For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Masui_185's avatar
Kevin_Masui_185
Icon for Nimbostratus rankNimbostratus
Feb 02, 2015

irule to persist after user logs in

is creating an irule the correct approach to persist on a server only after a website user has successfully logged in? Currently the VS is set to persist using the src_addr profile. I'm assuming this needs to be changed to universal persistence using an irule. I'm not sure what the steps would be. Any assistance would be greatly appreciated.

 

application delivery
devops
iRules
LTM

3 Replies

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Feb 03, 2015

    If you can verify the login by way of cookie or some other method, then you can use the 

    persist uie
    command. SOL7392 describes how to do this through an iRule.

    I'm not sure if you need to disable the other persistence profiles or not, but I'd assume it'd be better to do that so there's not issues.

  • StephanManthey's avatar
    StephanManthey
    Icon for Nacreous rankNacreous
    Feb 04, 2015

    Hi,

     

    the following iRule works the same way as the sample code on DC regarding WebLogic JSESSIONID persistence:

     

    when HTTP_REQUEST {
    if { [HTTP::cookie exists "JSESSIONID"] } {
        log local0. "Client [IP::client_addr] sent cookie [HTTP::cookie "JSESSIONID"]"
        persist uie [HTTP::cookie "JSESSIONID"]
         log local0. "uie persist [HTTP::cookie "JSESSIONID"]"
    } else {
         log local0. "no JSESSIONID cookie found"
    }
}
when HTTP_RESPONSE {
    if { [HTTP::cookie exists "JSESSIONID"] } {
         log local0. "uie persist [HTTP::cookie "JSESSIONID"] from [IP::remote_addr]"
        persist add uie [HTTP::cookie "JSESSIONID"] 1800
    }
}
when LB_SELECTED {
     log local0. "Poolmember [LB::server] selected" 
}

    For testing just monitor the persistence table from CLI:

     

    watch -n 1 tmsh show ltm persist persist-records

    You can uncomment the log statements in the iRule to track the log messages in /var/log/ltm:

     

    tail -f /var/log/ltm

    Thanks, Stephan

     

  • mgaughan_181608's avatar
    mgaughan_181608
    Icon for Nimbostratus rankNimbostratus
    Aug 10, 2015

    Hi,

     

    I took the JSESSIONID iRule from this page, installed it with the log statement in the iRule, confirmed that I saw the log messages appearing in /var/log/ltm, and the user was happy with it in QA/testing. We move to production, and the claim is that all of the traffic from one IP address and different JSESSIONIDs are all ending up on one server (of the eight in the pool) and is not being spread around the other servers in the pool. The user believes that the JSESSIONID is being ignored and only the source IP address is being used for persistence.

     

    I can't argue that we do not see most of the traffic on one IP address, because we do, but I believe that it is one heavy user, and it skews the results.

     

    Leads to me question - How do I prove that a source IP address and different JSESSIONIDs end up landing on different servers in the pool?

     

    Thanks!

     

    Mike.