Forum Discussion

Rein_Tollevik's avatar
Rein_Tollevik
Icon for Nimbostratus rankNimbostratus
Apr 04, 2018

Enabling ASM in LTM policies causes policy and irule events to be evaluated twice

We are using LTM policies to route traffic to the correct pool based on the Host: header and URL in the request. The policy action also modifies headers in the request, including the Host: header itself, and assigns an ASM policy to the request.

 

The assignment of ASM policy appear to trigger a second evaluation of the LTM policy, as the matching of the Host: header must include the new value assigned to the request for the ASM policy assignment to take place. This appear to also trigger (at least) the HTTP_REQUEST iRule event to be fired twice.

 

Apart from the vaste of cpu cycles that must be the result of the duplicated evaluation, it is annoying that the effects taken by the LTM policy and iRule are duplicated. We use the iRule to log the request, and are seeing a lot of duplicated log entries.

 

Is this a known issue? The system is running version 12.1.2 HF2. The virtual server also have an APM profile attached, and the standard oneconnect profile, although I don't know if that matters.

 

  • Hello Rein,

     

    just so there is no confusion, can you please trigged your logs in the following event: HTTP_REQUEST_RELEASE instead HTTP_REQUEST.

     

    I just want to make sure that the query is only processed once by F5 and that it is not just a mismatch in terms of capture.

     

    Regards

     

  • I guess the issue is caused by APM and not ASM with LTM Policies.

     

    Did you configure APM with clientless mode?

     

    when working with clientless mode, first packet matches LTM policies, then HTTP_REQUEST, then ACCESS_SESSION_STARTED. when session is allowed, the request is retried (like HTTP::retry), so it evaluate again LTM policies, then HTTP_REQUEST

     

  • Hello,

    Is it possible to use LTM policy for load balancing as well? Since you already using the LTM policies for assigning the ASM plicies, so it would be better to use LTM poliy for load balancing as well to avoid any confusion.

    Also, it is always better to avoid using irules if you will be able to do the same function with any other LTM objects (as ltm policy) because irules will have more processing than ltm policy.

    As JRahm mentioned in the below link:

    "Of course, iRules still provide greater flexibility, but as long as the needs are met in a policy, that should be the first choice."

    https://community.f5.com/t5/technical-articles/verifying-local-traffic-policy-and-irule-precedence/ta-p/278886

    Thanks,