copy of something, usually a fruit fly or an apple but I had convinced myself also possibly an HTTP_REQUEST. In the following block of iRule code, when the number of members is 1, what happens technically?
a) will a duplicate HTTP_REQUEST be sent to the warning_pool (with the response ignored)
b) will some other type of IDS type network traffic be sent to warning_pool
    when HTTP_REQUEST {
        if { [active_members app_pool] == 2 } {
            # both members up: normal load balancing
            pool app_pool
        } else {
            # one member down: still serve from app_pool, but also
            # send a copy of the traffic to warning_pool
            pool app_pool
            clone pool warning_pool
        }
    }
Other Clone questions about the role of the VS settings for Clone Pool (Client) and Clone Pool (Server)
1. in order for the iRule code to function as I expect, do I need to assign warning_pool to the VS Clone Pool (Client)?
2. do I need to also assign it to Clone Pool (Server)? this seems unlikely...
3. will an iRule "clone pool warning_pool" work for one-off requests without having any of the VS clone stuff set up?
Again, in my mind it seemed logical to me that if I set up a VS Clone Pool then ALL the traffic through the VS would go there, either client or server or both. But if I enacted a clone command in an iRule, it would only affect that particular request that triggered it. I'm sure somebody understands this much better than I do so please help.
13 Replies
- Marc_64553
Nimbostratus
Check out this article concerning clone pools and port mirroring: http://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html?sr=28731945
- jrok_47156
Nimbostratus
Hey thanks for the reply, unfortunately I have read that piece about 10 times already and I still have the questions I raised above. I am not a network engineer, I am a developer that got pushed into working on the F5 because I know a bunch of programming languages and I understand networking fairly well. I actually really enjoy working on iRules but in this case I do not understand exactly what is *supposed* to happen with clone pools in the VS and the clone command in an iRule. I really need a duplicate request sent to another pool. I see packets going to the pool but not a duplicate request. There is not a wealth of info about clone.
- What_Lies_Bene1
Cirrostratus
OK, let's see if I can help;
a) Yes, the entire packet in fact. The only thing modified is the L2 destination address
b) No
1) I don't believe so. It should be very easy to test I would have thought. As the clone command doesn't have a client | server option, I assume this is 'inherited' from the event context
2) No
3) It should do, as per 1) it should be easy to test and confirm
If you do test, please post back and let us know
- jrok_47156
Nimbostratus
I zero out the counters and then I run the rule above with a single request; these are the counters after. I see the request in the IIS log of app_pool but I see no request in the IIS logs of the warning pool. I understand that the F5 is ignoring the response from the cloned traffic but why are the other numbers so different and why is there no request?
    Pool       Bits In   Bits Out  Packets In  Packets Out  Conns Current  Conns Maximum  Conns Total  Requests Total
    app_pool   8.7K      247.8K    15          24           0              1              1            1
    wrn_pool   265.8K    0         47          0            0              2              2            0
- What_Lies_Bene1
Cirrostratus
I can't answer all your questions I'm afraid, as you note there's limited documentation available and nothing related to how statistics are recorded. I can though answer a couple (although there's no guarantee I'm right);
1) Why no requests? I assume this is because for a clone Pool (considering its purpose) it's not recorded.
2) Why no IIS log entries? This is because your IIS server is dropping the traffic when it gets to the TCP stack. It's not destined for an IP address on that server so it's dropped. Note my earlier comment that only the L2/MAC destination address is modified.
I don't think Clone Pools are going to meet your requirements. Perhaps you can explain in full what they are and I can make some suggestions based on that?
- jrok_47156
Nimbostratus
When you start talking about Layer 2 and the TCP stack, you are loitering on the outskirts of my knowledge, that's why I didn't respond appropriately to your earlier comment, sorry. Routers, firewalls, hubs, switches, etc. I am fine with and can have a loose conversation about them - but I'm not down with the stack you know, it's over my head.
Here's my situation. I have about a dozen servers sitting behind the F5 running six different applications with a couple of servers in each pool. I needed a way to be notified immediately when an entire pool went down so that I could react to it. So I built another IIS/App "warning" server that would accept HTTP requests destined for any of the app pools, decipher their original destination domain and then send emails and SMS messages out to our team. So when an entire pool goes down I use the pool command in an iRule to send it instead to my down-time-service pool and "warning" server. This all works swimmingly. What I decided to add was a new part of the rule that if just one of my two nodes for any particular pool goes down I would send the real request on through to the app pool but also send a clone of the request to my new node-down-service pool and "alert" server that would again decipher the original destination and alert the team that one of the nodes has failed so we can address it.
There is a better description of my situation with the actual iRule code here from last week:
https://devcentral.f5.com/community/group/aft/2166542/asg/50
- What_Lies_Bene1
Cirrostratus
OK, understood. I'm a network guy who knows a bit about programming, you're a programmer who knows a bit about networks! =]
So, the Clone Pool feature won't work here. When the traffic is cloned the original destination IP address of the Virtual Server the client connected to is unchanged, it's not automatically translated (as it would be when sent to a real server in the 'normal' Pool). Presumably a TCP three-way handshake also doesn't occur. This is why this feature will generally only work with IDS/IPS security devices that inspect traffic below the TCP/IP layer.
Whilst I appreciate your approach, personally I'd prefer to do this via email, logging or SNMP. Do you have any options around these?
If not we'll probably need to look at using a Sideband connection but I won't explore that unless we have to.
- jrok_47156
Nimbostratus
Yes, I have an email relay in an adjoining DMZ to the F5 that I can use. I also mentioned in my original post about possibly using a sideband connection but we just upgraded to 10.2.4 HF5 over the weekend so I do not think it is available to me.
Also, if I am understanding you correctly about the L2/MAC rewrite issue, the IIS server has an IP binding for the IP address I have assigned -- but the traffic coming to that server still has the original destination IP in it from a higher layer, so the IIS server's TCP stack is discarding it instead of accepting it as a valid request.
- What_Lies_Bene1
Cirrostratus
Yes, Sideband Connections are only available in v11. So, looks like email is the only way for now.
Here's some info on the how and what, if you need more please let me know;
To configure which events result in an alert email, as well as custom SNMP traps, edit the /config/user_alert.conf according to http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3667.html and http://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.
For outbound initiated administrative traffic sourced from the management interface IP address, the system will use the management routing sub-table. If there is no match, the TMM routing table will be used. Note: The management default route is not considered a match.
If a device is configured in Appliance Mode, SMTP email delivery cannot be configured as there is no way to edit the files as required.
- jrok_47156
Nimbostratus
Ok cool, I'll check all that out and let you know what I find. And thanks again for your help today.
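The L2-only rewrite that What_Lies_Bene1 describes above (a normal pool member gets a frame whose MAC and IP destinations are both translated, a clone pool member gets a copy with only the MAC changed, so its IP stack discards it), modelled as an added Python example that is not code from the thread or from F5; the names Frame, Server, forward, clone and simulate and every address in it are constructed assumptions.

```python
# Added illustration (not code from the thread or from F5) of What_Lies_Bene1's
# point: a normal pool member receives a frame with L2 and L3 destinations both
# translated; a clone pool member receives a copy with only the L2 destination
# changed, so its IP stack discards it. All addresses are constructed samples.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    dst_mac: str
    dst_ip: str
    dst_port: int
    payload: str

@dataclass
class Server:
    mac: str
    ip: str
    packets_in: int = 0   # counted when a frame addressed to our MAC arrives
    requests: int = 0     # counted only when the HTTP listener sees the request

    def receive(self, frame: Frame) -> bool:
        """Return True if the frame reaches the HTTP listener on this host."""
        if frame.dst_mac != self.mac:
            return False            # NIC ignores frames for other MACs
        self.packets_in += 1
        if frame.dst_ip != self.ip:
            return False            # IP layer discards: not addressed to us
        self.requests += 1
        return True

def forward(frame: Frame, member: Server) -> Frame:
    """Ordinary load balancing: both the L2 and the L3 destination are rewritten."""
    return replace(frame, dst_mac=member.mac, dst_ip=member.ip)

def clone(frame: Frame, member: Server) -> Frame:
    """Clone pool copy: only the L2 (MAC) destination is modified."""
    return replace(frame, dst_mac=member.mac)

def simulate() -> dict:
    app = Server(mac="00:00:5e:00:53:01", ip="10.0.1.10")   # app_pool member
    warn = Server(mac="00:00:5e:00:53:02", ip="10.0.2.10")  # warning_pool member
    # constructed client frame as it arrives at a virtual server on 203.0.113.10
    req = Frame("00:00:5e:00:53:f5", "203.0.113.10", 80, "GET / HTTP/1.1")
    app_ok = app.receive(forward(req, app))
    warn_ok = warn.receive(clone(req, warn))
    return {"app": (app.packets_in, app.requests, app_ok),
            "warn": (warn.packets_in, warn.requests, warn_ok)}
```

Running simulate() reproduces the shape of the counters in the thread: the warning member sees packets but never a request.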