Forum Discussion
Josh_Hildebran1
Nimbostratus
Nimbostratusconnection pooling proxies & cookie persistence
I did some sniffs of external and internal NICs on my BigIP and filtered by a single IP address which I believe to be a proxy server of some type.
I wrote a Ethereal filter that shows all the bad HTTP requests that are going to the wrong node, based on the cookie that is inserted by the F5 not matching with the node it was sent to.
It appears that this proxy server is doing TCP connection pooling and is just sending random requests down open connections to the same VIP IP address. And the F5 isn't looking at the cookie's in each request to see if it needs to redirect the HTTP.Request to some other node. This is bad when there are numerous people/browsers all hitting our VIP from behind this proxy. Their requests are being randomized by the connection pooling done by their proxy server. That sort of kills my cookie-insert persistence!
I'm not sure what to do. What is the official or unofficial stance from F5 or others on this?
Clearly, I could probably write an irule to make this one src IP go to a different pool. Perhaps a pool that has priorities set, so only one server is used at a time. But, I'd rather find a different way to handle it. This must be a common issue w/ all clients trying to use cookie persistence. I'd rather not have to make a list of naughty-connection-pooling-proxies for an irule.
-Kyoo
- We here at DevCentral are the folks who work on the API (iControl) and the onboard packet inspector/scripting language (iRules). If you have a question about building iControl apps or writing iRules, this is the place for you.
If this is an iRules related question, please provide us some more information, like the rule in question, and some of the configuration (pool, VIP, etc) surrounding the problem.
If this isn't an iRules problem, then unfortunately, this isn't the place for product technical support. We simply aren't staffed to handle that side of things. You'll need to talk to the folks in our product support department for questions like these.
They can be easily contacted here: Click here - https://websupport.f5.com/csp/logon.asp
A good place to start looking for information is often Click here - http://tech.f5.com/askf5/jsp/combined/index.jsp
Thanks,
-Colin 
James_Clover_40I have the same problem. I'm using the BigIP to balance between my Portal servers and some back-end servers. When the BigIP sees an HTTP connection for the second time, it ignores the whole cookie insertion persistence logic.
I'm looking at writing an iRule for this and saw your post. Didja figure it out?
Thanks,
James
Josh_Hildebran1Hi James.. I solved, it but not with an iRule. Here was the Tech Support response that helped me solve this issue.
Hi Josh,
You are correct in that BIGIP is not looking for cookies in connections once the session is established. This is by design, the idea being that once a session is established, there is no longer a need to make a loadbalancing decision (ie, look for a cookie).
However, with the OneConnect profile, we should be able to get BIGIP to inspect every header. I would like you to try the following:
--create a custom OneConnect profile based on the stock OneConnect profile
--adjust the source mask to 255.255.255.255
--apply this new OneConnect profile to your virtual and retest.
This should force BIGIP to inspect for cookies.
Here is some information on OneConnect for you:
http://tech.f5.com/home/bigip-next/manuals/bigip9_2_2/bigip9_2_2config/BIG-IP_9_2_2ltm_guide-06-1.htmlwp1187154
Let me know how it goes.
Thanks!
Lynn Curtis
F5 Networks Support | www.f5.com
International: +800-11275435 | USA: 1-888-882-7535- James_Clover_40Josh,
Thanks for the help - I had actually arrived at this fix independently, but verification is great!
Thanks again,
James