Forum Discussion
iRule to route traffic to different pool when pool members down in default pool
We are running a transparent proxy in our environment and have decided that when both proxy servers in our proxy server pool become unavailable we would like to route the traffic out to the internet unfiltered (VLAN C). All clients have public IPv4 addresses.
I have a wildcard VIP set up (with a lasthop pool overriding the auto lasthop feature) to accept traffic on VLAN A, pass the traffic back to VLAN B (where the proxy servers are) and then go out the lasthop pool on VLAN C.
I have an iRule on the wildcard VIP which redirects HTTP requests to the proxy server when needed by replacing the HTTP host and HTTP URI.
When the proxy servers are not down this setup works flawlessly. However, when both proxy servers are down and I choose to use the lasthop pool instead of the proxy pool, traffic does not flow correctly. If I remove both the iRule with the HTTP redirects in it and the HTTP profile, and apply an iRule with just a when LB_FAILED statement in it to reselect the lasthop pool as its target, I can asymmetrically route the traffic to the internet just fine. This makes me believe that there is something in the HTTP profile (possibly the iRule) which is causing a change to the HTTP packet before it goes to the lasthop pool that the router in the lasthop does not like.
Any help or suggestions would be great.
Configuration:
virtual capture_virt {
   lasthop pool captured_lasthop
   pool capture_pool
   destination any:any
   mask 0.0.0.0
   ip protocol tcp
   rules captured-HTTP_rule
   profiles {
      captured_prof {}
      captured_tcp_prof {}
   }
   vlans captured-A enable
}
pool captured_lasthop {
   monitor all gateway_icmp
   members 10.1.5.41:any {}
}

____iRule below__________
rule captured-HTTP_rule {
   when CLIENT_ACCEPTED {
      if { [active_members capture_pool] < 1 } {
         use pool captured_lasthop
      }
   }
   when LB_FAILED {
      if { [active_members capture_pool] < 1 } {
         use pool captured_lasthop
      }
   }
   when HTTP_REQUEST {
      if { [HTTP::host] eq "www.facebook.com" } {
         use pool captured_lasthop
      } elseif { [HTTP::host] eq "www.google.com" } {
         use pool captured_lasthop
      } elseif { [HTTP::host] eq "www.yahoo.com" } {
         use pool captured_lasthop
      } else {
         log local0. "Client IP address is: [IP::remote_addr]"
         HTTP::header replace Host "www.example.com"
         log local0. "Replacing Host"
         HTTP::uri "/example/login.html"
         log local0. "Replacing URI"
      }
   }
}
_____iRule above______

pool capture_pool {
   monitor all cp-web_HTTP_DEV01_mon
   members {
      10.1.5.20:http {}
      10.1.5.21:http {}
   }
}
profile http captured_prof {
   defaults from http
}
profile tcp captured_tcp_prof {
   defaults from tcp
}
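An added example, not the original poster's rule and not code from F5: the same routing logic restructured so that the Host/URI rewrite is only applied while capture_pool still has active members, and the decision is recorded once per connection in an assumed variable named bypass. Pool names are the ones from the configuration above.

```tcl
# Added example (not the original poster's iRule). Decide the path once per
# TCP connection, then make HTTP_REQUEST honour that decision so the
# unfiltered fallback path receives the client's request unmodified.
when CLIENT_ACCEPTED {
    if { [active_members capture_pool] < 1 } {
        # Both proxy servers are down: send the connection out unfiltered.
        set bypass 1
        pool captured_lasthop
    } else {
        set bypass 0
        pool capture_pool
    }
}

when LB_FAILED {
    # The chosen proxy member became unavailable after selection:
    # fall back to the gateway and stop rewriting for this connection.
    if { ![info exists bypass] || !$bypass } {
        set bypass 1
        LB::reselect pool captured_lasthop
    }
}

when HTTP_REQUEST {
    if { $bypass } {
        # Proxy pool is down: leave Host and URI untouched.
        return
    }
    switch -glob -- [string tolower [HTTP::host]] {
        "www.facebook.com" -
        "www.google.com" -
        "www.yahoo.com" {
            # Allowlisted destinations go straight out, unfiltered.
            pool captured_lasthop
        }
        default {
            log local0. "Redirecting client [IP::remote_addr] to the proxy login page"
            HTTP::header replace Host "www.example.com"
            HTTP::uri "/example/login.html"
            pool capture_pool
        }
    }
}
```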
- nitass (Employee):
  > However when both proxy servers are down and I choose to use the lasthop pool instead of the proxy pool traffic does not flow correctly.
  can you try to put the "forward" command above pool captured_lasthop?
- Nick_68106 (Nimbostratus): Greetings nitass,
- nitass (Employee): is it similar to this? but it still doesn't work, does it?
  when CLIENT_ACCEPTED {
      if { [active_members capture_pool] < 1 } {
          forward pool captured_lasthop
      }
  }
  when LB_FAILED {
      if { [active_members capture_pool] < 1 } {
          forward pool captured_lasthop
      }
  }
- Nick_68106 (Nimbostratus): Yes, sorry, copy/paste fail there. It is identical to what you have posted and still does not work.
- nitass (Employee): never mind. the forward command is not needed in your configuration.
- Nick_68106 (Nimbostratus): I tried that as well and ended up with the same results. I think it has something to do with the TCP profile that is required by the HTTP profile, because when I do a packet capture on the lasthop pool VLAN (VLAN C) you can see the load balancer responding with a TCP SYN/ACK as the destination IP address, which I imagine is what most likely is causing the problem.
- nitass (Employee): i understand. what you are describing is how the tcp profile works, i.e. full proxy architecture.
- Nick_68106 (Nimbostratus): nitass, thank you for all the help here. I do have a ticket open with F5 in regards to this issue and one of the recommendations my support engineer gave me was to post my problem to this forum.
- nitass (Employee): i do not have a transparent proxy in the lab, so i have to enable translate address and service on the virtual server. also, snat is required in my lab.
  [root@ve1023:Active] config b virtual bar list
  virtual bar {
     translate address enable
     translate service enable
     snat automap
     pool proxy_pool
     destination any:any
     mask 0.0.0.0
     ip protocol 6
     rules myrule
     profiles {
        http {}
        tcp {}
     }
  }
  [root@ve1023:Active] config b pool proxy_pool list
  pool proxy_pool {
     members 192.168.12.105:3128 {}
  }
  [root@ve1023:Active] config b pool gateway_pool list
  pool gateway_pool {
     members 172.28.19.254:any {}
  }
  [root@ve1023:Active] config b rule myrule list
  rule myrule {
     when HTTP_REQUEST {
        if {[string tolower [HTTP::host]] equals "www.google.com" or \
            [active_members [LB::server pool]] < 1} {
           forward pool gateway_pool
        }
     }
  }

  curl -I http://www.yahoo.com/

  [root@ve1023:Active] config tcpdump -nni 0.0 port 80 or port 3128
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
  02:58:14.159318 IP 200.200.200.101.37253 > 72.30.2.43.80: S 2842128339:2842128339(0) win 5840
  02:58:14.159349 IP 72.30.2.43.80 > 200.200.200.101.37253: S 1156550803:1156550803(0) ack 2842128340 win 4380
  02:58:14.160283 IP 200.200.200.101.37253 > 72.30.2.43.80: . ack 1 win 46
  02:58:14.160301 IP 200.200.200.101.37253 > 72.30.2.43.80: P 1:157(156) ack 1 win 46
  02:58:14.160443 IP 172.28.19.80.37253 > 192.168.12.105.3128: S 668650010:668650010(0) win 4380
  02:58:14.260381 IP 72.30.2.43.80 > 200.200.200.101.37253: . ack 157 win 4536
  02:58:14.325384 IP 192.168.12.105.3128 > 172.28.19.80.37253: S 1758187351:1758187351(0) ack 668650011 win 5792
  02:58:14.325401 IP 172.28.19.80.37253 > 192.168.12.105.3128: . ack 1 win 4380
  02:58:14.325412 IP 172.28.19.80.37253 > 192.168.12.105.3128: P 1:157(156) ack 1 win 4380
  02:58:14.491573 IP 192.168.12.105.3128 > 172.28.19.80.37253: . ack 157 win 5792
  02:58:14.491592 IP 192.168.12.105.3128 > 172.28.19.80.37253: P 1:365(364) ack 157 win 5792
  02:58:14.491617 IP 72.30.2.43.80 > 200.200.200.101.37253: P 1:365(364) ack 157 win 4536
  02:58:14.491621 IP 192.168.12.105.3128 > 172.28.19.80.37253: F 365:365(0) ack 157 win 5792
  02:58:14.491628 IP 172.28.19.80.37253 > 192.168.12.105.3128: . ack 366 win 4744
  02:58:14.491631 IP 72.30.2.43.80 > 200.200.200.101.37253: F 365:365(0) ack 157 win 4536
  02:58:14.492247 IP 200.200.200.101.37253 > 72.30.2.43.80: . ack 365 win 54
  02:58:14.492255 IP 200.200.200.101.37253 > 72.30.2.43.80: F 157:157(0) ack 366 win 54
  02:58:14.492262 IP 72.30.2.43.80 > 200.200.200.101.37253: . ack 158 win 4536
  02:58:14.492266 IP 172.28.19.80.37253 > 192.168.12.105.3128: F 157:157(0) ack 366 win 4744
  02:58:14.657271 IP 192.168.12.105.3128 > 172.28.19.80.37253: . ack 158 win 5792

  [root@ve1023:Active] config b pool proxy_pool monitor all fake
  [root@ve1023:Active] config b pool proxy_pool|grep -i pool\ member
  +-> POOL MEMBER proxy_pool/192.168.12.105:3128 inactive,down

  curl -I http://www.yahoo.com/

  [root@ve1023:Active] config tcpdump -nni 0.0 port 80
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
  02:59:18.619344 IP 200.200.200.101.39373 > 98.137.149.56.80: S 1710494010:1710494010(0) win 5840
  02:59:18.619379 IP 98.137.149.56.80 > 200.200.200.101.39373: S 1489332666:1489332666(0) ack 1710494011 win 4380
  02:59:18.620321 IP 200.200.200.101.39373 > 98.137.149.56.80: . ack 1 win 46
  02:59:18.620349 IP 200.200.200.101.39373 > 98.137.149.56.80: P 1:157(156) ack 1 win 46
  02:59:18.620418 IP 172.28.19.80.39373 > 98.137.149.56.80: S 3312724555:3312724555(0) win 4380
  02:59:18.720813 IP 98.137.149.56.80 > 200.200.200.101.39373: . ack 157 win 4536
  02:59:18.800356 IP 98.137.149.56.80 > 172.28.19.80.39373: S 3513074640:3513074640(0) ack 3312724556 win 5792
  02:59:18.800377 IP 172.28.19.80.39373 > 98.137.149.56.80: . ack 1 win 4380
  02:59:18.800391 IP 172.28.19.80.39373 > 98.137.149.56.80: P 1:157(156) ack 1 win 4380
  02:59:18.981489 IP 98.137.149.56.80 > 172.28.19.80.39373: . ack 157 win 27
  02:59:19.011277 IP 98.137.149.56.80 > 172.28.19.80.39373: P 1:835(834) ack 157 win 27
  02:59:19.011315 IP 98.137.149.56.80 > 200.200.200.101.39373: P 1:835(834) ack 157 win 4536
  02:59:19.012420 IP 200.200.200.101.39373 > 98.137.149.56.80: . ack 835 win 59
  02:59:19.012441 IP 200.200.200.101.39373 > 98.137.149.56.80: F 157:157(0) ack 835 win 59
  02:59:19.012451 IP 98.137.149.56.80 > 200.200.200.101.39373: . ack 158 win 4536
  02:59:19.012456 IP 172.28.19.80.39373 > 98.137.149.56.80: F 157:157(0) ack 835 win 5214
  02:59:19.195404 IP 98.137.149.56.80 > 172.28.19.80.39373: F 835:835(0) ack 158 win 27
  02:59:19.195434 IP 172.28.19.80.39373 > 98.137.149.56.80: . ack 836 win 5214
  02:59:19.195441 IP 98.137.149.56.80 > 200.200.200.101.39373: F 835:835(0) ack 158 win 4536
  02:59:19.196481 IP 200.200.200.101.39373 > 98.137.149.56.80: . ack 836 win 59