
Forum Discussion

Steve_Knapp
Apr 14, 2014

cookie persistence not working in iRule

I have the below iRule which sets cookie persistence on a specific HTTP request based on a field in the URI and then again on LB Select (didn't think it was needed but it's not working :-)). But when I run the iRule, the log (below screen shot) shows the connections bouncing between pool members 10.110.3.12 and 10.110.3.11, so no persistence. Any help would be much appreciated.

    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /login?sso=b&service=https%3A%2F%2Foam-qaq.infarmbureau.com%2FCSPWeb%2Flogin.csps
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : SSO Pool selected by URI or IP is pool-B
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : 10.110.3.12 is the pool member selected
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1 contains no cookie BIGipServerap-tcsso.infarmbureau.com_https_pool on vip /Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to pool /Common/ap-tcsso.infarmbureau.com_https_pool and member 10.110.3.12:443
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /css/oam.css
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /js/oam_login.js
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /js/cufon-yui.js
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : 10.110.3.12 is the pool member selected
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1 contains no cookie BIGipServerap-tcsso.infarmbureau.com_https_pool on vip /Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to pool /Common/ap-tcsso.infarmbureau.com_https_pool and member 10.110.3.12:443
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /images/logo.png
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : 10.110.3.11 is the pool member selected
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1 contains no cookie BIGipServerap-tcsso.infarmbureau.com_https_pool on vip /Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to pool /Common/ap-tcsso.infarmbureau.com_https_pool and member 10.110.3.11:443
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /images/paperless.jpg
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /js/jquery-1.11.0.min.js
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : 10.110.3.12 is the pool member selected
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1 contains no cookie BIGipServerap-tcsso.infarmbureau.com_https_pool on vip /Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to pool /Common/ap-tcsso.infarmbureau.com_https_pool and member 10.110.3.12:443
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /js/lanee_400.font.js
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : 10.110.3.11 is the pool member selected
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1 contains no cookie BIGipServerap-tcsso.infarmbureau.com_https_pool on vip /Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to pool /Common/ap-tcsso.infarmbureau.com_https_pool and member 10.110.3.11:443
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /images/connect_with_us.jpg
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : 10.110.3.12 is the pool member selected
    Apr 14 15:10:35 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : Request from client: 10.141.4.1 contains no cookie BIGipServerap-tcsso.infarmbureau.com_https_pool on vip /Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to pool /Common/ap-tcsso.infarmbureau.com_https_pool and member 10.110.3.12:443
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /images/auto_id_card.jpg
    Apr 14 15:10:35 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /images/bar.png
    Apr 14 15:10:36 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : URI = /images/vertical_red_bar.jpg

2 Replies

  • Why don't you assign a persist cookie insert profile to your vs so you don't need to use the iRule to touch it?

    ltm persistence cookie my_ck {
        cookie-name my_ck
        defaults-from cookie
        method insert
    }
    

    Also do you have the oneconnect profile enabled? Not having it could be affecting you as the LB decision only gets made once per TCP connection without oneconnect.

    Try the iRule below, as well as assigning the profile to the virtual and enabling oneconnect, and hopefully you'll be able to see it working - at least it should be easier to see what is happening.

    when HTTP_REQUEST {
        set debug 1
        if {$debug} {
            # per request identifier
            set prefix "\[[expr {int(rand() * 10000)}]\] "
            log local0. "${prefix}URI = [HTTP::uri], cookies [HTTP::cookie names]"
        }
        # OR in any further conditions ("other stuff") for each member in the tests below
        if {[HTTP::uri] contains "sso-a"} {
            if {$debug} {log local0. "${prefix}Selecting member 10.110.3.11"}
            pool ap-tcsso.infarmbureau.com_https_pool member 10.110.3.11
        } elseif {[HTTP::uri] contains "sso-b"} {
            if {$debug} {log local0. "${prefix}Selecting member 10.110.3.12"}
            pool ap-tcsso.infarmbureau.com_https_pool member 10.110.3.12
        }
    }
    when LB_SELECTED {
        # log the pool member the load-balancing decision actually picked
        if {$debug} {log local0. "${prefix}pool [LB::server pool] member [LB::server addr]:[LB::server port]"}
    }
    when HTTP_RESPONSE {
        # This is where you should see the cookies being returned to the client
        if {$debug} {log local0. "${prefix}Set-Cookie [HTTP::header Set-Cookie]"}
    }
    
  • Thanks. That was very helpful. There was already a cookie persistence set on the virtual but I think it was the oneconnect profile that did the trick. Also, very slick the random number prefix - makes sifting through the logs much easier. VERY much appreciated!
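A way to quantify the member flapping visible in the question's log, as an added example that is not code from the thread: it parses the "contains no cookie ... assigned to pool ... and member" lines written by the poster's iRule and counts, per client and virtual server, how often consecutive requests landed on a different member. The sample lines are rebuilt from the log excerpt in the question; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input rebuilt from the log excerpt in the question (same host, rule
# name and member order); the templates only avoid repeating the long lines.
_HDR = ("Apr 14 15:10:35 wb-f5lb1-qa info {tmm}[8917]: "
        "Rule /Common/ifb_irule_oam_qaq_persist_sso : ")
_ASSIGN = ("Request from client: 10.141.4.1 contains no cookie "
           "BIGipServerap-tcsso.infarmbureau.com_https_pool on vip "
           "/Common/ap-tcsso.infarmbureau.com_https_vs; request was assigned to "
           "pool /Common/ap-tcsso.infarmbureau.com_https_pool and member {m}:443")
_ORDER = [("tmm", "10.110.3.12"), ("tmm", "10.110.3.12"), ("tmm", "10.110.3.11"),
          ("tmm1", "10.110.3.12"), ("tmm1", "10.110.3.11"), ("tmm1", "10.110.3.12")]
SAMPLE_LOG = "\n".join(
    [_HDR.format(tmm="tmm") + "URI = /css/oam.css"]  # non-matching line, skipped
    + [_HDR.format(tmm=t) + _ASSIGN.format(m=m) for t, m in _ORDER])

ASSIGN_RE = re.compile(
    r"Request from client: (?P<client>\S+) contains no cookie (?P<cookie>\S+) "
    r"on vip (?P<vip>\S+); request was assigned to pool (?P<pool>\S+) "
    r"and member (?P<member>\S+)$")


def persistence_report(log_text):
    """Per (client, vip): members in order, cookie-less requests, member switches."""
    report = defaultdict(lambda: {"members": [], "no_cookie": 0, "switches": 0})
    for line in log_text.splitlines():
        m = ASSIGN_RE.search(line.strip())
        if m is None:
            continue
        entry = report[(m["client"], m["vip"])]
        if entry["members"] and entry["members"][-1] != m["member"]:
            entry["switches"] += 1  # consecutive requests hit different members
        entry["members"].append(m["member"])
        entry["no_cookie"] += 1     # every matched line reports a missing cookie
    return dict(report)


def flapping_clients(report):
    """Keys whose requests were spread over more than one pool member."""
    return sorted(key for key, v in report.items() if len(set(v["members"])) > 1)


if __name__ == "__main__":
    for key, v in persistence_report(SAMPLE_LOG).items():
        print(key, v["no_cookie"], "requests without cookie,", v["switches"], "switches")
```

Running the same report over a log captured after a configuration change shows whether the cookie-less requests and member switches actually dropped.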