HTTP/HTTPS Asymmetric-Routing iRule

Does this help? Sounds like nPath (aka direct server return) http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_npath.html

OK I just saw "asymmetric traffic-flow" without reading much further.

I don't really understand what you are trying to do, however in general an HTTP request header insertion is a good way to signal to downstream VIPs or HTTP devices.

Hi,

two ideas come to my mind:

1) is it feasible to use cookies for session persistence, as you just use http?

2) basically you can create and insert a custom http header with an iRule. You could insert the client IP or a random number with "HTTP::header insert " and write it into the header with: [HTTP::header

cheers, wizz

Alright, let's go through your points:

1) you can insert http headers as long as the protocol is http, no matter if you use the standard tcp port 80 or anything else

2) if you use a custom http header field the web server should not modify it at all. maybe if you use something like the X-Forwarded-For header field it could be used and adapted by web servers for different reasons

3) Unfortunately I'm not the greatest programmer, but I can think about this. Maybe someone from the community could do his magic? :-)

4) do you perform SSL offloading on the BigIP? Otherwise it will be tricky. Depending on how much https traffic you are facing, you could balance all https traffic through one path (but I'm not sure if you can apply automatic failover in this case) or you could use session cookies. Of course if the client or browser do not support cookies this will not work either. Maybe for https session cookie with fallback to source IP can be applicable.

cheers, wizz

just wondering what http/https asymmetric routing means.

is it something like one user sending requests to both sites (e.g. request1/response1 goes to site1 but request2/response2 goes to site2)?

just wondering what http/https asymmetric routing means.

is it something like one user sending requests to both sites (e.g. request1/response1 goes to site1 but request2/response2 goes to site2)?

No, it's asymmetric in the Egress-Flow (From the end-user to Internet) and Ingress-Flow (From the Internet to end-user). The Egress traffic (upload) is going to one site, and the Ingress traffic (download) is going to a different site.

i assume it is like syn is going to one site but syn/ack is going to another.

there are loose initiation and loose close in fastl4 profile.

The FastL4 profile determines how the system handles the connection table entries. Enabling the Loose Initiation option allows the system to initialize a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation.

The Loose Close option allows the system to remove a connection when the system receives the first FIN packet from either the client or the server.

sol7595: Overview of IP forwarding virtual servers

anyway, i am thinking how we can differentiate between the first correct-site request and the wrong-site request? after receiving the wrong-site request, bigip will add it into connection table as well. that means in connection table, it will contain both correct-site and wrong-site connections.

No, it's asymmetric in the Egress-Flow (From the end-user to Internet) and Ingress-Flow (From the Internet to end-user). The Egress traffic (upload) is going to one site, and the Ingress traffic (download) is going to a different site.

i assume it is like syn is going to one site but syn/ack is going to another.

there are loose initiation and loose close in fastl4 profile.

The FastL4 profile determines how the system handles the connection table entries. Enabling the Loose Initiation option allows the system to initialize a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation.

The Loose Close option allows the system to remove a connection when the system receives the first FIN packet from either the client or the server.

sol7595: Overview of IP forwarding virtual servers

anyway, i am thinking how we can differentiate between the first correct-site request and the wrong-site request? after receiving the wrong-site request, bigip will add it into connection table as well. that means in connection table, it will contain both correct-site and wrong-site connections.

But why this new VS covers some established connections and how can we eliminate this.

i understand it creates entry in connection table unless we set immediately idle timeout. in that case, we need 2 virtual servers; one handles request and the other one handles reply.

What if we apply two iRules; one in the forwarding_VS (internal) and other on the new Perf_VS with FastL4 profile (External). I didn't get your point in your last post; but mostly the traffic subject to Asyemmetric routing is the reply traffic (Internet to LTM).

iRule1 (internal)

when CLIENT_ACCEPTED { set Bypass 1 log local0. “EST_CON IP: [IP::client_addr] TCP: [TCP::client_port]” }

iRule2 (external)

when CLIENT_ACCEPTED { if {$Bypass == 1} { return } elseif { switch -glob [TCP::local_port] { "80" - "443" - "8080" {pool AR-GW log local0. “AR_CON IP: [IP::client_addr] TCP: [TCP::client_port]” } } } else { drop log local0. “DR_CON IP: [IP::client_addr] TCP: [TCP::client_port]” }

}

Thnx, Aziz