GTM LDNS Persistence Not Adequate

Question

Hi, 
&nbsp;  
&nbsp; we are using our GTM's to distribute users connections to a SSL RAS solution. We have it set to be Round Robin between the two datacentres where the RAS devices are located. We also have LDNS persistence enabled. When testing name resolution this seems to work fine and for the majority of users it's caused no problems. 
&nbsp;  
&nbsp; However, a few users have a problem and we believe it maybe due to their ISP's using some form of load balanced DNS. The user connects initially to site A, their PC is security checked and then authenticated. Then when they launch the full VPN tunnel the DNS resolves to site B (presumably because the ISP's DNS has load balanced to a diffeerent DNS server) and the VPN connection fails. 
&nbsp;  
&nbsp; Has anyone run into anything similar? Any suggestions for a way round this? 
&nbsp;  
&nbsp; Currently we've reverted to GA with all users hitting one datacentre but we'd really like to load balance across both sites as user numbers increase. 
&nbsp;  
&nbsp; Thanks 
&nbsp;  
&nbsp; Andy

jrahm · Answer

I had a situation where I addressed this a few years back.  Here's a cleaned up version of that effort:

when HTTP_REQUEST { 
  if { [HTTP::cookie exists "ssl_persist"] } { 
 if { [catch { pool [lindex [HTTP::cookie ssl_persist] 1] member [lindex [HTTP::cookie ssl_persist] 2] [lindex [HTTP::cookie ssl_persist] 3] }] } { 
 HTTP::redirect "https://[lindex [HTTP::cookie ssl_persist] 0]/[HTTP::uri]/" 
 } else { 
 pool [lindex [HTTP::cookie ssl_persist] 1] member [lindex [HTTP::cookie ssl_persist] 2] [lindex [HTTP::cookie ssl_persist] 3]  
  } 
 } 
 } 
 when HTTP_RESPONSE { 
     HTTP::cookie insert name ssl_persist value [concat [virtual name] [LB::server]] 
 }

Note that in the redirect line, the first element in the list is the virtual name, not the address, so if it is not the FQDN of your local virtual (not the GTM wideIP), then you'll need to provide some means to extract that.  This can be handled in a data class like this and then extracted with findclass:

class mySiteVips { 
   mySiteAVipName my.siteA.VipFQDN 
   mySiteBVipName my.siteB.VipFQDN 
 } 
  
 HTTP::redirect "https://[findclass [lindex [HTTP::cookie ssl_persist] 0] $::mySiteVips " "]/[HTTP::uri]/"

HTH... 🙂

andrew_deackes_ · Answer

Hi Citizen Elah, 
&nbsp;  
&nbsp; thanks for the advice, we may have to try that. However, for now I've changed this config so both datacentre IP's are in a pool and the pool uses Static-Persist. I've also amended the perist mask to /24 so that hopefully we'll get an even distribution of resolution across the two sites and DNS servers from the same subnet will get the same answer. 
&nbsp;  
&nbsp; If we still have problems I'll be giving your iRule a try! 
&nbsp;  
&nbsp; Cheers 
&nbsp;  
&nbsp; Andy

Forum Discussion

GTM LDNS Persistence Not Adequate

Recent Discussions

ASM Export JSON - size Limit ?

Can i apply ddos profile on virtual server using port range

I used the wrong email account when take Application Delivery Exam (101)

F5 iControl REST API - viewBy Parameter Issue in Analytics Report

'F5 rules for AWS WAF' ruleset not working for jsp web shell attack

Related Content

GTM return LDNS IP to client

Setting up persistence in F5 XC

SOCKS5 SSL Persistence

Weblogic JSessionID Persistence

Decoding the IPv4 address from the persistence cookie

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS