Forum Discussion

Nimbostratus

Apr 15, 2014

HTTP/HTTPS Asymmetric-Routing iRule

Hello All, Appreciate your help on the requirement ,, Two sites with HTTP, HTTPS, and alt-HTTP proxying-services (StateFul flow) might have asymmetric traffic-flow which will break the esta...

Employee

Apr 17, 2014

No, it's asymmetric in the Egress-Flow (From the end-user to Internet) and Ingress-Flow (From the Internet to end-user). The Egress traffic (upload) is going to one site, and the Ingress traffic (download) is going to a different site.

i assume it is like syn is going to one site but syn/ack is going to another.

there are loose initiation and loose close in fastl4 profile.

The FastL4 profile determines how the system handles the connection table entries. Enabling the Loose Initiation option allows the system to initialize a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation.

The Loose Close option allows the system to remove a connection when the system receives the first FIN packet from either the client or the server.

sol7595: Overview of IP forwarding virtual servers

http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html

anyway, i am thinking how we can differentiate between the first correct-site request and the wrong-site request? after receiving the wrong-site request, bigip will add it into connection table as well. that means in connection table, it will contain both correct-site and wrong-site connections.

Gbps_31870
Nimbostratus
Apr 17, 2014
That's exactly what I'm looking for ,, initially i thought it's something straight forward using iRule but it's not. It's getting complicated as the new VS i have created (AR_VS:0.0.0.0:0) with both loose initiation/close enabled seems to cover some established sessions through the LTM; i.e with no asymmetric routing. For the point you raised that wrong connection will be moved to conn-table, i think it could be overcome if they persist with GW_Pool we are forwarding to ( still I'm not sure). But why this new VS covers some established connections and how can we eliminate this. LTM VSs as following: 0.0.0.0:80 ( external) 0.0.0.0:443 (external) 0.0.0.0:8080 (external) 0.0.0.0:0 (internal - forwarding) Note that most of the sessions covered by the new VS are part of the forwarding_VS on internal vlan. Thnx for help, Aziz
Gbps_31870
Nimbostratus
Apr 17, 2014
Would the fact that forwarding VS doesn't build/maintain any connection in conn-table the reason behind these hits on the iRule? If yes, I would replace it with Performance (L4) VS. Aziz

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

HTTP/HTTPS Asymmetric-Routing iRule

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

GRPC through F5 Virtual Server [RST_STREAM with error code: INTERNAL_ERROR]

[ASM] - How to disable the SQL injection attack signatures

[ASM] : SQL-INJ "end-quote UNION" - How to allow this signature to specific url/uri/parameter only

Changes to DO and AS3 GitHub - no longer monitored

[ASM] : "Request length exceeds defined buffer size " - How to increase the limit ?

Related Content

F5 HTTPS Redirect 2025

The State Of HTTP/2 Full Proxy With F5 LTM

HTTP Multipart and Security Implications

HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)

iRule to take cookie from HTTP Response into HTTP Request via table

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS