Remove APM session after sending the response to the user
Hi;
I have a web service published with F5 BIG-IP 13.1.1, and this web service needs authentication and SSO. I use APM to validate the username and password and to do the SSO Credential Mapping. This web service receives 2000 requests per minute, and that creates 2000 new sessions per minute. My BIG-IP is the i7600 and I have only 40000 sessions. I made an iRule to close the APM session after the BIG-IP sends the response to the user, so that the only active sessions on the BIG-IP are those of the current connections.
    when HTTP_RESPONSE {
        ACCESS::session remove
    }
My problem is: this iRule works when I have 1 request at a time, but when I have 10 requests in parallel this iRule closes the wrong session (I don't know if that is right, I only receive a TCP reset in my client in another session). In the tcpdump I see the BIG-IP reset the connection because of "Session killed by session DB".
How can I do this without closing the wrong session?
I found the solution: I needed to add the HTTP header "Connection: Close" to the F5's response to the client.
When the F5 closes the APM session without "Connection: Close" in the HTTP header, the client will use the TCP connection for another APM session, and the F5 will close the TCP connection when it deletes the first APM session.
That is the explanation for the errors I have under load: the client opens another APM session using the same TCP connection.
The best iRule that I made for this example is:
    when HTTP_RESPONSE_RELEASE {
        HTTP::header insert "Connection" "Close"
        ACCESS::session remove
    }
Thanks all.
- Vinne73Cirrus
Interesting topic. Unfortunately I don't have a solution, but I am going to do a similar thing very soon. Since I also don't have enough APM sessions (20K), I'm going to only activate APM when a login is requested by the back-end webservers. After logging in I delete the APM session.
This works in test, but has not been battle tested.
When I put it in production and find useful info regarding your question, I'll come back.
- Vinne73_96575Nimbostratus
I thought of something you could try. In your code, you delete the APM session yourself. Might it be an option to let APM clean up its own sessions? Maybe it knows better what to delete because it's the "cleanup" process. I know you have a session limit to monitor, but you set the timeout very short.
Edit: you might have to set this during creation of the APM session, because when I tried this:
    when HTTP_RESPONSE {
        ACCESS::session data set session.inactivity_timeout 30
    }
it didn't work. It seems you can't update inactivity_timeout after an APM session is complete and allowed.
So either you set it for the global APM Policy, or you could use an event in your APM flow that sets the timeout based on other parameters.
    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "set_session_inactivity_timeout" {
                if {...} {
                    ACCESS::session data set session.inactivity_timeout ...
                }
            }
        }
    }
- Gustavo_Jardim_Altocumulus
Setting the inactivity timeout may be a solution for this problem, but I need to do many tests, because the minimum time is 1 second and in this time I have 2000 requests, so I will have 2000 more sessions in my environment. Also, if I set the inactivity timeout to 1 second and my web service takes 5 seconds to give the result, the session will probably be closed by APM (I don't know how APM calculates the timeout, whether it is per request in or request out).
I will test this solution if I don't have any solution for closing the session immediately.
- Vinne73Cirrus
I understand. In the initial question you said 2000 sessions per minute, so this solution could probably work with that number and a timeout of 15 seconds to allow for slow back-ends to reply. 2000 sessions per second is another thing :)
- Stanislas_Piro2Cumulonimbus
You can try something like this:
    when ACCESS_ACL_ALLOWED {
        set close_response 1
    }
    when HTTP_RESPONSE {
        if {$close_response} {
            ACCESS::session remove
        }
    }
- Gustavo_Jardim_Altocumulus
Be careful, I did that and it works when I have 1 request at a time (in a lab test), but when I have load in the environment the F5 closes the wrong sessions.
You can test it using JMeter to send many requests to your environment at the same time.
- Vinne73Cirrus
Be sure to check my answer, it might work better because APM can clean up its own sessions "the normal way"
- Gustavo_Jardim_Altocumulus
Sorry, I misunderstood. You don't force the session to close. In my case I need authentication on all calls.
- Gustavo_Jardim_Altocumulus
I looked at the Wireshark packets and my client is using the same TCP connection to open different sessions. When the F5 closes the session, it closes the TCP connection too, and that causes an error in my client in another session (because the session uses the same TCP connection).
Can I remove the session without closing the TCP connection? Or can I close all sessions when the TCP connection has finished?