iRule "virtual" command to use virtual server as pool member - how does it work? Typical event lifecycle?

MVP

Mar 28, 2015

Hi David,

I remember some discussions about internal "shortcuts" avoiding packet encapsulation in favour of performance optimization.

But these should not impact the protocol stack evaluation and iRule processing.

For testing and validation you can apply the following iRule additionally to both your external (front) and internal virtual server:

when CLIENT_ACCEPTED {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
    log local0. "ip.src <[clientside {IP::remote_addr}]>;tcp.srcport <[clientside {TCP::remote_port}]>;"
    log local0. "ip.dst <[clientside {IP::local_addr}]>;tcp.dstport <[clientside {TCP::local_port}]>;"
}
when CLIENT_DATA {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when HTTP_REQUEST {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when HTTP_REQUEST_DATA {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when HTTP_REQUEST_SEND {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when HTTP_RESPONSE {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when HTTP_RESPONSE_DATA {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when LB_SELECTED {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when SERVER_CONNECTED {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
    log local0. "ip.src <[serverside {IP::local_addr}]>;tcp.srcport <[serverside {TCP::local_port}]>;"
    log local0. "ip.dst <[serverside {IP::remote_addr}]>;tcp.dstport <[serverside {TCP::remote_port}]>;"
}
when SERVER_DATA {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when SERVER_CLOSED {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}
when CLIENT_CLOSED {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
}

The external virtual server in my example terminates SSL and uses a second iRule as follows to pick an internal virtual server and to apply SNAT (optional).

when HTTP_REQUEST priority 400 {
    log local0. "virtual.name <[virtual name]>;time <[clock clicks -milliseconds]>;"
    virtual vs_internal_102_80
    snat automap
}

The log entries below prove the iRule processing on both virtual servers:

 tail -n 0 -f /var/log/ltm | awk -F 'Rule ' '{print $2}'
/Common/rule_order_testing : virtual.name ;time <1427541193286>;
/Common/rule_order_testing : ip.src <10.131.131.178>;tcp.srcport <36940>;
/Common/rule_order_testing : ip.dst <10.131.131.101>;tcp.dstport <443>;
/Common/rule_vs_select_snat : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : ip.src <10.131.131.178>;tcp.srcport <23289>;
/Common/rule_order_testing : ip.dst <10.131.131.102>;tcp.dstport <80>;
/Common/rule_order_testing : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : ip.src <10.131.131.178>;tcp.srcport <23289>;
/Common/rule_order_testing : ip.dst <10.131.131.102>;tcp.dstport <80>;
/Common/rule_order_testing : virtual.name ;time <1427541193309>;
/Common/rule_order_testing : virtual.name ;time <1427541193310>;
/Common/rule_order_testing : virtual.name ;time <1427541193316>;
/Common/rule_order_testing : virtual.name ;time <1427541193316>;
/Common/rule_order_testing : virtual.name ;time <1427541193316>;

For the internal virtual server I used a reflector iRule as described here:

iRule to emulate web server in lab environment (plaintext version)

Some excellent reading about order of iRule event processing can be found in Steven Iveson´s posts (aka What Lies Beneath) here:

iRule Event Order - HTTP

iRule Event Order - HTTPS/SSL - Client & Server Side

I hope, this answers your question.

Thanks, Stephan

Forum Discussion

iRule "virtual" command to use virtual server as pool member - how does it work? Typical event lifecycle?

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Use BIG-IP LTM Virtual Server & iRule for an internal "What's My IP" website

"Content Switching" to non-addressable virtual server

Automating certificate lifecycle management with HashiCorp Vault

The Case of the Missing F5 AMI : F5 BIG-IP AMI Lifecycle Events

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 4 - Policy Lifecycle management)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS