Hello All, Appreciate your help on the requirement ,, Two sites with HTTP, HTTPS, and alt-HTTP proxying-services (StateFul flow) might have asymmetric traffic-flow which will break the established sessions. I think of building two iRules (Internal & External) which will do the following: Internal iRule: set some flag on the sessions initiated by the proxy-server; i.e tag "Local-Site". External iRule: Check the manipulated-flag, if the tag is matching "Remote-Site", forward the traffic to a specific gateway_pool. If the above logic and iRule works, I would like to know: which flag can be used to fulfill the requirement, and whether changing this flag would cause any issue from the application layer perspective. any expected performance-degradation by applying this simple iRule on +60Gbps traffic-volume. (LTM v11) Thanks & BR, Aziz

Does this help? Sounds like nPath (aka direct server return) http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_npath.html

Thanks for your response ,, I don't think it would work, as per my quick reading and understanding, the nPath solution is to bypass servers responses from getting back to the BIG-IP. I have Internet-Proxies behind my LTMs in both sites to serve the customers transparently, and each proxy will use the same customer IP to reach Internet. I was thinking if there is any method we can manipulate on http headers for example (of course not applicable for HTTPS) as most of the services configured on the LTMs are HTTP or alt-HTTP; i.e 80, 8000, 8008, 8080, etc. If we can manipulate http header by someway to stamp the packet with a specific value "Site-ID", and make sure this stamp/mark will not be overridden by any web server in the Internet, I believe this will do the job. Thanks & BR, Aziz

OK I just saw "asymmetric traffic-flow" without reading much further. I don't really understand what you are trying to do, however in general an HTTP request header insertion is a good way to signal to downstream VIPs or HTTP devices.

Hi, two ideas come to my mind: 1) is it feasible to use cookies for session persistence, as you just use http? 2) basically you can create and insert a custom http header with an iRule. You could insert the client IP or a random number with "HTTP::header insert " and write it into the header with: [HTTP::header cheers, wizz

Thank you all for your inputs ,, really valuable ,, So, couple of things I would like to confirm: - Would "HTTP::header insertion" method be applicable for HTTP and alt-HTTP services; i.e 80, 8080, 8000, etc. - Whether this HTTP insertion would be overridden by any web server ? or it will be there for the whole session. - Provide an iRule example; one to insert a random number, and the other to match that random number. - Is there any other idea that would be applicable for HTTPS ? personally I don't think so. Thanks & BR, Aziz

HTTP/HTTPS Asymmetric-Routing iRule

nitass
Employee
Apr 20, 2014
if you have evidence showing symmetric's return traffic (not internet initiated traffic) does not match existing connection in connection table, i think you can open a support case.

nitass

Employee

Apr 20, 2014

this is my testing.

 internal virtual server

[root@ve11a:Active:In Sync] config  tmsh list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 3
}
[root@ve11a:Active:In Sync] config  tmsh list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    app-service none
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

 external virtual server (i do not have proxy server, so i just use ip-forward type)

[root@ve11a:Active:In Sync] config  tmsh list ltm virtual asym
ltm virtual asym {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_immediate-timeout { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 12
}
[root@ve11a:Active:In Sync] config  tmsh list ltm profile fastl4 fastl4_immediate-timeout
ltm profile fastl4 fastl4_immediate-timeout {
    app-service none
    idle-timeout immediate
    loose-close enabled
    loose-initialization enabled
}

 trace (internal initiated traffic)

internal device ip is 200.200.200.101
external device ip is 172.28.24.1

(1) and (2) are syn. (1) is clientside (between internal and bigip) and (2) is serverside (between bigip and external)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside

internal virtual server name (lis=/Common/fwd) is shown in the trace. it is not shown on clientside's syn packet because it has not been processed by the virtual server.

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:16:24.386398 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  in slot1/tmm0 lis=
(2) 00:16:24.389269 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  out slot1/tmm0 lis=/Common/fwd
(3) 00:16:24.391033 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  in slot1/tmm0 lis=/Common/fwd
(4) 00:16:24.391046 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  out slot1/tmm0 lis=/Common/fwd
(5) 00:16:24.392630 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46  in slot1/tmm0 lis=/Common/fwd
(6) 00:16:24.392641 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/fwd

 connection table

[root@ve11a:Active:In Sync] config  tmsh show sys connection cs-client-addr 200.200.200.101 all-properties
Sys::Connections
200.200.200.101:52300 - 172.28.24.1:80 - 200.200.200.101:52300 - 172.28.24.1:80
-------------------------------------------------------------------------------
  TMM           0
  Type          any
  Acceleration  none
  Protocol      tcp
  Idle Time     6
  Idle Timeout  300
  Unit ID       1
  Lasthop       /Common/internal 00:50:56:b3:01:0b
  Virtual Path  172.28.24.1:80
  Conn Id 0

                          ClientSide             ServerSide
  Client Addr  200.200.200.101:52300  200.200.200.101:52300
  Server Addr         172.28.24.1:80         172.28.24.1:80
  Bits In                       1.4K                    960
  Bits Out                       960                   1.4K
  Packets In                       3                      2
  Packets Out                      2                      3

Total records returned: 1

 trace (external initiated traffic)

internal device ip is 200.200.200.101
external device ip is 172.28.24.1

(1) and (2) are syn. (1) is clientside (between external and bigip) and (2) is serverside (between bigip and internal)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside

internal virtual server name (lis=/Common/fwd) is shown on clientside's syn/ack packet because external virtual server does not create connection in connection table. so, syn/ack packet is handled by internal virtual server.

