
dragonflymr
Dec 21, 2015

table and HA

Hi,


I am pretty sure, after reading SOLs and the description of the table command, that keys stored via table or subtable on the active unit should be mirrored to the standby (for a given traffic group). I just would like to confirm that it's indeed the case and, if possible, that it is reliable in production.


The question is whether we can assume that data stored on the active unit will be available on the standby and, in case of failover, that the data will be exactly the same, so iRule logic based on table-stored data will work as expected.


What bothers me a bit is how exactly this works in the case of sub/table-stored keys. I assume connection mirroring has to be configured and enabled. Next, the StateMirror.MirrorSessions db variable should be set to enabled (but, if I am not wrong, it is enabled by default?).


For TCP session mirroring it has to be enabled per VS (Connection Mirroring checked). I assume that only session entries related to this VS are mirrored to the standby, not the whole session table?


What about iRule-created sub/table keys? Are all of them mirrored by default, even if the VS with the iRule does not have Connection Mirroring checked?


What if we have Active-Active HA? Let's say sub/table keys are created via an iRule attached to a VS belonging to Traffic Group (TG) 1, active on device A; connection mirroring is enabled, so keys should be copied to device B, being standby for TG1. Then there is a VS on device B belonging to TG2 (active on device B). Keys in sub/tables are created via an iRule attached to this VS; again, those should be copied to device A, being standby for TG2.


From the table command description there is a statement I am not sure about:


If the table command is used on the standby system in a HA pair, the command will perform a no-op because the content of the standby unit's session db should be updated only through mirroring.


What exactly does "will perform a no-op" mean? It seems no modifications can be performed, which sounds logical. But does that mean no lookup operations can be performed as well?


I am just curious whether an iRule on a VS in TG1 can read keys created by an iRule on a VS in TG2; in other words, whether the iRule in TG1 can read the copy (as device A is standby for TG2) of sub/table keys created by the iRule in TG2.


Last question is about the info from SOL13478 "Note: Only FastL4 and SNAT connections are re-mirrored after failback." What does failback mean here?


Is it related to the automatic failback option for the TG, or to a situation like this as well: TG1 active on device A; TG1 moved to device B (for any reason; the session table should contain up-to-date entries on device B); device A back online/available, so it should become standby for TG1, and table keys should be mirrored from device B to device A; TG1 migrated to device A; table keys up to date. Or won't it work like that?


Piotr


  • Hi Piotr,

    I'm using the table command for a Pre-Auth / Single-Sign-On functionality (aka. storing cookie values and credential sets into tables) on a three-node 8950 active/active cluster with session mirroring enabled. It works like a charm; a (controlled or unexpected) failover hasn't caused my clients to reauthenticate yet. So personally I would rate this functionality as very, very reliable...

    "StateMirror.MirrorSessions" controls this behavior and yes, it's enabled by default and immediately starts to replicate your session information once you've created the cluster group with a valid session mirroring configuration. No need to enable VS-specific settings...

    Since v11.4 you are able to use Active/Active traffic groups where each traffic group has its own replication channel and also its very own "session table" container, where the data of this traffic group can be stored.

    Each of your traffic groups always has only one "active" member where data can be inserted, and all other traffic group members are just replicas.

    Trying to update table data on standby units would cause your system to "no-op" those commands (no-operation = do nothing), but I didn't try that before, nor do I even know a way to call [table] on a standby system?

    Furthermore, an iRule triggered by VS1 in TG1 can't access data generated by VS2 in TG2. Each TG now has its own table.

    For further reading on this topic: https://devcentral.f5.com/articles/big-ip-114-behavior-change-global-data-now-partitioned-by-traffic-group

    Regarding your question on SOL13478: I dunno, I don't use TCP mirroring for HTTP. It's simply not worth it... 😉

    Cheers, Kai
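The pre-auth pattern Kai describes above, written out as an added example iRule (not code from this thread, from Kai, or from F5): the backend marks a successful login with a response header, the iRule binds the session cookie it issued to that user in a subtable, and later requests are enriched from a lookup. The subtable name, cookie name, backend header name, logout path and timeouts are all assumptions.

```tcl
# Added example iRule (not from the thread). Assumed names: subtable "preauth",
# session cookie "APPSESSION", backend header "X-Auth-User", path "/logout".
when RULE_INIT {
    set static::preauth_tbl  "preauth"
    set static::preauth_idle 1800   ;# idle timeout in seconds, refreshed by each lookup
    set static::preauth_life 28800  ;# absolute lifetime in seconds, never extended
}

when HTTP_REQUEST {
    # never trust a client-supplied copy of the header this iRule adds
    HTTP::header remove "X-Preauth-User"
    set sid [HTTP::cookie value "APPSESSION"]
    if { $sid ne "" } {
        # The subtable lives in this VS's traffic-group session table, which
        # StateMirror.MirrorSessions replicates to the standby device, so the
        # entry is still found after a failover of the traffic group.
        set user [table lookup -subtable $static::preauth_tbl $sid]
        if { $user ne "" } {
            HTTP::header insert "X-Preauth-User" $user
        }
        if { [HTTP::path] eq "/logout" } {
            # explicit invalidation; otherwise idle timeout or lifetime ends the entry
            table delete -subtable $static::preauth_tbl $sid
        }
    }
}

when HTTP_RESPONSE {
    # Backend signals a completed login with X-Auth-User; store cookie -> user
    # and strip the header so it never reaches the client.
    if { [HTTP::header exists "X-Auth-User"] } {
        set user [HTTP::header value "X-Auth-User"]
        set sid  [HTTP::cookie value "APPSESSION"]
        if { $sid ne "" } {
            # table set issued on the active device for this traffic group;
            # on a standby device the same command would be a no-op.
            table set -subtable $static::preauth_tbl $sid $user \
                $static::preauth_idle $static::preauth_life
        }
        HTTP::header remove "X-Auth-User"
    }
}
```

Only the device that is active for the VS's traffic group ever executes the table set, which is why the "no-op on standby" rule from the table command description does not get in the way of this pattern.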

  • Hi Kai,

    Thanks a lot. I am not sure if I understand this correctly:

    "StateMirror.MirrorSessions" controls this behavior and yes, it's enabled by default and immediately starts to replicate your session information once you've created the cluster group with a valid session mirroring configuration. No need to enable VS-specific settings...

    So what exactly does enabling or disabling connection mirroring for a VS or SNAT do? If I understand correctly what you stated above, the whole session table is mirrored right away, no matter if connection mirroring is enabled on any object. Is that correct? Or by session information do you mean only keys stored in sub/tables by iRules?

    Based on the article you pointed me to (appreciated; it explains exactly what I was not sure about) I have to assume that table data can't be accessed cross-TG 😞 but it was possible in pre-11.4 versions.

    I was looking for a fast and reliable way to exchange table data between separate devices/VEs. My idea was to create an HA config (but not exactly to achieve HA) to spread load between two (or more) devices while keeping the ability to reference the same sub/table keys. Sure, modifying operations on subtables could be performed only in one TG, but other TGs could read keys from these sub/tables. That way decisions could be made on a given device (standby for the TG) based on info stored by another one (active for the TG).

    Sure, it can be done via some sideband or VS-directed requests, but that seems to be much more complicated and not as fast and reliable.

    Well, in relation to SOL13478 I am not talking about TCP session data but table keys. And actually I am not sure what failback means in "Note: Only FastL4 and SNAT connections are re-mirrored after failback". So: device A active, sub/table data copied to device B; then device A fails, so device B is active and using/updating table data; then device A comes back online, and I assume that now sub/table data is copied to device A (or am I wrong?). Then I do a manual failover to device A; I assume that no sub/table data should be lost? So in what situation, and what data, is lost during "failback"?

    Piotr

  • Hi Piotr,

    the "session table" replication is controlled by just the "StateMirror.MirrorSessions" setting and is completely independent of the "network connection" replication of your individual virtual servers / SNATs.

    "network connection" mirroring for a VS or SNAT can be turned on or off depending on your needs. Once enabled, it replicates some sort of "stateful connection table" between the devices to allow a silent failover of already established connections. Without "network connection" mirroring, a re-establishment of the connections would be required to continue.

    Regarding: I was looking for a fast and reliable way to exchange table data between separate devices/VEs.

    At least I'm not aware of a fast and reliable way to do this. The things I'm aware of are slow and/or unreliable (aka. using sidebands in combination with web service calls (slow but reliable), or even data exports/imports (fast but unreliable for write access due to a duplication of information, which may cause race conditions to occur)).

    You should see the performance of table queries like this...

    • TMM1 reads data which is held on TMM1 (it's very fast, without pausing the TCL execution)
    • TMM2 reads data which is held on TMM2 (it's very fast, without pausing the TCL execution)
    • TMM1 reads data which is held on TMM2 (it's already somewhat slow and pauses the TCL execution on TMM1 while waiting for TMM2 to respond)
    • TMM1 on device UNIT1 reads data over a sideband from device UNIT2, using TMM2 of UNIT2 as the entry point to finally access data on TMM1 of UNIT2 (it's slow like hell, since you need to call across the network and maybe jump between TMMs on the destination UNIT at the same time)

    Regarding: SOL13478

    This article refers to "network connection" mirroring (TCP, UDP, SNAT) and not to "session table" mirroring (persistence records, table information). I haven't seen any problems so far with [table] information when moving the traffic groups between the devices, nor when rebooting a certain device. It just keeps replicating the contained information...

    Cheers, Kai

  • I assume that inter-traffic-group table access was somehow possible before 11.4 and now it's not. I can see the benefits of session table space partitioning per TG, but a kind of read-only access (lookup) could be implemented, as it seems to be the fastest way to exchange data between iRules in different TGs. But well, we have what we have and have to figure out some way to use it :-)


    Great explanation of the difference between network connection and session table mirroring and how mirroring works for both! Thanks for the help (again :-)


    Piotr


    • dragonflymr
      One additional question. I am pretty sure that I saw somewhere (in some SOL) information that even if HA and connection mirroring can now be done between different types of devices (like 2000 <-> 4000) or VEs with different configs, it is still required to have identical hardware in the case of session table mirroring. Are you aware of such a limitation, or is it no longer there? Piotr
    • Kai_Wilke
      Take a look at https://support.f5.com/kb/en-us/solutions/public/15000/400/sol15496.html
  • Hi, not sure what exactly I should check in this article. I found a statement about same hardware, as well as an email confirmation I received from F5 support that this statement is valid for session data.

    Sure, it was some time ago, and the doc I am referencing is for 11.5.3, so maybe this limitation is no longer there.

    Here is the link: Managing Connection Mirroring, and the statement is:

    Important: Connection mirroring only functions between devices that reside on identical hardware platforms.

    Piotr

    • Kai_Wilke
      The link I've posted just states that mixed cluster environments are available by using v11.4+: "Starting in 11.4.0, the BIG-IP system supports high availability (HA) features, such as ConfigSync and failover between different hardware platforms. By allowing HA functionality between different hardware platforms, newer hardware platforms only need to join the current device group to receive the older hardware platform's configuration." You may want to open a new question on the LTM board or ask F5 directly to be sure? Cheers, Kai