Got a proposal from one of our devs this AM, who wants to set up the following scenario on an LTM. He proposes a group of clients, all trying almost constantly to connect with a VIP. The VIP allows only one connection to be established at a time, holding it until a client closes the connection or 30sec, whichever comes first. There's no data being sent over this connection, it's essentially being used as a token or signal flag (all the clients that can't get a connection freeze a parallel-processed internal task of some kind until they do make one). He sees this as the fastest way for the parallel process to communicate. Seems fairly straightforward with Connection Limiting and a single box in a pool for the connections to go to. My question is whether there's any way for the LTM itself to hold that connection open for 30sec or until closed by the client, without requiring a server on the other side. I saw an old thread here about using OneConnect, but I don't think that's quite what I'm looking for. Or is it?

Hi Vince, That's an interesting scenerio. Have you looked at throttling http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPRequestThrottle.html http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_throttle_alternative.html http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=11484 I think from here you could Frankenstein together an iRule that will work for you. I hope this helps Bhattman

Thanks for the response - didn't think any kind of iRule fancy-dancing would be required just to allow a single connection at a time (or maybe the 30sec timeout is what raises that bar?). I'm just trying to find out if there's a way to do this solely on the LTM, with no server for the connection to actually go to.

Hi Vince, I think the part which will be difficult is the 30 second to kill a connection w/o using an iRule. Bhattman

Fair 'nuff. But what about the no-server part? Anyone?

The vip has a setting which allows you to enter the amount of connection allowed. Default is 0 which means no limit on connection. You can set that to 1 and that is pretty much the only connection it will at a time. Thanks Bhattman

Hold Connection / No Pool

The_Bhattman
Nimbostratus
Feb 18, 2010
Hi Vince,

That's an interesting scenerio.

Have you looked at throttling

http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPRequestThrottle.html

http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_throttle_alternative.html

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=11484

I think from here you could Frankenstein together an iRule that will work for you.

I hope this helps

Bhattman
Vince_Beltz_959
Nimbostratus
Feb 18, 2010
Thanks for the response - didn't think any kind of iRule fancy-dancing would be required just to allow a single connection at a time (or maybe the 30sec timeout is what raises that bar?). I'm just trying to find out if there's a way to do this solely on the LTM, with no server for the connection to actually go to.
The_Bhattman
Nimbostratus
Feb 18, 2010
Hi Vince,

I think the part which will be difficult is the 30 second to kill a connection w/o using an iRule.

Bhattman
Vince_Beltz_959
Nimbostratus
Feb 18, 2010
Fair 'nuff. But what about the no-server part? Anyone?
The_Bhattman
Nimbostratus
Feb 18, 2010
The vip has a setting which allows you to enter the amount of connection allowed. Default is 0 which means no limit on connection. You can set that to 1 and that is pretty much the only connection it will at a time.

Thanks

Bhattman
hoolio
Cirrostratus
Feb 19, 2010
I don't think there is a practical way to queue connections on LTM whether it's with an iRule or not. See this post for details from Colin and Spark:

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=2149321872

Aaron
Vince_Beltz_959
Nimbostratus
Feb 19, 2010
We aren't looking to set up a queue, just a mob of clients all jostling for that one available connection. As soon as it's released, they all compete for it again. No load balance or prioritizing, just the one that gets lucky and gets a TCP connection for a maximum of 30sec. Experimenting now with simply setting up a tcp profile that has a 30sec idle timeout.
L4L7_53191
Nimbostratus
Feb 19, 2010
Another option is to use the table command, available in 10.1. I don't know what version you're using, but this particular use case seems to be pretty well suited for it.

But even then a rule may not be required (I'm not 100% clear on the use case here, so I could be wrong). Regarding the no-server bit, that's not an issue assuming you're in full proxy mode. The VIP will establish the handshake, and fire CLIENT_ACCPTED. As long as they don't send any data to us, we'll hold that connection open and it'll be subject to our tcp profile timeout. You may well be able to achieve this design simply with the idle timeout of 30 on a custom tcp profile and a connection limit of 1 set on the virtual server.

Please post back the results. Also, I'd love to hear more about the overall architecture if you're willing to share.

-Matt
hoolio
Cirrostratus
Feb 21, 2010
Of if either the client or server do send data, you could use the after command called from CLIENT_ACCEPTED and kill the client connection after 30 seconds.

Aaron
Vince_Beltz_959
Nimbostratus
Mar 17, 2010
Anyone still reading this?

I set up a test VIP with the connection limited to one, and the dev who made the original request just got around to testing. Watching connections via Wireshark, it appears that the LTM is sending a RST almost immediately after finishing the three-way handshake, presumably because there's no pool behind the VIP. Any ideas on what we can do to prevent that?

10.00000010.110.192.15667.63.60.145TCP38346 > 65535 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

20.00188467.63.60.14510.110.192.156TCP65535 > 38346 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460

30.00192010.110.192.15667.63.60.145TCP38346 > 65535 [ACK] Seq=1 Ack=1 Win=65535 Len=0

40.00339467.63.60.14510.110.192.156TCP65535 > 38346 [RST, ACK] Seq=1 Ack=1 Win=4380 Len=0