Forum Discussion
andrew_deackes_
Nimbostratus
Dec 16, 2008
GTM LDNS Persistence Not Adequate
Hi,
we are using our GTMs to distribute users' connections to an SSL RAS solution. We have it set to be Round Robin between the two datacentres where the RAS devices are located. We also have LDNS persistence enabled. When testing name resolution this seems to work fine and for the majority of users it's caused no problems.
However, a few users have a problem and we believe it may be due to their ISPs using some form of load balanced DNS. The user connects initially to site A, their PC is security checked and then authenticated. Then when they launch the full VPN tunnel the DNS resolves to site B (presumably because the ISP's DNS has load balanced to a different DNS server) and the VPN connection fails.
Has anyone run into anything similar? Any suggestions for a way round this?
Currently we've reverted to GA with all users hitting one datacentre but we'd really like to load balance across both sites as user numbers increase.
Thanks
Andy
2 Replies
JRahm
Admin
I had a situation where I addressed this a few years back. Here's a cleaned up version of that effort:

```tcl
when HTTP_REQUEST {
    if { [HTTP::cookie exists "ssl_persist"] } {
        # Cookie value is a Tcl list: "<virtual name> <pool> <member address> <member port>"
        # (written in HTTP_RESPONSE below)
        set persist [HTTP::cookie ssl_persist]
        set vip     [lindex $persist 0]
        set pname   [lindex $persist 1]
        set maddr   [lindex $persist 2]
        set mport   [lindex $persist 3]
        # Try to select the member the client was first balanced to. If that
        # pool/member is unknown on this BIG-IP (the request landed in the other
        # datacentre), send the client back to the virtual it started on.
        # [HTTP::uri] already starts with "/", so it is appended without an extra slash.
        if { [catch { pool $pname member $maddr $mport }] } {
            HTTP::redirect "https://$vip[HTTP::uri]"
        } else {
            pool $pname member $maddr $mport
        }
    }
}
when HTTP_RESPONSE {
    # [LB::server] returns "<pool> <address> <port>"; prefixing the virtual name
    # gives the 4-element list the HTTP_REQUEST event expects
    HTTP::cookie insert name ssl_persist value [concat [virtual name] [LB::server]]
}
```

Note that in the redirect line, the first element in the list is the virtual name, not the address, so if it is not the FQDN of your local virtual (not the GTM wideIP), then you'll need to provide some means to extract that. This can be handled in a data class like this and then extracted with findclass:

```tcl
class mySiteVips {
    mySiteAVipName my.siteA.VipFQDN
    mySiteBVipName my.siteB.VipFQDN
}
```

```tcl
# findclass looks up the virtual name in the class and, with " " as the
# separator, returns the FQDN that follows it on the matching line
HTTP::redirect "https://[findclass [lindex [HTTP::cookie ssl_persist] 0] $::mySiteVips " "][HTTP::uri]"
```

HTH... 🙂
andrew_deackes_
Nimbostratus
Hi Citizen Elah,
thanks for the advice, we may have to try that. However, for now I've changed this config so both datacentre IPs are in a pool and the pool uses Static-Persist. I've also amended the persist mask to /24 so that hopefully we'll get an even distribution of resolution across the two sites and DNS servers from the same subnet will get the same answer.
If we still have problems I'll be giving your iRule a try!
Cheers
Andy
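A small runnable model of the two behaviours discussed in this thread, added here as an example; it is not code from the posts above and it is not F5's implementation. It models "round robin + LDNS persistence" as a table keyed by the masked resolver address, and "static persist" as a hash of that masked prefix (the SHA-256 hash is an assumption for illustration, not GTM's real algorithm). The site names, VIP addresses and the two ISP resolver addresses are constructed placeholders.

```python
import hashlib
import ipaddress

# Constructed sample data (not from the thread): two datacentre VIPs served by one
# wide IP. RFC 5737 TEST-NET addresses are used as placeholders.
SITES = {
    "siteA": "192.0.2.10",
    "siteB": "198.51.100.10",
}


def persist_key(ldns_ip: str, mask_len: int) -> str:
    """Apply the persistence mask to the LDNS address and return the prefix,
    e.g. ('203.0.113.9', 24) -> '203.0.113.0/24'. With /32 every resolver is
    its own key; with /24 all resolvers in one subnet share a key."""
    net = ipaddress.ip_network(f"{ldns_ip}/{mask_len}", strict=False)
    return str(net)


class RoundRobinLdnsPersist:
    """Model of 'round robin + LDNS persistence': the first time a key is seen
    it gets the next site in rotation, and that answer is then pinned to the key."""

    def __init__(self, sites=SITES, mask_len=32):
        self.sites = sorted(sites)
        self.mask_len = mask_len
        self.table = {}      # persist key -> site name
        self._next = 0

    def resolve(self, ldns_ip: str) -> str:
        key = persist_key(ldns_ip, self.mask_len)
        if key not in self.table:
            self.table[key] = self.sites[self._next % len(self.sites)]
            self._next += 1
        return self.table[key]


def static_persist(ldns_ip: str, mask_len: int, sites=SITES) -> str:
    """Model of a hash-based (static) persistence method: the masked LDNS prefix
    is hashed and the hash picks the site, so no per-client state is kept and the
    same prefix always gets the same answer. SHA-256 is an assumption made for
    this illustration, not BIG-IP GTM's actual hash."""
    names = sorted(sites)
    digest = hashlib.sha256(persist_key(ldns_ip, mask_len).encode()).digest()
    return names[int.from_bytes(digest[:4], "big") % len(names)]


def session_is_consistent(resolve, ldns_ips) -> bool:
    """True if every lookup one client session makes (possibly via different ISP
    resolvers) lands on the same site; False reproduces the VPN failure above."""
    answers = {resolve(ip) for ip in ldns_ips}
    return len(answers) == 1


# Constructed: the user's ISP spreads queries over two resolvers in one /24
ISP_RESOLVERS = ["203.0.113.5", "203.0.113.9"]

if __name__ == "__main__":
    for mask in (32, 24):
        rr = RoundRobinLdnsPersist(mask_len=mask)
        answers = [rr.resolve(ip) for ip in ISP_RESOLVERS]
        ok = session_is_consistent(rr.resolve, ISP_RESOLVERS)
        print(f"round robin + LDNS persist /{mask}: {answers} "
              f"{'consistent' if ok else 'BROKEN (site changes mid-session)'}")

    sp24 = lambda ip: static_persist(ip, 24)
    answers = [sp24(ip) for ip in ISP_RESOLVERS]
    print(f"static persist /24: {answers} "
          f"{'consistent' if session_is_consistent(sp24, ISP_RESOLVERS) else 'BROKEN'}")

    # Distribution across many distinct /24 prefixes stays roughly even
    counts = {}
    for third in range(256):
        site = static_persist(f"203.0.{third}.1", 24)
        counts[site] = counts.get(site, 0) + 1
    print("static persist /24 over 256 subnets:", counts)
```

Running it shows the failure mode from the first post with a /32 mask (the second resolver is a new key and is handed the next site in rotation), and that widening the mask to /24, with either persistence method, gives both resolvers the same answer while different subnets still spread across the two sites.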