HTTP connection limit + cookie insert from BigIP

Thinking over this again... when the client starts a session they should request a document. They shouldn't actually be making any subsequent requests until they get back the HTTP data from the first request, as that HTTP data is what contains references to images and other files. So as long as the rule sets the ClientID cookie in that first response and the client continues to present the session cookie for every request, the rule should work as expected, regardless of whether the client uses persistent TCP connections or pipelining over the same TCP connection.

Can you test with this version of the original rule which does not ignore subsequent requests over the same TCP connection? It has additional logging of the client port, the HTTP version and the Cookie header in requests. 9.2.x doesn't have the ability to access multiple values for the same cookie name. So logging the entire Cookie line will show when multiple instances of the same cookie are present in the request.

It might also be helpful to capture a binary formatted tcpdump if you encounter a failure. You can use syntax like the following to do so:

tcpdump -ni 0.0 -s0 -w/var/tmp/session.dmp host VIP_IP or host NODE_IP

If you have multiple nodes in the pool, add them to the end of the filter string with more 'or host NODE_IP' tokens.

Here's the rule with more debug logging. Make sure to clear your browser's cookies before testing. It may also be helpful to test with multiple browser types.

when RULE_INIT {
   set ::debug 1
   set ::total_active_clients 0
   set ::max_active_clients 15
   set ::tcp_conn_counter 0
   log local0. "rule session_limit initialized: total/max: $::total_active_clients/$::max_active_clients"
}
when CLIENT_ACCEPTED {
incr ::tcp_conn_counter
}
when HTTP_REQUEST {
      
   if {$::debug}{ set uri [HTTP::uri]}
   ; test cookie presence
   if {[HTTP::cookie exists "ClientID"]} {
      set need_cookie 0
      set client_id [HTTP::cookie "ClientID"]
      if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port] (v[HTTP::version])\
     with cookie $client_id -> $uri, count: $::total_active_clients"}
      if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] |----------------------> [HTTP::header value Cookie]"}
  
   ; if cookie not present & connection limit not reached, set up client_id
   } else {
      if {$::total_active_clients < $::max_active_clients} {
         set need_cookie 1
         set client_id [format "%08d" [expr { int(100000000 * rand()) }]]
         incr ::total_active_clients
      if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port]\
         (v[HTTP::version]) with no cookie, under connection limit -> $uri, count: $::total_active_clients"}
      ; otherwise redirect
      } else {
         if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port]\
            (v[HTTP::version]) with no cookie over limit, redirected  -> $uri, count: $::total_active_clients"}
         HTTP::redirect "http://sorry.domain.com/"
         return
      }
   }
}
when HTTP_RESPONSE {
   ; insert cookie if needed
   if {$need_cookie == 1} {
      if {$::debug}{ log local0. "\[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port]\
         (v[HTTP::version]) inserting cookie: $client_id"}
      HTTP::cookie insert name "ClientID" value $client_id
   }
}
when CLIENT_CLOSED {
   ; decrement current connection counter for this client_id
   if {$::total_active_clients > 0} {
      incr ::total_active_clients -1
      if {$::debug}{ log local0. "\[$::tcp_conn_counter\] client [IP::client_addr]:[TCP::client_port]\
     closing connection with cookie $client_id -> $uri, count: $::total_active_clients"}
  }
}

Hope this helps...

Aaron