Forum Discussion
Mike_73765
Nimbostratus
Aug 20, 2010
issue with cookie persist irule
Hey guys, I am having an issue with an irule that I got from code share that is shown below. This irule is used on 2 virtual servers (using the same nodes, but different ports) and should be persistent between virtual servers. The user logs into the website, which is vs 1, and clicks a link that sends them to vs 2 (the same node). This works only sometimes for the users. The HTTP::response event in this irule always works, but the HTTP::request event gets numerous errors.
Here’s the error:
Aug 19 16:18:57 local/tmm err tmm[13657]: 01220001:3: TCL error: cookie - no such pool Failed Tcl_pool_GetFromObj: pool (line 6) invoked from within "active_members -list [LB::server pool]"
IRule:
when HTTP_REQUEST {
    if { [HTTP::cookie exists "cookie"] } {
        set decrypted [HTTP::cookie decrypt "cookie" "passcode"]
        if { ($decrypted ne "") } {
            set persist_node [HTTP::cookie "cookie"]
            foreach member [active_members -list [LB::server pool]] {  # <-- Line that fails
                set node [lindex $member 0]
                if { $node eq $persist_node } {
                    node $persist_node [lindex $member 1]
                }
            }
        }
        log local0. [LB::server]  ;# <-- Doesn't return anything
    }
}
when LB_FAILED {
    LB::reselect
}
when HTTP_RESPONSE {
    HTTP::cookie insert name "cookie" value [IP::remote_addr] path /
    HTTP::cookie encrypt "cookie" "passcode"
}
Thanks for your help,
Mike
24 Replies
- Hamish
Cirrocumulus
I'm not sure I see how your iRule would work... However, a couple of things I notice...
1. The cookie is encrypted, yet you use the actual cookie value directly in
    set persist_node [HTTP::cookie "cookie"]
which means the node $persist_node [...] is going to fail too...
shouldn't that be
    set persist_node $decrypted
or simply replace 'decrypted' with 'persist_node'...
2. Why are you looping through the poolmembers?
3. What happens if the cookie exists already but wasn't actually set by the iRule HTTP_RESPONSE?
I think you need to catch {} any errors from the decrypting too... Otherwise bad cookies will kill your connection... Are there any other errors? (Sorry, I don't have my stuff with me to actually test your iRule on an LTM.)
H
- Mike_73765
Nimbostratus
1. So the line: set decrypted [HTTP::cookie decrypt "cookie" "passcode"]
should look like: set persist_node [HTTP::cookie "cookie_name"] ?
2. I don't know. Doesn't seem like I need to. Can I just delete the "foreach" line?
3. The cookie shouldn't exist unless assigned by the HTTP_RESPONSE
I actually don't need an encrypted cookie.
- Mike_73765
Nimbostratus
Does F5 professional services do iRule creation? Customer is coming up on a deadline, and we can't seem to get things working for them.
- Chris_Miller
Altostratus
Posted By Mike on 08/24/2010 08:47 AM
does f5 professional services do irule creation? customer is coming up on a deadline, and we can't seem to get things working for them.
http://www.f5.com/training-support/professional-services/offerings/irules-on-demand.html
- Chris_Miller
Altostratus
By the way, since you're calling LB::server pool from HTTP_REQUEST, it should be checking against your default pool.
It looks like this is the codeshare you're using:
http://devcentral.f5.com/wiki/default.aspx/iRules/Cookie_Encryption_across_pools_and_services.html
What's your default pool called? Your TCL error leads me to believe the rule is somehow looking for a pool called "cookie"
What version are you running?
The reason you aren't seeing anything for logging LB::server is because you haven't chosen a server, which makes me think your default pool isn't specified.
- Mike_73765
Nimbostratus
Hi Chris, thanks for the link.
I am using this irule for 3 different virtual servers. Each vs has a default pool defined (same nodes, but different ports). We are running version 10.0.1.
I don't really have the need for an encrypted cookie, but this is the closest codeshare example I could find to what I wanted to do.
- Chris_Miller
Altostratus
Posted By Mike on 08/24/2010 10:42 AM
Hi Chris, thanks for the link.
I am using this irule for 3 different virtual servers. Each vs has a default pool defined (same nodes, but different ports). We are running version 10.0.1.
I don't really have the need for an encrypted cookie, but this is the closest codeshare example I could find to what I wanted to do.
May I ask what the name of the default pool is for the VS that is giving you this error?
This might be worth a read.
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/109/Persisting-Across-Virtual-Servers.aspx
- Mike_73765
Nimbostratus
There would be 2 default pools, p_lum_test and p_lum_resource_test. One pool is used by one virtual server and one pool is used by 2 other virtual servers. I want to persist across all 3 virtual servers.
According to the article, I would have to be using the same pool for all 3 virtual servers?
- Chris_Miller
Altostratus
We can get the original one working.
Can you add this to the bottom of your HTTP_RESPONSE event?
log local0. "cookie value set to [IP::remote_addr]"
Let's kill the encrypt/decrypt logic and make the rule look like this:
when HTTP_REQUEST {
    # If the cookie exists, connect to the IP specified in the cookie
    if { [HTTP::cookie exists "cookie"] } {
        if { ([HTTP::cookie "cookie"] ne "") } {
            set persist_node [HTTP::cookie "cookie"]
            foreach member [active_members -list [LB::server pool]] {
                set node [lindex $member 0]
                if { $node eq $persist_node } {
                    node $persist_node [lindex $member 1]
                }
            }
        }
    }
}
when LB_FAILED {
    LB::reselect
}
when HTTP_RESPONSE {
    HTTP::cookie insert name "cookie" value [IP::remote_addr] path /
    # Optionally comment out the above line and use the following line instead while specifying a domain
    # HTTP::cookie insert name "cookie" value [IP::remote_addr] path / domain abc.com
}
- Mike_73765
Nimbostratus
Ok, I tried the rule you have above. The user can log into the web portal fine, there is a link on the portal that sends the user to the port 8008 virtual server. Sometimes it works, and sometimes it just hangs. The virtual servers are listed below, and the 2 physical servers are 10.10.11.252 and 10.10.11.253.
Here is the output from the log we put in the HTTP_RESPONSE event:
Aug 26 15:53:29 local/tmm1 info tmm1[13658]: Rule persist_prod : cookie value set to 10.10.11.252
I'm still getting the TCL error in the line: foreach member [active_members -list [LB::server pool]] {
Should/could we include both pools in the LB::server function somehow?
What about an irule that grabs the IP::remote_addr from the http_response when the user hits the vs_HTTPS vs, and apply the rule to the 8008 vs, having them hit the same server that's returned by the IP::remote_addr? Is there a way we could do that?
virtual vs_HTTPS {
    snat automap
    pool p_Luminus
    destination 10.10.11.230:443
    ip protocol tcp
    rules persist_prod
    httpclass web-acc-class
    profiles {
        http {}
        luminus-temp-clientssl {
            clientside
        }
        tcp-lan-optimized {}
    }
}
virtual vs_Resource_Prod {
    snat automap
    pool p_Resource_8008
    destination 10.10.11.230:8008
    ip protocol tcp
    rules persist_prod
    profiles {
        http {}
        tcp {}
    }
}
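Added example, not code from any poster in this thread or from the F5 codeshare: one way to apply the three points in Hamish's reply (route on the decrypted value, wrap the decrypt in catch, and treat a cookie the rule did not set as untrusted). The pool name p_example_pool is a hypothetical placeholder to be set per virtual server; the cookie name and passphrase are the ones used in the thread.

```tcl
when HTTP_REQUEST {
    # Assumption: p_example_pool is a placeholder, not a pool named in the thread.
    # Each virtual server using this rule would name its own pool here.
    set persist_pool "p_example_pool"

    if { [HTTP::cookie exists "cookie"] } {
        # The cookie is client-supplied. A forged, stale or corrupted value
        # must not raise a Tcl error that resets the connection.
        if { [catch { set decrypted [HTTP::cookie decrypt "cookie" "passcode"] }] } {
            set decrypted ""
        }

        if { $decrypted ne "" } {
            # Route on the decrypted value, never the raw cookie text, and only
            # when it matches an active member of this virtual server's pool.
            # The loop also picks up that pool's port for the same node IP,
            # which is what lets one cookie work across virtual servers on
            # different ports.
            foreach member [active_members -list $persist_pool] {
                if { [lindex $member 0] eq $decrypted } {
                    node [lindex $member 0] [lindex $member 1]
                    return
                }
            }
        }
    }
    # No cookie, undecryptable cookie, or an address that is not an active
    # member: fall through to the virtual server's normal load balancing.
}

when LB_FAILED {
    LB::reselect
}

when HTTP_RESPONSE {
    # Same as the original rule: record the chosen server, then encrypt the
    # value so internal addresses are not disclosed to the client.
    HTTP::cookie insert name "cookie" value [IP::remote_addr] path /
    HTTP::cookie encrypt "cookie" "passcode"
}
```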
