For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

lkchen's avatar
lkchen
Icon for Nimbostratus rankNimbostratus
Jan 16, 2014

iRule to direct specific IPs to specific members, not working as expected.

I have a 6400 LTM HA pair, running 10.2.4HF5. I have a oneconnect virtual server, ssl proxy, with both cookie and source_addr persistence to a pool with 12 members....as 6 different IPs, and two di...
application delivery
devops
iRules
IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Jan 17, 2014

Agree with JPV - if you use cookie and source IP you are asking for trouble - the first request of an HTTP 'session' never has a cookie, so source IP will always be used!!

The problem is that your pool selection is being done in CLIENT_ACCEPTED, but oneconnect means that the pool is reset to the default each time HTTP_REQUEST is triggered, in addition, I think there is a slightly better way than your pool ISIS-Web_SSL member statements. I would use another pool for the webmethods traffic;

pool ISIS-Web_SSL_webmethod {
    lb method member observed
    snat disable
    monitor all https1.0
    members {
        10.10.10.108:5004 {priority 3}
        10.10.10.110:5004 {priority 1}
    }
}

and then your iRule would become;

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals "TXHUB_IP"] } {                
        persist none
        pool ISIS-Web_SSL_webmethod
    }
}
  • IheartF5_45022's avatar
    IheartF5_45022
    Icon for Nacreous rankNacreous
    Jan 17, 2014
    The separate pool is purely a "I would do it this way" thing - your rule is fine - it's only the event that is causing you an issue