Forum Discussion
How to remove session persistency from an IRule
DevCentral has a mode for specifically adding code and configuration in a cleanly formatted box. It is done by putting ~~~ on a line by itself, followed by the code/config, followed by ~~~ again, also on a line by itself. Formatting code and configuration this way makes it much easier to read those entities. I strongly recommend doing this in the future. For reference, I provide your configuration formatted in this fashion here (I also inserted some whitespace to make things a bit more legible):
~~~
ltm virtual /Common/sso.fake.xyz_ssl {
    destination /Common/xxx.xx.xx.yyy:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/oam_server_80
    profiles {
        /Common/http { }
        /Common/sso.fake.xyz_ssl { context clientside }
        /Common/tcp { }
    }
    rules {
        /Common/oaam_server
    }
    snatpool /Common/FakeCompany_Web_SNAT
    vlans { /Common/LB_FW_VLAN_3227 }
    vlans-enabled
}

ltm pool /Common/oam_server_80 {
    members {
        /Common/111.22.3346:80 { address 111.22.3346 }
        /Common/111.22.3348:80 { address 111.22.3348 }
    }
    monitor /Common/tcp
}

ltm profile client-ssl /Common/sso.fake.xyz_ssl {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/199104280-sso.fake.xyz.crt
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    handshake-timeout 60
    key /Common/199104280-sso.fake.xyz.key
    mod-ssl-methods disabled
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}

ltm pool /Common/oaam_server_80 {
    members {
        /Common/111.22.3350:80 { address 111.22.3350 }
        /Common/111.22.3351:80 { address 111.22.3351 }
    }
    monitor /Common/http
}

ltm rule /Common/oaam_server {
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            persist none
            pool oaam_server_80
        }
    }
}
~~~
Alright. Having done that, a point of clarification is useful. Persistence, in LTM, relates to the load-balancing selection within a pool, not across pools. In any case, it does not appear that you have added a persistence profile to the Virtual Server object, so the persist none will have no effect (it is used to disable the configured persistence before a load-balancing decision is made, and in this case, no persistence is applied, so there is nothing to "disable").
When you say the user-agent performs "two transactions", do you mean within a single TCP connection (which means HTTP-Keepalive is active) or across TCP connections? If it is the former, that explains what you are seeing. With your current configuration, each flow is being load-balanced, not each message within the flow, even though HTTP_REQUEST fires on each message. Calling pool, however, will force a new load-balancing decision each time it is called.
If this is in fact the issue, there are several ways to tackle this. One method is to add the OneConnect profile to the HTTP Virtual Server. This will cause HTTP to essentially switch to message-based load-balancing (with load aggregation on the server-side). If you don't mind message multiplexing on the server-side, then this is the easiest way to solve the problem. The second method is to explicitly invoke the pool for all conditions. As I mentioned above, invoking pool forces an explicit detach and reload-balance. The third method is to disable HTTP Keepalives on the client side. When this is done, each message will be in a separate TCP connection, so each message will be independently load-balanced. Here is code for each of the latter two solutions:
Option 2:
~~~
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/oaam_server" } {
        pool oaam_pool
    } else {
        pool oam_pool
    }
}
~~~
Option 3:
~~~
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/oaam_server" } {
        pool oaam_pool
    }
}

when HTTP_RESPONSE {
    HTTP::close
}
~~~
And the CLI required for the first:
~~~
tmsh modify ltm virtual /Common/sso.fake.xyz_ssl profiles add { oneconnect {} }
~~~
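Added example, not part of the original reply: a temporary diagnostic iRule that answers the question raised above, namely whether the two transactions share one TCP connection and how many load-balancing decisions that connection receives. The variable names and the `local0.` log facility are assumptions chosen for illustration.

```tcl
# Diagnostic iRule (added example). Attach it to the virtual server
# temporarily and read the resulting entries in /var/log/ltm.

when CLIENT_ACCEPTED {
    # One identifier per client-side TCP connection (hypothetical variable names).
    set conn_id "[IP::client_addr]:[TCP::client_port]"
    set lb_decisions 0
}

when HTTP_REQUEST {
    # HTTP::request_num counts requests on this connection; a value above 1
    # means keep-alive is reusing the connection.
    set req_num [HTTP::request_num]
    # Log the path only: query strings on an SSO site may carry tokens.
    set req_path [HTTP::path]
}

when LB_SELECTED {
    # Fires only when LTM actually makes a load-balancing decision.
    incr lb_decisions
    log local0. "conn=$conn_id req=$req_num lb_decision=$lb_decisions pool=[LB::server pool] member=[LB::server addr]:[LB::server port]"
}

when HTTP_RESPONSE {
    # Records which server answered this particular request.
    log local0. "conn=$conn_id req=$req_num path=$req_path served_by=[IP::server_addr]:[TCP::server_port] lb_decisions=$lb_decisions"
}
```

If `req` climbs on the same `conn` while `lb_decisions` stays at 1, the requests are riding a single per-connection load-balancing decision. Remove the rule once the behaviour is confirmed, since it logs every request.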
