Forum Discussion
iRule for site persistence
I have 2 active DCs and while I have set up DNS persistence on the GTM by using topology load-balancing, I am trying to go a step further to cover the case where a browser may still be redirected to the "other" DC while in a session (e.g. a user is using 2 LDNS in different geo-locations and a DNS refresh occurs while in session):
- I insert a "location" cookie to keep track of the DC. If a DC receives an HTTP request for the other DC, I want the LTM to bounce the request back to the original DC so that the session stays up. I am fully aware that I will be "tromboning" the traffic but this is still better than breaking the session.
Here is the iRule I have:
- My 2 sites are DC1 and DC2, the Virtual server's IP in DC1 is 1.1.1.1 and in DC2 2.2.2.2
iRule: in DC1:
when HTTP_REQUEST {
    set urihead [HTTP::host]
    # check the location first if wrong DC
    set loc [HTTP::cookie "location"]
    if { $loc == "DC2" } {
        log local0. "DC2 cookie detected in DC1"
        node 2.2.2.2 443
        snat automap
    }
}
when HTTP_RESPONSE {
    # sets the location cookie to local DC
    if { $loc != "DC2" } {
        HTTP::cookie insert name "location" value "DC1"
        HTTP::cookie path "location" /
        HTTP::cookie domain "location" $urihead
        HTTP::cookie secure "location" enable
    }
}
in DC2:
when HTTP_REQUEST {
    set urihead [HTTP::host]
    # check the location first if wrong DC
    set loc [HTTP::cookie "location"]
    if { $loc == "DC1" } {
        log local0. "DC1 cookie detected in DC2"
        node 1.1.1.1 443
        snat automap
    }
}
when HTTP_RESPONSE {
    # sets the location cookie to local DC
    if { $loc != "DC1" } {
        HTTP::cookie insert name "location" value "DC2"
        HTTP::cookie path "location" /
        HTTP::cookie domain "location" $urihead
        HTTP::cookie secure "location" enable
    }
}
Here is the result: I open an SSL session in DC1, then force the browser to resolve to the DC2 IP. The LTM in DC2 correctly acts upon the location cookie value being DC1 and sends traffic back to DC1 IP 1.1.1.1, but the connection is reset and there is apparently no load-balancing decision being made (just SYN, SYN-ACK, ACK between the LTM's self-IP in DC2 and 1.1.1.1). Am I totally off?
Thanks!
6 Replies
- Kevin_Stewart
Employee
Do you, by chance, have a server SSL profile applied to each VIP?
- Fabrice_Bobes_2
Nimbostratus
Hi Kevin, Yes I do have a SSL client profile associated with the VIP. Thanks
- Kevin_Stewart
Employee
No, a SERVER SSL profile. You're sending the traffic to an SSL-based IP, so you need an SSL server profile applied to the VIP. If you don't normally re-encrypt to the local pool members, then you'll need to apply a server SSL profile to the VIP and disable it via iRule for local traffic (going to the local app pool).
SSL::disable serverside
- Kevin_Stewart
Employee
when HTTP_REQUEST {
    set urihead [HTTP::host]
    # check the location first if wrong DC
    set loc [HTTP::cookie "location"]
    if { $loc == "DC2" } {
        log local0. "DC2 cookie detected in DC1"
        node 2.2.2.2 443
        snat automap
    } else {
        SSL::disable serverside
    }
}
when HTTP_RESPONSE {
    # sets the location cookie to local DC
    if { $loc != "DC2" } {
        HTTP::cookie insert name "location" value "DC1"
        HTTP::cookie path "location" /
        HTTP::cookie domain "location" $urihead
        HTTP::cookie secure "location" enable
    }
}
- Fabrice_Bobes_2
Nimbostratus
Hi Kevin,
Your answer makes a lot of sense, I feel bad now that I didn't think about it :-) I followed your suggestion and it just ... worked. This is awesome. Thanks a lot! Fabrice
- Kevin_Stewart
Employee
Thanks Fabrice. The tip-off was the complete TCP 3-way handshake. Layer 4 was working, but the next layer (SSL) was failing.
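The working version from the thread, folded into one iRule body that can be deployed in either DC by editing only the static values in RULE_INIT. This is an added example, not code from the thread or from F5; it assumes the virtual server has a server SSL profile attached (required for SSL::disable serverside to be meaningful and for the re-encrypted bounce to the remote VIP), that the local pool members are plaintext, and it adds two things the original does not have: the trombone fires only on an exact match of the known remote DC name (a missing, stale or altered cookie value is simply served locally), and the cookie is marked HttpOnly.

```tcl
# Added example: site-persistence trombone with per-site values in RULE_INIT.
# Assumed per-site settings (edit for the other DC): local_dc "DC2",
# remote_dc "DC1", remote_vip "1.1.1.1".
when RULE_INIT {
    set static::local_dc   "DC1"
    set static::remote_dc  "DC2"
    set static::remote_vip "2.2.2.2"
}
when HTTP_REQUEST {
    set urihead [HTTP::host]
    set loc [HTTP::cookie value "location"]
    # Only an exact match on the known remote DC name is honoured; anything
    # else (no cookie, unknown or tampered value) is treated as local traffic,
    # so the client can never steer the node command anywhere but remote_vip.
    if { $loc equals $static::remote_dc } {
        log local0. "$static::remote_dc cookie seen in $static::local_dc, bouncing to $static::remote_vip"
        node $static::remote_vip 443
        snat automap
        set bounce 1
    } else {
        # Local pool members are plaintext: turn the server SSL profile off
        # for this connection so the LTM does not try to speak TLS to them.
        SSL::disable serverside
        set bounce 0
    }
}
when HTTP_RESPONSE {
    # Stamp the local DC only on responses served here, and only if the
    # client is not already stamped, so the remote DC's cookie is preserved
    # on the trombone path and the cookie is not re-sent on every response.
    if { !$bounce && !($loc equals $static::local_dc) } {
        HTTP::cookie insert name "location" value $static::local_dc
        HTTP::cookie path "location" /
        HTTP::cookie domain "location" $urihead
        HTTP::cookie secure "location" enable
        HTTP::cookie httponly "location" enable
    }
}
```

When testing, the reset seen in the original post is the signature to watch for: a completed TCP handshake to the remote VIP followed by a reset means layer 4 is fine and the failure is in the TLS layer, i.e. the server SSL profile is missing or was disabled for the bounce path.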