Forum Discussion
How to remove session persistency from an IRule
Here are the scrubbed F5 rules.
We have two pools for destination xxx.xx.xx.yyy:443:
oam_server_80 and oaam_server_80.
By default, all traffic, i.e. /oam, goes to the pool oam_server_80 and only /oaam_server goes to the pool oaam_server_80.
What we observe using the same browser client with two transactions:
1. start with uri /oam
2. start with uri /oaam_server
It works as designed.
What we observe using the same browser client with two transactions:
1. start with uri /oaam_server
2. start with uri /oam
For the 2nd request, /oam always goes to pool oaam_server_80.
Any suggestions?
~~~
ltm virtual /Common/sso.fake.xyz_ssl {
    destination /Common/xxx.xx.xx.yyy:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/oam_server_80
    profiles {
        /Common/http { }
        /Common/sso.fake.xyz_ssl {
            context clientside
        }
        /Common/tcp { }
    }
    rules {
        /Common/oaam_server
    }
    snatpool /Common/FakeCompany_Web_SNAT
    vlans {
        /Common/LB_FW_VLAN_3227
    }
    vlans-enabled
}
~~~
~~~
ltm pool /Common/oam_server_80 {
    members {
        /Common/111.22.3346:80 {
            address 111.22.3346
        }
        /Common/111.22.3348:80 {
            address 111.22.3348
        }
    }
    monitor /Common/tcp
}
~~~
~~~
ltm profile client-ssl /Common/sso.fake.xyz_ssl {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/199104280-sso.fake.xyz.crt
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    handshake-timeout 60
    key /Common/199104280-sso.fake.xyz.key
    mod-ssl-methods disabled
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}
~~~
~~~
ltm rule /Common/oaam_server {
    # oaam_server
    # Creation Date: 12/03/2015 D. URL sso.fake.xyz/oaam_server redirects to pool oaam_server_80
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            pool oaam_server_80
        }
    }
}
~~~
~~~
ltm pool /Common/oaam_server_80 {
    members {
        /Common/111.22.3350:80 {
            address 111.22.3350
        }
        /Common/111.22.3351:80 {
            address 111.22.3351
        }
    }
    monitor /Common/http
}
~~~
3 Replies
- robert_yu_16_24
Nimbostratus
~~~
ltm rule /Common/oaam_server {
    # oaam_server
    # Creation Date: 12/03/2015 D. URL sso.fake.xyz/oaam_server redirects to pool oaam_server_80
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            persist none
            pool oaam_server_80
        }
    }
}
~~~
We made this change and disabled then re-enabled the front-end VIP, but it is still not working.
- VernonWells
Employee
DevCentral has a mode for specifically adding code and configuration in a cleanly formatted box. It is done by putting ~~~ on a line by itself, followed by the code/config, followed by ~~~ again, also on a line by itself. Formatting code and configuration this way makes it much easier to read those entities. I strongly recommend doing this in the future. For reference, I provide your configuration formatted in this fashion here (I also inserted some whitespace to make things a bit more legible):
~~~
ltm virtual /Common/sso.fake.xyz_ssl {
    destination /Common/xxx.xx.xx.yyy:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/oam_server_80
    profiles {
        /Common/http { }
        /Common/sso.fake.xyz_ssl {
            context clientside
        }
        /Common/tcp { }
    }
    rules {
        /Common/oaam_server
    }
    snatpool /Common/FakeCompany_Web_SNAT
    vlans {
        /Common/LB_FW_VLAN_3227
    }
    vlans-enabled
}

ltm pool /Common/oam_server_80 {
    members {
        /Common/111.22.3346:80 {
            address 111.22.3346
        }
        /Common/111.22.3348:80 {
            address 111.22.3348
        }
    }
    monitor /Common/tcp
}

ltm profile client-ssl /Common/sso.fake.xyz_ssl {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/199104280-sso.fake.xyz.crt
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    handshake-timeout 60
    key /Common/199104280-sso.fake.xyz.key
    mod-ssl-methods disabled
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}

ltm pool /Common/oaam_server_80 {
    members {
        /Common/111.22.3350:80 {
            address 111.22.3350
        }
        /Common/111.22.3351:80 {
            address 111.22.3351
        }
    }
    monitor /Common/http
}

ltm rule /Common/oaam_server {
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            persist none
            pool oaam_server_80
        }
    }
}
~~~
Alright. Having done that, a point of clarification is useful. Persistence, in LTM, relates to the load-balancing selection within a pool, not across pools. In any case, it does not appear that you have added a persistence profile to the Virtual Server object, so the persist none will have no effect (it is used to disable the configured persistence before a load-balancing decision is made, and in this case, no persistence is applied, so there is nothing to "disable").
When you say the user-agent performs "two transactions", do you mean within a single TCP connection (which means HTTP Keepalive is active) or across TCP connections? If it is the former, that explains what you are seeing. With your current configuration, each flow is being load-balanced, not each message within the flow, even though HTTP_REQUEST fires on each message. Calling pool, however, will force a new load-balancing decision each time it is called.
If this is in fact the issue, there are several ways to tackle this. One method is to add the OneConnect profile to the HTTP Virtual Server. This will cause HTTP to essentially switch to message-based load-balancing (with load aggregation on the server-side). If you don't mind message multiplexing on the server-side, then this is the easiest way to solve the problem. The second method is to explicitly invoke the pool for all conditions. As I mentioned above, invoking pool forces an explicit detach and re-load-balance. The third method is to disable HTTP Keepalives on the client side. When this is done, each message will be in a separate TCP connection, so each message will be independently load-balanced. Here is code for each of the latter two solutions:
Option 2:
~~~
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/oaam_server" } {
        pool oaam_pool
    } else {
        pool oam_pool
    }
}
~~~
Option 3:
~~~
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/oaam_server" } {
        pool oaam_pool
    }
}
when HTTP_RESPONSE {
    HTTP::close
}
~~~
And the CLI required for the first:
~~~
tmsh modify ltm virtual /Common/sso.fake.xyz_ssl profiles add { oneconnect {} }
~~~
- VernonWells
Employee
Oh, and I see now that in my code snippets, I didn't get the pool names quite right, but hopefully you follow, nonetheless :).
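As an added illustration of the reasoning in the reply above (this is not code from the thread, from F5, or from any poster), the following Python model reproduces the symptom and shows why each of the three remedies clears it. The model is an assumption about LTM behaviour distilled from the reply: without OneConnect the load-balancing decision is made once per TCP flow, a `pool` command in HTTP_REQUEST forces a fresh decision, and OneConnect or closing the connection after each response makes every request independent. Pool and URI names follow the thread; the `Flow` class and `route` function are constructed here for the simulation.

```python
"""Toy model of LTM pool selection for HTTP requests on one client connection.

Added example; not code from the DevCentral thread or from F5. It models the
behaviour described in the reply, not TMOS internals, and exists only to show
why requests on a keep-alive connection follow the first pool chosen.
"""

DEFAULT_POOL = "oam_server_80"   # the virtual server's default pool
OAAM_POOL = "oaam_server_80"     # pool selected by the iRule for /oaam_server


class Flow:
    """One client TCP connection and the pool it has been attached to."""

    def __init__(self):
        self.pool = None  # None until the first load-balancing decision


def irule_original(uri):
    """Original rule: `pool` runs only for /oaam_server; otherwise nothing."""
    return OAAM_POOL if uri.startswith("/oaam_server") else None


def irule_explicit(uri):
    """Option 2: invoke `pool` on every request, including the default branch."""
    return OAAM_POOL if uri.startswith("/oaam_server") else DEFAULT_POOL


def route(uris, irule, oneconnect=False, close_after_response=False):
    """Return the pool each request lands in.

    Requests are sent in order on a single keep-alive connection, unless
    close_after_response is set, in which case each request arrives on a
    fresh connection (Option 3, HTTP::close in HTTP_RESPONSE).
    """
    flow = Flow()
    chosen = []
    for uri in uris:
        explicit = irule(uri)
        if explicit is not None:
            # `pool` in HTTP_REQUEST forces a new load-balancing decision.
            flow.pool = explicit
        elif flow.pool is None or oneconnect:
            # First request on the flow, or per-message balancing (OneConnect):
            # fall back to the virtual server's default pool.
            flow.pool = DEFAULT_POOL
        # Otherwise the flow stays attached to the pool already chosen.
        chosen.append(flow.pool)
        if close_after_response:
            flow = Flow()  # next request starts with no decision made
    return chosen


def reproduce_symptom():
    """The failing order from the question: /oaam_server then /oam."""
    return route(["/oaam_server", "/oam"], irule_original)


def fixes():
    """The same request order under each of the three remedies."""
    uris = ["/oaam_server", "/oam"]
    return {
        "oneconnect": route(uris, irule_original, oneconnect=True),
        "explicit_pool": route(uris, irule_explicit),
        "close_connection": route(uris, irule_original, close_after_response=True),
    }


if __name__ == "__main__":
    print("working order :", route(["/oam", "/oaam_server"], irule_original))
    print("failing order :", reproduce_symptom())
    for name, result in fixes().items():
        print(f"{name:17}:", result)
```

Running the module prints the working order as `['oam_server_80', 'oaam_server_80']`, the failing order as `['oaam_server_80', 'oaam_server_80']`, and every remedy as `['oaam_server_80', 'oam_server_80']`. The model also makes clear why `persist none` changed nothing: persistence never enters the decision at all here, since the flow's attachment to a pool, not member persistence within a pool, is what carries the second request to the wrong place.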