Forum Discussion

Marvin_129795
Jul 05, 2018

Share source address persistence across different VS, pools using unique IP addresses

I am looking for a way to share the source address persistence across virtual servers with different IP addresses and different pools assigned using different IP addresses. Likewise, the built-in functionality "match across services / pools or virtual servers" will not work in this case.

The customer uses a NetIQ IAM solution that has this specific requirement; let me explain:

VS1 1.1.1.1:443 --> pool 1 -- pool member 10.0.0.1 (physical server A), pool member 10.0.0.2 (physical server B)

VS2 2.2.2.2:443 --> pool 2 -- pool member 10.0.0.3 (physical server A), pool member 10.0.0.4 (physical server B)

The web application always communicates first with VS1, goes to pool 1 and, for example, chooses 10.0.0.1. Source address persistence is applied and stored in the persistence table. After that the client immediately communicates with VS2 and should also arrive on the same physical server A.

So my idea was to create global variables using iRules, save the persistence information there, and create an additional variable to save the client IP address.

iRule 1 used for VS1

    when LB_SELECTED {
        set ::Poolmember [persist lookup source_addr [IP::client_addr] node]
        set ::ClientIP   [IP::client_addr]
    }

iRule 2 used for VS2

In the second VS we compare the value of the global variable $::ClientIP with [IP::client_addr] and search for the pool member in the persistence table (we have to know the persistence information of the VS1 connection). If the source IP is the same, then we should change the load balancing decision so it will be sent to the same physical server A, in this case 10.0.0.3.

    when LB_SELECTED {
        if { $::ClientIP eq [IP::client_addr] && $::Poolmember eq "10.0.0.1" } {
            LB::reselect node 10.0.0.3 443
        }
    }

There are some shortcomings to this setup, I believe, as the global variable could be overwritten with a different source IP if there are several concurrent sessions.

PS: Active/passive is not an option as they need the capacity.

Does anyone have a better idea that fits this specific requirement?

Thanks,

Marvin

  • Marvin

    I think I got it, only with hardcoded IP addresses and only using this iRule on VS2:

    when LB_SELECTED {
        log local0. "client = [IP::client_addr]:[TCP::client_port]"
        # Node recorded in the source_addr persistence table for this client (written by VS1)
        log local0. "\[persist lookup source_addr [IP::client_addr]\] = [persist lookup source_addr [IP::client_addr]]"
        if { [persist lookup source_addr [IP::client_addr] node] eq "10.0.0.1" } {
            # Client is persisted to physical server A through pool 1, so pick its pool 2 member
            LB::reselect node 10.0.0.3 80
            log local0. "client = [IP::client_addr] Re-loadbalancing to [LB::server]"
        }
    }

  • Marvin

    Is there a way to retrieve the source address persistence records for only one specific virtual server using the persist lookup command?

    The tmsh command is for example:

    tmsh show ltm persistence persist-records virtual VS1 client-addr 1.1.1.1
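Generalizing the LB_SELECTED iRule from the first reply so the pool 1 to pool 2 member mapping is not hardcoded and no global variables are involved; this is an added example, not code from the thread. It assumes a string data group named pool1_to_pool2 (hypothetical name) keyed by pool 1 member with the matching pool 2 member as value, that both pools listen on the same port, and, as the reply's rule does, that persist lookup on VS2 can see the record VS1 wrote.

```tcl
# Added example (not from the thread). Assumes a string data group named
# "pool1_to_pool2" (hypothetical name) that maps each pool 1 member to the
# pool 2 member on the same physical server, e.g.
#   "10.0.0.1" := "10.0.0.3"
#   "10.0.0.2" := "10.0.0.4"
# Attach this iRule to VS2 only. It keeps no global (::) variables, so
# concurrent clients cannot overwrite each other's state.
when LB_SELECTED {
    # Node recorded in the source_addr persistence table for this client;
    # empty string when no record exists.
    set vs1_node [persist lookup source_addr [IP::client_addr] node]
    if { $vs1_node eq "" } {
        # No VS1 session yet (or the record expired): keep VS2's own LB decision.
        return
    }
    if { ![class match $vs1_node equals pool1_to_pool2] } {
        # Unknown VS1 member: log it instead of silently steering the request.
        log local0. "client [IP::client_addr]: no pool 2 mapping for VS1 node $vs1_node"
        return
    }
    set target [class match -value $vs1_node equals pool1_to_pool2]
    set port   [LB::server port]
    # LB::reselect raises LB_SELECTED again; stop once the chosen member already
    # matches the target so the rule cannot loop.
    if { $target eq [LB::server addr] } {
        return
    }
    # Do not force traffic onto a member the monitor has marked down.
    if { [LB::status pool [LB::server pool] member $target $port] eq "down" } {
        log local0. "client [IP::client_addr]: mapped member $target:$port is down, keeping [LB::server addr]"
        return
    }
    LB::reselect node $target $port
    log local0. "client [IP::client_addr]: VS1 node $vs1_node -> reselected $target:$port on VS2"
}
```

Because the rule reads the persistence table directly for each request instead of a shared variable, a second client hitting VS1 between the two requests no longer changes where the first client lands on VS2.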