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:23:18.010820 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  in slot1/tmm0 lis=
(2) 00:23:18.012582 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  out slot1/tmm0 lis=/Common/asym
(3) 00:23:18.040222 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  in slot1/tmm0 lis=
(4) 00:23:18.040305 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  out slot1/tmm0 lis=/Common/fwd
(5) 00:23:18.041754 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46  in slot1/tmm0 lis=/Common/fwd
(6) 00:23:18.041770 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/fwd

 connection table (no connection because idle timeout is immediate)

[root@ve11a:Active:In Sync] config  tmsh show sys connection cs-client-addr 172.28.24.1 all-properties
Sys::Connections
Total records returned: 0

Gbps_31870
Nimbostratus
Apr 20, 2014
Thanks nitass for your reply ,, appreciated ,, I will try it later and will get back with the results ,, BR, Aziz

nitass_89166

Noctilucent

Apr 20, 2014

this is my testing.

 internal virtual server

[root@ve11a:Active:In Sync] config  tmsh list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 3
}
[root@ve11a:Active:In Sync] config  tmsh list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    app-service none
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

 external virtual server (i do not have proxy server, so i just use ip-forward type)

[root@ve11a:Active:In Sync] config  tmsh list ltm virtual asym
ltm virtual asym {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_immediate-timeout { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 12
}
[root@ve11a:Active:In Sync] config  tmsh list ltm profile fastl4 fastl4_immediate-timeout
ltm profile fastl4 fastl4_immediate-timeout {
    app-service none
    idle-timeout immediate
    loose-close enabled
    loose-initialization enabled
}

 trace (internal initiated traffic)

internal device ip is 200.200.200.101
external device ip is 172.28.24.1

(1) and (2) are syn. (1) is clientside (between internal and bigip) and (2) is serverside (between bigip and external)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside

internal virtual server name (lis=/Common/fwd) is shown in the trace. it is not shown on clientside's syn packet because it has not been processed by the virtual server.

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:16:24.386398 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  in slot1/tmm0 lis=
(2) 00:16:24.389269 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  out slot1/tmm0 lis=/Common/fwd
(3) 00:16:24.391033 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  in slot1/tmm0 lis=/Common/fwd
(4) 00:16:24.391046 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  out slot1/tmm0 lis=/Common/fwd
(5) 00:16:24.392630 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46  in slot1/tmm0 lis=/Common/fwd
(6) 00:16:24.392641 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/fwd

 connection table

[root@ve11a:Active:In Sync] config  tmsh show sys connection cs-client-addr 200.200.200.101 all-properties
Sys::Connections
200.200.200.101:52300 - 172.28.24.1:80 - 200.200.200.101:52300 - 172.28.24.1:80
-------------------------------------------------------------------------------
  TMM           0
  Type          any
  Acceleration  none
  Protocol      tcp
  Idle Time     6
  Idle Timeout  300
  Unit ID       1
  Lasthop       /Common/internal 00:50:56:b3:01:0b
  Virtual Path  172.28.24.1:80
  Conn Id 0

                          ClientSide             ServerSide
  Client Addr  200.200.200.101:52300  200.200.200.101:52300
  Server Addr         172.28.24.1:80         172.28.24.1:80
  Bits In                       1.4K                    960
  Bits Out                       960                   1.4K
  Packets In                       3                      2
  Packets Out                      2                      3

Total records returned: 1

 trace (external initiated traffic)

internal device ip is 200.200.200.101
external device ip is 172.28.24.1

(1) and (2) are syn. (1) is clientside (between external and bigip) and (2) is serverside (between bigip and internal)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside

internal virtual server name (lis=/Common/fwd) is shown on clientside's syn/ack packet because external virtual server does not create connection in connection table. so, syn/ack packet is handled by internal virtual server.

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:23:18.010820 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  in slot1/tmm0 lis=
(2) 00:23:18.012582 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  out slot1/tmm0 lis=/Common/asym
(3) 00:23:18.040222 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  in slot1/tmm0 lis=
(4) 00:23:18.040305 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  out slot1/tmm0 lis=/Common/fwd
(5) 00:23:18.041754 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46  in slot1/tmm0 lis=/Common/fwd
(6) 00:23:18.041770 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/fwd

 connection table (no connection because idle timeout is immediate)

[root@ve11a:Active:In Sync] config  tmsh show sys connection cs-client-addr 172.28.24.1 all-properties
Sys::Connections
Total records returned: 0

Gbps_31870
Nimbostratus
Apr 20, 2014
Thanks nitass for your reply ,, appreciated ,, I will try it later and will get back with the results ,, BR, Aziz

Forum Discussion

HTTP/HTTPS Asymmetric-Routing iRule

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Asymmetric routing after software-update not working anymore

Http redirection

HTTP and HTTPS from same VS

HTTPS

http to https redirect irule with an exception

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS