Forum Discussion

Gbps_31870's avatar
Gbps_31870
Icon for Nimbostratus rankNimbostratus
Apr 15, 2014

HTTP/HTTPS Asymmetric-Routing iRule

Hello All,   Appreciate your help on the requirement ,,   Two sites with HTTP, HTTPS, and alt-HTTP proxying-services (StateFul flow) might have asymmetric traffic-flow which will break the esta...
application delivery
design
devops
iRules
LTM
virtualization
nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
Apr 17, 2014

No, it's asymmetric in the Egress-Flow (From the end-user to Internet) and Ingress-Flow (From the Internet to end-user). The Egress traffic (upload) is going to one site, and the Ingress traffic (download) is going to a different site.

i assume it is like syn is going to one site but syn/ack is going to another.

there are loose initiation and loose close in fastl4 profile.

The FastL4 profile determines how the system handles the connection table entries. Enabling the Loose Initiation option allows the system to initialize a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation.

The Loose Close option allows the system to remove a connection when the system receives the first FIN packet from either the client or the server.

sol7595: Overview of IP forwarding virtual servers

http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html

anyway, i am thinking how we can differentiate between the first correct-site request and the wrong-site request? after receiving the wrong-site request, bigip will add it into connection table as well. that means in connection table, it will contain both correct-site and wrong-site connections.

  • Gbps_31870's avatar
    Gbps_31870
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2014
    That's exactly what I'm looking for ,, initially i thought it's something straight forward using iRule but it's not. It's getting complicated as the new VS i have created (AR_VS:0.0.0.0:0) with both loose initiation/close enabled seems to cover some established sessions through the LTM; i.e with no asymmetric routing. For the point you raised that wrong connection will be moved to conn-table, i think it could be overcome if they persist with GW_Pool we are forwarding to ( still I'm not sure). But why this new VS covers some established connections and how can we eliminate this. LTM VSs as following: 0.0.0.0:80 ( external) 0.0.0.0:443 (external) 0.0.0.0:8080 (external) 0.0.0.0:0 (internal - forwarding) Note that most of the sessions covered by the new VS are part of the forwarding_VS on internal vlan. Thnx for help, Aziz
  • Gbps_31870's avatar
    Gbps_31870
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2014
    Would the fact that forwarding VS doesn't build/maintain any connection in conn-table the reason behind these hits on the iRule? If yes, I would replace it with Performance (L4) VS. Aziz