Forum Discussion

elito_26780
May 01, 2007

Global persistency with cookie

I found a case study that shows how to implement global cookie persistency with GTM. Here it is: http://www.f5.com/solutions/success/pdfs/casestudy_irule.pdf

This is the suggested code to do the job:

when HTTP_REQUEST {
    if { [HTTP::cookie exists "my_cookie"] } {
        # Cookie layout after decrypt: "<virtual name> <pool> <member addr> <port>"
        HTTP::cookie decrypt "my_cookie" "iggus99!"
        set vipid [lindex [HTTP::cookie my_cookie] 0]
        set poolid [lindex [HTTP::cookie my_cookie] 1]
        set serverid [lindex [HTTP::cookie my_cookie] 2]
        set portid [lindex [HTTP::cookie my_cookie] 3]
        # If the member is not in a local pool, send the client back to the original VS
        # (older iRule syntax, as in the case study)
        if { [catch { use pool $poolid member $serverid $portid }] } {
            log "$serverid:$portid not local, redirecting to https://$vipid/[HTTP::uri]/"
            redirect to "https://$vipid/[HTTP::uri]/"
            reject
            return
        } else {
            use pool $poolid member $serverid $portid
        }
    }
}
when HTTP_RESPONSE {
    # Record which virtual server, pool and member served the response, then encrypt
    HTTP::cookie insert name my_cookie value [concat [virtual name] [LB::server]]
    HTTP::cookie encrypt "my_cookie" "iggus99!"
}

What I miss here is a check whether the original VS is up. Otherwise I might be sending the client to a dead VS. How can I do it with iRules?
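A hardened form of the rule above, written here as an added example (it is not the case study's code): it validates the four cookie fields before using them and resolves the virtual server's NAME to an address through a data group before redirecting. The data group name vip_map, its "<virtual name> <public address>" entry layout and the v9-style commands are assumptions. It does not answer the question of whether the remote VS is up, since that state is not visible to a rule on the local LTM.

```tcl
# Added example, not from the case study: the same persistence cookie with
# field validation and a NAME -> address lookup so the redirect never uses a
# bare virtual server name. Assumes a string data group (class) "vip_map"
# whose entries read "<virtual name> <public address>" (hypothetical).
when HTTP_REQUEST {
   if { [HTTP::cookie exists "my_cookie"] } {
      HTTP::cookie decrypt "my_cookie" "iggus99!"
      # Layout written by HTTP_RESPONSE: "<virtual name> <pool> <member addr> <port>"
      set fields [split [HTTP::cookie value "my_cookie"] " "]
      set serverid [lindex $fields 2]
      set portid   [lindex $fields 3]
      # Anything that is not four fields with an IPv4 address and a numeric port
      # is treated as a broken or tampered cookie: drop it and let normal LB choose
      if { [llength $fields] != 4 || ![regexp {^\d{1,3}(\.\d{1,3}){3}$} $serverid] \
           || ![regexp {^\d{1,5}$} $portid] } {
         HTTP::cookie remove "my_cookie"
         return
      }
      set vipid  [lindex $fields 0]
      set poolid [lindex $fields 1]
      # Local case: the pool exists on this unit, so pin the client to that member
      if { ![catch { pool $poolid member $serverid $portid }] } {
         return
      }
      # Remote case: the cookie only carries the virtual's NAME; resolve it via the
      # class so the redirect target is a real address (findclass returns the text
      # after the separator of the matching entry, or "" when nothing matches)
      set vipaddr [findclass $vipid $::vip_map " "]
      if { $vipaddr eq "" } {
         log local0. "my_cookie names unknown virtual '$vipid'; cookie dropped"
         HTTP::cookie remove "my_cookie"
         return
      }
      log local0. "$serverid:$portid not local, redirecting to https://$vipaddr[HTTP::uri]"
      HTTP::redirect "https://$vipaddr[HTTP::uri]"
   }
}
when HTTP_RESPONSE {
   # Record the serving virtual, pool and member, then encrypt the cookie
   HTTP::cookie insert name "my_cookie" value "[virtual name] [LB::server]"
   HTTP::cookie encrypt "my_cookie" "iggus99!"
}
```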

5 Replies

  • The rule was written to meet a requirement for clients who could not be persisted within the application (hardcoded 1-minute refresh utilizing name only). The 3DNS was configured to round robin, so the client was redirected nearly every minute for data refresh, which caused real problems since the SLA on data sync on the backend was 5 minutes.

    That aside, there is no assurance that the redirect will succeed. Also, what's missing above is that the vipid variable will be set with only a name; the class needs to be configured so that the vip IP can be extracted as a result of the supplied vip NAME. Otherwise, you'll end up with Tcl errors.
  • Thanks!

    Is there any way, using iRules, to determine Virtual Server status in a global setup? I believe it requires some integration with iQuery. Is there one?
  • When you say global setup, are you indicating usage of GTM? GTM can be configured to monitor virtual server health via active monitors, via the iQuery communication to an LTM, or both. I haven't done much with GTM in regards to iRules, but I do know the options here are limited because there really isn't a data path involved.
  • Maybe it's the wrong place to ask about GTM, but I'll appreciate your answer.

    How do GTMs share information with each other? I thought via iQuery, but you mention that iQuery is used between GTM and LTM.
  • This isn't the right forum, but since the thread has already been started...

    GTM uses iQuery to communicate with other GTM devices, but iQuery is also used by GTM to get vip status (availability/traffic stats/etc.) from LTM. GTM can use active monitors for non-F5 load balancers or hosts.

    I just completed 4 months of GTM testing, so if you'd like to contact me offline please feel free. Since the documentation is a little sketchy on how to get all the pieces to work together, here is the process I use to build the foundation of a GTM environment:

    Add all GTM/LTM systems (not the mgmt IP) in the GTM GUI:
    Global Traffic->Data Centers->Servers

    Define sync group (change from the default) in the GTM GUI:
    System->General Properties->Global->General

    Generate Certificates on all GTM/LTM:

    gencert -n $hostname.domain 1024

    openssl req -new -key /config/ssl/ssl.key/$hostname.domain.key -x509 -out /config/ssl/ssl.crt/$hostname.domain.crt -days $days_til_desired_expiration
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:$COUNTRY
    State or Province Name (full name) [Some-State]:$STATE
    Locality Name (eg, city) []:$CITY
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:$ORG
    Organizational Unit Name (eg, section) []:$UNIT
    Common Name (eg, YOUR name) []:$hostname.domain
    Email Address []:

    cp /config/ssl/ssl.key/$hostname.domain.key /config/httpd/conf/ssl.key/server.key
    cp: overwrite `/config/httpd/conf/ssl.key/server.key'? y
    cp /config/ssl/ssl.crt/$hostname.domain.crt /config/httpd/conf/ssl.crt/server.crt
    cp: overwrite `/config/httpd/conf/ssl.crt/server.crt'? y
    cp /config/ssl/ssl.crt/$hostname.domain.crt /config/big3d/client.crt
    cp: overwrite `/config/big3d/client.crt'? y
    cp /config/ssl/ssl.crt/$hostname.domain.crt /config/gtm/server.crt
    cp: overwrite `/config/gtm/server.crt'? y

    EXCHANGE CERTIFICATES
    Do not use the management IP.

    bigip_add $hostname.domain from each GTM to each LTM/GTM in the design
    big3d_install $hostname.domain from initial GTM to each LTM in the design
    gtm_add $hostname.domain from each additional GTM to the initial GTM

    VERIFY COMMUNICATION
    Run iqdump from each GTM to all other GTM units and all LTM units to make sure iQuery communication is successful. Do not use the management IP.

    iqdump $hostname.domain

    Global communication is complete at this point. Now all further configuration can be confined to 1 GTM in the sync group (except system-specific configuration, of course).