Forum Discussion
LTM irule same irule got called by multiple tmm instances
Hi guys, recently I've been working on an irule to make an LTM VS act as a reverse proxy. Basically, the user will call the VS over HTTPS, and the VS will use the irule to do a DNS query for a specific URL and use the resolved IP as the node to establish the connection. I used RESOLV::lookup, and in order to provide a bit of redundancy on the DNS servers the irule is querying, I used a list of 3 DNS servers for the irule to query. So if the first DNS server is not responding with a valid IP, it will query the 2nd DNS server. However, what I noticed is that every time the VS was called, from the log, I see the irule got run by multiple tmm instances. It seems each tmm will run the irule in order and then establish the connection to the resolved IP. This turned out to be a time-consuming issue, especially when the first DNS server was failing.
For example:
When the first DNS server failed, tmm will run through the irule and fail the first DNS query, then get the IP resolved by querying the 2nd DNS server in the list. Then tmm1 kicked in, ran the same irule and failed the first query again, then successfully resolved the IP, but still no connection was established. tmm2 will run the irule when tmm1 is done, then establish the connection.
Has anyone ever noticed such behavior? Is it because RESOLV::lookup is suspending the session by one tmm and then using the other tmm to run the irule? Any hints would help.
- Marcus_Hong_Yu
Nimbostratus
Here is the irule I composed:

    when CLIENT_ACCEPTED {
        set index 0
        set dnslist [list 10.1.1.1 10.1.1.12 10.2.2.4]
        set max 3
        # Walk the DNS server list until one returns an address
        while {$index < $max} {
            set dns [lindex $dnslist $index]
            set dest [lindex [RESOLV::lookup @$dns -a "www.abc.com"] 0]
            # Check if the first list element was empty
            if {$dest eq ""} {
                # No valid IP resolved against DNS
                set index [expr {$index + 1}]
            } else {
                # Set Node IP based on DNS resolution
                node $dest 443
                set index [expr {$max + 1}]
            }
        }
    }
- Stanislas_Piro2
Cumulonimbus
Hi,
Your irule is not optimized... look at this one:

    when CLIENT_ACCEPTED {
        set dnslist {10.1.1.1 10.1.1.12 10.2.2.4}
        foreach dns $dnslist {
            # Check if the first list element was empty
            if {[set dest [lindex [RESOLV::lookup @$dns -a "www.abc.com"] 0]] ne ""} {
                # Set Node IP based on DNS resolution
                node $dest 443
                break
            }
        }
    }

Another enhancement can be to use DNS resolution in the pool instead of this irule. It will create each member discovered with DNS.
To answer about TMM, each connection is handled by a different TMM. If you are working on a 6 TMM appliance, you may see in logs tmm0, tmm1, ... tmm6
but only one TMM request for each TCP connection.
- cjunior
Nacreous
Hi,
- Marcus_Hong_Yu
Nimbostratus
I think I found some cause: RESOLV::lookup by default will use 4 tmm instances to do the initial query and 3 retries, and each one is 5 seconds. I can modify the sys db to reduce the retry times and timeout value; however, is there any better way to make it resolve to the valid IP quicker?
- Marcus_Hong_Yu
Nimbostratus
Hi Stanislas, I will try using foreach instead of while. But the thing is that RESOLV::lookup will use multiple TMMs to call the irule, which means even when using foreach, when the DNS server is failing, the irule will still be called multiple times. Is that the case?
- Stanislas_Piro2
Cumulonimbus
Another improvement is to create a DNS pool containing the DNS servers and monitored with a DNS monitor.
Then use this code:

    when CLIENT_ACCEPTED {
        foreach dns [active_members -list p_dns] {
            # Check if the first list element was empty
            if {[set dest [lindex [RESOLV::lookup @[lindex $dns 0] -a "www.abc.com"] 0]] ne ""} {
                # Set Node IP based on DNS resolution
                node $dest 443
                break
            }
        }
    }

This code will request only dns active members based on the pool member status.
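
An added example, not part of any post in this thread: one way to approach the "resolve quicker" question is to cache the resolved address in the session table, so that most connections skip the DNS lookup entirely. It assumes the p_dns pool and the www.abc.com name from the post above; the cache key name and the 30-second lifetime are arbitrary choices.

```tcl
when CLIENT_ACCEPTED {
    # Assumed values: name to resolve and cache key (key name is hypothetical)
    set fqdn "www.abc.com"
    set key "resolved:$fqdn"

    # The session table is shared by all TMMs, so one successful lookup
    # serves every new connection until the entry expires.
    set dest [table lookup -notouch $key]

    if { $dest eq "" } {
        # Cache miss: query only the DNS servers the pool monitor marks as up.
        foreach dns [active_members -list p_dns] {
            # Each element is "address port"; RESOLV::lookup needs the address.
            set dest [lindex [RESOLV::lookup @[lindex $dns 0] -a $fqdn] 0]
            if { $dest ne "" } {
                # Keep the answer for 30 seconds (timeout 30, lifetime 30).
                table set $key $dest 30 30
                break
            }
        }
    }

    if { $dest eq "" } {
        # No server answered: fail closed instead of picking a stale target.
        log local0.warning "No DNS server in p_dns resolved $fqdn"
        reject
        return
    }

    # Send this connection to the resolved address
    node $dest 443
}
```

A short lifetime keeps the cached address close to the DNS record at the cost of more frequent lookups; it should not exceed the record's TTL.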