iRule not applied immediately

Hi Ahmad,

 

 

As far as I'm aware, changes to an iRule should be initialised immediately even for existing connections. How are you modifying the iRule? How long after you update the iRule do you see the old version being logged? Which LTM version are you testing with?

 

 

Aaron

Aaron, that is not correct: existing connections will not have their existing iRules changed.

 

 

Ahmad, if you are editing the bigip.conf file by hand, you'll need to do a "b load" for the new iRules to take effect. If that isn't the problem, and you're talking about existing connections, then, as I said above, there is no way to make existing connections use the new iRule.

Hi Spark,

 

 

I remember seeing runtime TCL errors in response events for variables not existing, when adding a new iRule. If I remember correctly the variable should have been set in the HTTP request event. So it seemed like the iRule was added mid-connection. Or maybe the new iRule was applied when a new serverside connection was established? Any ideas, or is my memory failing me?

 

 

Aaron

There have been a small number of CRs that could cause the wrong iRule to be executed in certain circumstances, so the scenario you describe is plausible. However, the intended behavior is for the same iRules to be executed over the life of a connection.

Thanx guys;

 

 

How are you modifying the iRule?

 

from F5 control panel Local Traffic ›› iRules : iRule List ›› Site_Redirect >> Update

 

 

How long after you update the iRule do you see the old version being logged?

 

i am not sure , but definitely more than 5 minutes ..

 

 

Which LTM version are you testing with?

 

BIG-IP 10.1.0 Build 3341.0 Final

 

 

Actually must of our users connect to F5 through a proxy, which means that the connection from the proxy IP is always up, i am not sure if this is the reason or not,

 

 

to double check I changed the iRule log version number today to "ver4" and asked one of my friends to initiate a connection using different proxy and i found that the updated iRule executed with ver4 on the log for his connection, while i am still getting the old "ver3" iRule when connected through the production proxy.

 

 

do you think that this is the reason ? how to enforce the iRule over the mid-connection of proxy ?

 

do you think that session persistence has anything to do with that ?

 

 

Yes, that does clearly seem to be the reason. I don't think persistence is involved. There is no way to make a new iRule take effect in the middle of a connection.

 

 

If your application is using HTTP, then you might be able to configure a maximum number of requests on the LTM such that it will close the connection from the proxy after (for example) 10 or 100 requests. This would allow the new iRule to take effect relatively quickly, with probably a negligible performance impact.

Another option would be to leave the request limit unset and only update the iRule during low traffic periods or a maintenance window. You could then use 'b conn' to clear the connections for the particular VIP to force all clients to re-establish a connection to the VIP and use the new version of the iRule. The downside to this is that you'd drop the connections, but the benefit is that you wouldn't need to restrict the re-use of connections from the proxy or other clients.

 

 

Aaron

I see similar behavior on 10.1 - "b load" works most of the time to correct this behavior (90% of the time). Also, I find updating iRules using the iRule editor works better than through the GUI and find it being applied immediately most of the time. There are occasions when I need to completely remove and re-add the iRule to the virtual server in order for the changes to take effect.

How do you generate a new connection then?

 

Is there a good workflow to deal with iRule development?