hc_andy_35682
Nimbostratus
Feb 11, 2010
Connection Mirroring and IRule Problem
Hi All,
New to the wonderful world of F5 and getting this error when trying to run connection mirroring and iRule.
This is the iRule we're using to permit only trusted IP Addresses access to the real and virtual servers. Pretty basic iRule. We apply this to all forwarding VIPS and Virtual Servers.
when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
        # Uncomment the line below to turn on logging.
        log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
    } else {
        # Uncomment the line below to turn on logging.
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
    }
}
Here's what happens...
* If iRule is applied to the VIP, we can't enable connection mirroring.
01070734:3: Configuration error: Mirroring is not supported on virtual servers that have cmp disabled and are configured with a fastL4 profile (VMTEST_HTTP)
* If connection mirroring is already enabled on the VIP, we can't add the iRule.
01070734:3: Configuration error: Mirroring is not supported on virtual servers that have cmp disabled and are configured with a fastL4 profile (VMTEST_HTTP)
Appears to be one or the other... why is this so???
Our VIPS are using a fastL4 profile. Not 100% sure about cmp, read what I can find about it but it appears to be some feature that allows the CPU to load share the work load better.
Any help would be appreciated.
Thanks.
Andy
3 Replies
- spark_86682
Historic F5 Account
I'm not sure why mirroring and a cmp disabled virtual server are incompatible. However, the easy and obvious fix is to change:
if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
to
if { [matchclass [IP::client_addr] equals trustedAddresses] } {
Usually, the "$::" prefix refers to a global variable, which is not compatible with CMP. On recent versions (9.4.2 (I think) and later) removing the "$::" will allow the matchclass command to work, while not making the system think you are using a global variable. This will also allow your virtual server to run on all processors, not just one (this is what CMP is), which can have a significant performance impact.
- hoolio
Cirrostratus
Hi Andy,
Also, if the connections through the VIP are short lived, connection mirroring is generally not worth the additional resources it requires. Specifically, for HTTP, it doesn't make sense to use connection mirroring as the protocol can handle a brief drop at the TCP layer. So if there is a failover, HTTP clients should recover automatically or with a refresh of the page.
Connection mirroring makes more sense for long lived connections that don't handle TCP resets, like telnet. SOL7222 has details on this:
SOL7222: Overview of connection and persistence mirroring
https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7222.htmlbestpractice
Aaron
- hc_andy_35682
Nimbostratus
Hi Aaron,
I've read that article you mention. Thanks for the link.
What about such things as proxy servers that handle http requests? We load balance 10+ proxy servers on the F5. All currently have connection mirroring enabled. Not 100% sure if they should have connection mirroring enabled or not.
Cheers.
Andy
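The check from spark's reply, as an added example that is not part of the original thread and not F5 tooling: a small Python lint that finds `$::` global-variable references in iRule text and, where the reference is a `matchclass` argument, proposes the bare class name. The function names and the sample rule (including its `$::rejected` line) are constructed for illustration.

```python
import re

# $::name or ${::name} is a Tcl global-variable reference.
GLOBAL_REF = re.compile(r"\$(?:::(\w+)|\{::(\w+)\})")
# Opening of a matchclass command substitution.
CLASS_CMD = re.compile(r"\[\s*matchclass\b")

# Constructed sample based on the rule in the first post.
SAMPLE_IRULE = """\
when CLIENT_ACCEPTED {
    # old form: $::trustedAddresses
    if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
        log local0. "Valid client IP: [IP::client_addr]"
    } else {
        log local0. "Rejected so far: $::rejected"
        discard
    }
}
"""

def _inside_matchclass(prefix):
    """True if the text before a reference ends inside an open [matchclass ...]."""
    starts = [m.start() for m in CLASS_CMD.finditer(prefix)]
    if not starts:
        return False
    depth = 0
    for ch in prefix[starts[-1]:]:
        depth += (ch == "[") - (ch == "]")
        if depth == 0:          # the command closed before the reference
            return False
    return True

def find_global_refs(irule_text):
    """Return (line_no, name, in_matchclass, suggested_line) per $:: reference."""
    findings = []
    for line_no, line in enumerate(irule_text.splitlines(), start=1):
        if line.strip().startswith("#"):    # skip Tcl comment lines
            continue
        for m in GLOBAL_REF.finditer(line):
            name = m.group(1) or m.group(2)
            in_mc = _inside_matchclass(line[:m.start()])
            # Only a matchclass argument has the simple fix: use the bare name.
            fixed = (line[:m.start()] + name + line[m.end():]).strip() if in_mc else None
            findings.append((line_no, name, in_mc, fixed))
    return findings

if __name__ == "__main__":
    for finding in find_global_refs(SAMPLE_IRULE):
        print(finding)
```

A reference flagged with no suggested line, such as the constructed `$::rejected`, is a real global variable and needs a redesign rather than a prefix removal.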