Gbps_31870
Apr 15, 2014 (Nimbostratus)
HTTP/HTTPS Asymmetric-Routing iRule
Hello All,
Appreciate your help on the requirement ,,
Two sites with HTTP, HTTPS, and alt-HTTP proxying-services (StateFul flow) might have asymmetric traffic-flow which will break the esta...
nitass
Employee
This is my testing.
internal virtual server
[root@ve11a:Active:In Sync] config tmsh list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 3
}
[root@ve11a:Active:In Sync] config tmsh list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    app-service none
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}
external virtual server (I do not have a proxy server, so I just use the ip-forward type)
[root@ve11a:Active:In Sync] config tmsh list ltm virtual asym
ltm virtual asym {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_immediate-timeout { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 12
}
[root@ve11a:Active:In Sync] config tmsh list ltm profile fastl4 fastl4_immediate-timeout
ltm profile fastl4 fastl4_immediate-timeout {
    app-service none
    idle-timeout immediate
    loose-close enabled
    loose-initialization enabled
}
trace (internal initiated traffic)
internal device ip is 200.200.200.101
external device ip is 172.28.24.1
(1) and (2) are syn. (1) is clientside (between internal and bigip) and (2) is serverside (between bigip and external)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside
The internal virtual server name (lis=/Common/fwd) is shown in the trace. It is not shown on the clientside SYN packet because that packet has not been processed by the virtual server.
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:16:24.386398 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840 in slot1/tmm0 lis=
(2) 00:16:24.389269 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840 out slot1/tmm0 lis=/Common/fwd
(3) 00:16:24.391033 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792 in slot1/tmm0 lis=/Common/fwd
(4) 00:16:24.391046 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792 out slot1/tmm0 lis=/Common/fwd
(5) 00:16:24.392630 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46 in slot1/tmm0 lis=/Common/fwd
(6) 00:16:24.392641 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46 out slot1/tmm0 lis=/Common/fwd
connection table
[root@ve11a:Active:In Sync] config tmsh show sys connection cs-client-addr 200.200.200.101 all-properties
Sys::Connections
200.200.200.101:52300 - 172.28.24.1:80 - 200.200.200.101:52300 - 172.28.24.1:80
-------------------------------------------------------------------------------
TMM 0
Type any
Acceleration none
Protocol tcp
Idle Time 6
Idle Timeout 300
Unit ID 1
Lasthop /Common/internal 00:50:56:b3:01:0b
Virtual Path 172.28.24.1:80
Conn Id 0
ClientSide ServerSide
Client Addr 200.200.200.101:52300 200.200.200.101:52300
Server Addr 172.28.24.1:80 172.28.24.1:80
Bits In 1.4K 960
Bits Out 960 1.4K
Packets In 3 2
Packets Out 2 3
Total records returned: 1
trace (external initiated traffic)
internal device ip is 200.200.200.101
external device ip is 172.28.24.1
(1) and (2) are syn. (1) is clientside (between external and bigip) and (2) is serverside (between bigip and internal)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside
The internal virtual server name (lis=/Common/fwd) is shown on the clientside SYN/ACK packet because the external virtual server does not create a connection in the connection table, so the SYN/ACK packet is handled by the internal virtual server.
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:23:18.010820 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840 in slot1/tmm0 lis=
(2) 00:23:18.012582 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840 out slot1/tmm0 lis=/Common/asym
(3) 00:23:18.040222 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792 in slot1/tmm0 lis=
(4) 00:23:18.040305 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792 out slot1/tmm0 lis=/Common/fwd
(5) 00:23:18.041754 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46 in slot1/tmm0 lis=/Common/fwd
(6) 00:23:18.041770 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46 out slot1/tmm0 lis=/Common/fwd
connection table (no connection because idle timeout is immediate)
[root@ve11a:Active:In Sync] config tmsh show sys connection cs-client-addr 172.28.24.1 all-properties
Sys::Connections
Total records returned: 0
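The two traces above show the behaviour in the lis= field: on the internally initiated flow both the SYN and the SYN/ACK are processed by /Common/fwd, while on the externally initiated flow the SYN is handled by /Common/asym and the SYN/ACK arrives with an empty lis= (no connection-table entry) and is picked up by /Common/fwd, which only works because that virtual server's fastL4 profile has loose-initialization enabled. The script below is an added example, not code from the post or from F5: it parses BIG-IP tcpdump lines in the format quoted above, groups packets into flows, and reports for each flow which listener handled the SYN and the SYN/ACK, whether the SYN/ACK matched an existing connection, and therefore whether a loose-init profile was required. The sample traces are the lines quoted in the post with the "(n)" markers removed; the interpretation of an empty lis= as "no matching connection" is taken from the post and is the assumption the check rests on.

```python
import re
from collections import defaultdict

# BIG-IP tcpdump line: timestamp, endpoints, TCP flags, seq/ack/win fields,
# then the BIG-IP specific suffix "in|out slotX/tmmY lis=<virtual server>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<tcp>.*?) "
    r"(?P<dir>in|out) (?P<tmm>slot\d+/tmm\d+) lis=(?P<lis>\S*)$"
)

# Constructed sample input: the two captures quoted in the post, without the (n) markers.
INTERNAL_TRACE = [
    "00:16:24.386398 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840 in slot1/tmm0 lis=",
    "00:16:24.389269 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840 out slot1/tmm0 lis=/Common/fwd",
    "00:16:24.391033 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792 in slot1/tmm0 lis=/Common/fwd",
    "00:16:24.391046 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792 out slot1/tmm0 lis=/Common/fwd",
    "00:16:24.392630 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46 in slot1/tmm0 lis=/Common/fwd",
    "00:16:24.392641 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46 out slot1/tmm0 lis=/Common/fwd",
]
EXTERNAL_TRACE = [
    "00:23:18.010820 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840 in slot1/tmm0 lis=",
    "00:23:18.012582 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840 out slot1/tmm0 lis=/Common/asym",
    "00:23:18.040222 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792 in slot1/tmm0 lis=",
    "00:23:18.040305 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792 out slot1/tmm0 lis=/Common/fwd",
    "00:23:18.041754 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46 in slot1/tmm0 lis=/Common/fwd",
    "00:23:18.041770 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46 out slot1/tmm0 lis=/Common/fwd",
]


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, tcp = m["flags"], m["tcp"]
    if "S" in flags:
        kind = "SYN/ACK" if "ack" in tcp else "SYN"
    elif "F" in flags:
        kind = "FIN"
    elif "R" in flags:
        kind = "RST"
    else:
        kind = "ACK"
    return {
        "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "kind": kind, "dir": m["dir"], "tmm": m["tmm"], "lis": m["lis"],
    }


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation land in one flow."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def summarize_flow(pkts):
    """Work out which listener processed the handshake and whether loose-init was needed."""
    def first(kind, direction):
        return next((p for p in pkts if p["kind"] == kind and p["dir"] == direction), None)

    syn_out = first("SYN", "out")          # lis= here is the VS that created the flow
    synack_in = first("SYN/ACK", "in")     # empty lis= means no connection-table match
    synack_out = first("SYN/ACK", "out")   # lis= here is the VS that finally handled it
    syn_lis = syn_out["lis"] if syn_out else ""
    synack_lis = synack_out["lis"] if synack_out else ""
    matched = bool(synack_in and synack_in["lis"])
    return {
        "syn_listener": syn_lis,
        "synack_listener": synack_lis,
        "synack_matched_existing_conn": matched,
        # Handshake halves processed by different virtual servers: the asymmetric case.
        "asymmetric": bool(syn_lis and synack_lis and syn_lis != synack_lis),
        # A SYN/ACK with no matching connection is only accepted by a loose-init listener.
        "needs_loose_init": bool(synack_out) and not matched,
    }


def summarize_trace(lines):
    """Group a capture into flows and summarize each one."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            flows[flow_key(pkt)].append(pkt)
    return [summarize_flow(pkts) for pkts in flows.values()]


if __name__ == "__main__":
    for name, trace in (("internal", INTERNAL_TRACE), ("external", EXTERNAL_TRACE)):
        for s in summarize_trace(trace):
            print(name, s)
```

Run against a live capture (tcpdump -nni 0.0 -s0 port 80, as in the post) the same way: any flow reported with needs_loose_init set to True is one where the return half of the handshake was accepted without a connection-table entry, so the listener named in synack_listener must carry a profile with loose-initialization enabled or that traffic would be dropped.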
Gbps_31870
Apr 20, 2014 (Nimbostratus)
Thanks nitass for your reply, appreciated.
I will try it later and will get back with the results.
BR,
Aziz