Forum Discussion
Vince_Beltz_959
Nimbostratus
Feb 18, 2010
Hold Connection / No Pool
Got a proposal from one of our devs this AM, who wants to set up the following scenario on an LTM.
He proposes a group of clients, all trying almost constantly to connect with a VIP. The VIP allows only one connection to be established at a time, holding it until a client closes the connection or 30sec, whichever comes first. There's no data being sent over this connection, it's essentially being used as a token or signal flag (all the clients that can't get a connection freeze a parallel-processed internal task of some kind until they do make one). He sees this as the fastest way for the parallel process to communicate.
Seems fairly straightforward with Connection Limiting and a single box in a pool for the connections to go to. My question is whether there's any way for the LTM itself to hold that connection open for 30sec or until closed by the client, without requiring a server on the other side. I saw an old thread here about using OneConnect, but I don't think that's quite what I'm looking for. Or is it?
15 Replies
- The_Bhattman
Nimbostratus
Hi Vince,
That's an interesting scenario.
Have you looked at throttling?
http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPRequestThrottle.html
http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_throttle_alternative.html
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=11484
I think from here you could Frankenstein together an iRule that will work for you.
I hope this helps
Bhattman
- Vince_Beltz_959
Nimbostratus
Thanks for the response - didn't think any kind of iRule fancy-dancing would be required just to allow a single connection at a time (or maybe the 30sec timeout is what raises that bar?). I'm just trying to find out if there's a way to do this solely on the LTM, with no server for the connection to actually go to.
- The_Bhattman
Nimbostratus
Hi Vince,
I think the part which will be difficult is the 30 second to kill a connection w/o using an iRule.
Bhattman
- Vince_Beltz_959
Nimbostratus
Fair 'nuff. But what about the no-server part? Anyone?
- The_Bhattman
Nimbostratus
The VIP has a setting which allows you to enter the number of connections allowed. Default is 0, which means no limit on connections. You can set that to 1 and that is pretty much the only connection it will allow at a time.
Thanks
Bhattman
- hoolio
Cirrostratus
I don't think there is a practical way to queue connections on LTM whether it's with an iRule or not. See this post for details from Colin and Spark:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=2149321872
Aaron
- Vince_Beltz_959
Nimbostratus
We aren't looking to set up a queue, just a mob of clients all jostling for that one available connection. As soon as it's released, they all compete for it again. No load balance or prioritizing, just the one that gets lucky and gets a TCP connection for a maximum of 30sec. Experimenting now with simply setting up a tcp profile that has a 30sec idle timeout.
- L4L7_53191
Nimbostratus
Another option is to use the table command, available in 10.1. I don't know what version you're using, but this particular use case seems to be pretty well suited for it.
But even then a rule may not be required (I'm not 100% clear on the use case here, so I could be wrong). Regarding the no-server bit, that's not an issue assuming you're in full proxy mode. The VIP will establish the handshake, and fire CLIENT_ACCEPTED. As long as they don't send any data to us, we'll hold that connection open and it'll be subject to our tcp profile timeout. You may well be able to achieve this design simply with the idle timeout of 30 on a custom tcp profile and a connection limit of 1 set on the virtual server.
Please post back the results. Also, I'd love to hear more about the overall architecture if you're willing to share.
-Matt
- hoolio
Cirrostratus
Or if either the client or server does send data, you could use the after command called from CLIENT_ACCEPTED and kill the client connection after 30 seconds.
Aaron
- Vince_Beltz_959
Nimbostratus
Anyone still reading this?
I set up a test VIP with the connection limited to one, and the dev who made the original request just got around to testing. Watching connections via Wireshark, it appears that the LTM is sending a RST almost immediately after finishing the three-way handshake, presumably because there's no pool behind the VIP. Any ideas on what we can do to prevent that?
1  0.000000  10.110.192.156  67.63.60.145    TCP  38346 > 65535 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
2  0.001884  67.63.60.145    10.110.192.156  TCP  65535 > 38346 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460
3  0.001920  10.110.192.156  67.63.60.145    TCP  38346 > 65535 [ACK] Seq=1 Ack=1 Win=65535 Len=0
4  0.003394  67.63.60.145    10.110.192.156  TCP  65535 > 38346 [RST, ACK] Seq=1 Ack=1 Win=4380 Len=0
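
Added example, not part of the original thread: a Python check that reads Wireshark summary rows like the four packets quoted above and reports flows that the server side reset shortly after the handshake completed, before any payload was sent. The whitespace-separated column layout, the `early_resets` name and the one-second window are assumptions made for the example.

```python
import re

# Constructed sample: the four packets quoted in the thread, one per line,
# as whitespace-separated Wireshark summary columns.
CAPTURE = """\
1 0.000000 10.110.192.156 67.63.60.145 TCP 38346 > 65535 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
2 0.001884 67.63.60.145 10.110.192.156 TCP 65535 > 38346 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460
3 0.001920 10.110.192.156 67.63.60.145 TCP 38346 > 65535 [ACK] Seq=1 Ack=1 Win=65535 Len=0
4 0.003394 67.63.60.145 10.110.192.156 TCP 65535 > 38346 [RST, ACK] Seq=1 Ack=1 Win=4380 Len=0
"""

ROW = re.compile(
    r"^\s*\d+\s+(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\].*\bLen=(?P<len>\d+)"
)

def early_resets(text, window=1.0):
    """Find flows the server reset within `window` seconds of the client's
    handshake ACK, before either side sent payload.
    Returns a list of (client, server, seconds_held)."""
    flows = {}  # (client, server) -> [stage, time of handshake ACK]
    hits = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # not a TCP summary row
        t = float(m["t"])
        flags = {f.strip() for f in m["flags"].split(",")}
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if flags == {"SYN"}:
            flows[(src, dst)] = ["syn", None]
        elif flags == {"SYN", "ACK"} and (dst, src) in flows:
            flows[(dst, src)][0] = "synack"
        elif flags == {"ACK"} and flows.get((src, dst), [None])[0] == "synack":
            flows[(src, dst)] = ["open", t]
        elif "RST" in flags and flows.get((dst, src), [None])[0] == "open":
            held = t - flows.pop((dst, src))[1]
            if held <= window:
                hits.append((dst, src, round(held, 6)))
        elif int(m["len"]) > 0:
            # Payload was exchanged: no longer an idle "token" connection.
            flows.pop((src, dst), None)
            flows.pop((dst, src), None)
    return hits

if __name__ == "__main__":
    for client, server, held in early_resets(CAPTURE):
        print(f"{server} reset {client} {held * 1000:.3f} ms after the handshake")
```

Run against a capture taken after a configuration change, an empty result means no connection was reset inside the window, which is the behaviour the 30-second hold needs.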