Help with "persist source_addr" command not working in Irule
I have an iRule that selects a pool member based on data within the 1st HTTP_REQUEST in a session and I need to persist on source IP address. I have a source IP persist profile set on the virtual server and also using "persist source_addr" command in the iRule but the logs show the 2nd LB_SELECT uses the other member in the pool. I first tried this without the command in the iRule thinking I could just rely on the default persistence profile on the virtual server but it does the same thing. After the 2nd LB_SELECT, persistence keeps the session on one pool member from that point on, but it is too late at that point - what am I missing? I do have a oneconnect profile assigned also. TIA for any help. iRule and logs below.
Apr 28 14:40:07 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [1435] URI = /login?sso=a&service=https%3A%2F%2Foam-qaq.infarmbureau.com%2FCSPWeb%2Flogin.csps, cookies
Apr 28 14:40:07 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [1435] Request from client: 10.141.4.1
Apr 28 14:40:07 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [1435] Selecting member 10.110.3.11 based on SSO redirect
Apr 28 14:40:07 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [1435] pool /Common/ap-tcsso.infarmbureau.com_https_pool member 10.110.3.11:443
Apr 28 14:40:07 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [1435] Set-Cookie JSESSIONID=14F665548CE78418398BAF2FF24D8281; Path=/; Secure; HttpOnly
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [5165] URI = /css/oam.css, cookies JSESSIONID
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [5165] Request from client: 10.141.4.1
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [5165] Set-Cookie
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [7572] URI = /js/cufon-yui.js, cookies JSESSIONID
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [7572] Request from client: 10.141.4.1
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [6986] URI = /js/oam_login.js, cookies JSESSIONID
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [6986] Request from client: 10.141.4.1
Apr 28 14:40:08 wb-f5lb1-qa info tmm[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [7572] pool /Common/ap-tcsso.infarmbureau.com_https_pool member 10.110.3.12:443
Apr 28 14:40:08 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [8377] URI = /js/jquery-1.11.0.min.js, cookies JSESSIONID
Apr 28 14:40:08 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [8377] Request from client: 10.141.4.1
Apr 28 14:40:08 wb-f5lb1-qa info tmm1[8917]: Rule /Common/ifb_irule_oam_qaq_persist_sso : [8377] pool /Common/ap-tcsso.infarmbureau.com_https_pool member 10.110.3.12:443
8 Replies
have you seen persistence record? i do not see it when specifying pool member in irule.
e.g.
config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 9
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        pool foo member 200.200.200.101
        log local0. "pool foo member 200.200.200.101"
        persist source_addr
        log local0. "persist source_addr"
    }
}

irule is executed but no persistence record is created

[root@ve11a:Active:In Sync] config tail -f /var/log/ltm
Apr 28 21:08:40 ve11a info tmm[13022]: Rule /Common/qux : pool foo member 200.200.200.101
Apr 28 21:08:40 ve11a info tmm[13022]: Rule /Common/qux : persist source_addr
Apr 28 21:08:40 ve11a info tmm[13022]: Rule /Common/qux : pool foo member 200.200.200.101
Apr 28 21:08:40 ve11a info tmm[13022]: Rule /Common/qux : persist source_addr

[root@ve11a:Active:In Sync] config tmsh
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm persistence persist-records
Sys::Persistent Connections
Total records returned: 0
- Steve_Knapp
Altostratus
Yes, the source IP persist is set on the virtual - is this what you mean?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ltm virtual ap-tcsso.infarmbureau.com_https_vs {
    destination 10.110.10.40:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        ifb_persist_source_addr_8hour {
            default yes
        }
    }
    pool ap-tcsso.infarmbureau.com_https_pool
    profiles {
        ap-tcsso-qa.infarmbureau.com_client {
            context clientside
        }
        ap-tcsso-qa.infarmbureau.com_server {
            context serverside
        }
        http { }
        tcp { }
    }
    rules {
        ifb_irule_oam_qaq_persist_sso
    }
is this what you mean?
no, i think source address persistence record is not created when specifying pool member in the irule (e.g. pool ap-tcsso.infarmbureau.com_https_pool member 10.110.3.11).
have you seen persistence record in your bigip?
tmsh show ltm persistence persist-records
- Steve_Knapp
Altostratus
well it shows up but only because it is set on the 2nd LB_request I am pretty sure. I have no way to check between the first LB_request and the second one.
My question is why does the "persist source_addr" command in the Irule not work?
if {[HTTP::uri] contains "sso=a" || [class match [IP::client_addr] equals ifb_oam_qaq_persist_sso_a ]} {
    if {$debug} {
        log local0. "${prefix}Request from client: [IP::remote_addr]"
        log local0. "${prefix}Selecting member 10.110.3.11 based on SSO redirect"
    }
    pool ap-tcsso.infarmbureau.com_https_pool member 10.110.3.11
    persist source_addr
}
My question is why does the "persist source_addr" command in the Irule not work?
ID248110 - Persistence and direct pool member selection are incompatible
- Steve_Knapp
Altostratus
Disappointing but thanks for the answer - at least I know why it is not working. One more question. Do you know if I could update the persistence table directly with "persist add" right after the POOL xxx MEMBER xxx statement? If so, could you post an example of the command? The wiki lists the syntax but I saw only examples for persist add uie.
Do you know if I could update the persistence table directly with "persist add" right after the POOL xxx MEMBER xxx statement? If so, could you post an example of the command?
e.g.
config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 12
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        pool foo member 200.200.200.101
    }
    when HTTP_RESPONSE {
        persist add source_addr [IP::client_addr]
    }
}

test

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm persistence persist-records all-properties
Sys::Persistent Connections
source-address - 172.28.24.10:80 - 200.200.200.101:80
-----------------------------------------------------
  TMM           0
  Mode          source-address
  Value         172.28.24.1
  Age (sec.)    3
  Virtual Name  /Common/bar
  Virtual Addr  172.28.24.10:80
  Node Addr     200.200.200.101:80
  Pool Name     /Common/foo
  Client Addr   172.28.24.1
  Owner entry
Total records returned: 1
- Steve_Knapp
Altostratus
Thanks very much nitass - this has fixed the issue. I just did not realize the persistence could not be set on the HTTP request and setting it on the HTTP response seems to be working.
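A check for the symptom discussed in this thread, added here as an example and not code from any of the posters: it reads log lines in the format of the debug output in the question, correlates them by the bracketed request id, and reports each request where a client's selected pool member changed. The sample lines, host name, rule name, pool name and addresses are constructed, and the bracketed id is assumed to be unique per request within the log being checked.

```python
import re

# "Rule <name> : [<request id>] <message>" as written by the iRule's debug logging.
LINE = re.compile(r"Rule \S+ : \[(?P<req>\d+)\] (?P<msg>.*)$")
CLIENT = re.compile(r"Request from client: (?P<ip>\S+)")
MEMBER = re.compile(r"pool (?P<pool>\S+) member (?P<member>\S+)")

# Constructed sample in the same shape as the log in the question.
SAMPLE_LOG = """\
Apr 28 14:40:07 lb1 info tmm[8917]: Rule /Common/example_rule : [1001] Request from client: 192.0.2.10
Apr 28 14:40:07 lb1 info tmm[8917]: Rule /Common/example_rule : [1001] pool /Common/example_pool member 10.0.0.11:443
Apr 28 14:40:08 lb1 info tmm[8917]: Rule /Common/example_rule : [1003] Request from client: 192.0.2.10
Apr 28 14:40:08 lb1 info tmm[8917]: Rule /Common/example_rule : [1002] Request from client: 192.0.2.10
Apr 28 14:40:08 lb1 info tmm[8917]: Rule /Common/example_rule : [1003] pool /Common/example_pool member 10.0.0.12:443
Apr 28 14:40:08 lb1 info tmm1[8917]: Rule /Common/example_rule : [2001] Request from client: 192.0.2.20
Apr 28 14:40:08 lb1 info tmm1[8917]: Rule /Common/example_rule : [2001] pool /Common/example_pool member 10.0.0.12:443
Apr 28 14:40:09 lb1 info tmm[8917]: Rule /Common/example_rule : [1004] Request from client: 192.0.2.10
Apr 28 14:40:09 lb1 info tmm[8917]: Rule /Common/example_rule : [1004] pool /Common/example_pool member 10.0.0.12:443
"""


def member_switches(lines):
    """Return (client, request_id, old_member, new_member) for each request
    whose pool member differs from the previous one chosen for that client."""
    client_of = {}    # request id -> client IP
    last_member = {}  # (client IP, pool) -> member chosen most recently
    switches = []
    for line in lines:
        hit = LINE.search(line)
        if not hit:
            continue  # not a line from the rule's debug logging
        req, msg = hit.group("req"), hit.group("msg")
        client = CLIENT.match(msg)
        if client:
            client_of[req] = client.group("ip")
            continue
        chosen = MEMBER.match(msg)
        if chosen and req in client_of:
            # Lines of one request may be interleaved with other requests,
            # and some requests log no member at all; both are tolerated.
            key = (client_of[req], chosen.group("pool"))
            previous = last_member.get(key)
            if previous is not None and previous != chosen.group("member"):
                switches.append((key[0], req, previous, chosen.group("member")))
            last_member[key] = chosen.group("member")
    return switches


if __name__ == "__main__":
    for client, req, old, new in member_switches(SAMPLE_LOG.splitlines()):
        print(f"client {client} request [{req}] moved {old} -> {new}")
```

Run against /var/log/ltm before and after a persistence change, an empty result means every client stayed on the member first chosen for it.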