I have msrdp persistence working without a rule, but only within a single vip. Globally, I don't have persistence to the client, so a client could potentially be assigned to the wrong vip, and even though session directory sends the client the routing token, and the client sends this routing token to the BigIP, it is being ignored if the client hits the wrong vip. Here's what the cookie looks like in hex and ascii: 0040 00 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 3d 38 31 .Cookie: msts=81 0050 33 39 36 34 30 34 32 2e 31 35 36 32 39 2e 30 30 3964042.15629.00 0060 30 30 0d 0a 00.. The 813964042 is the server IP (dec->hex(reverse pairs)->dec(by octet)) and the 15629 is the tcp port (dec->hex(reverse pairs)->dec) If I can't persist across virtuals with the msrdp cookie with the gui, then I'd like to build a rule that will persist across virtuals. I don't want only one vip because I will have aprox. 750 servers, and I'd like to pool these by rack. Is there a command within iRules to return a node from the msrdp cookie? I saw in the config guide that there is one for BEA WebLogic and I didn't know if there was one for MS Terminal Services since the BigIP has the ability to do this already. Thanks.

Hmm, I'm not quite sure I fully understand your vip issue. When MSRDP persistence is configured on a vip, it searches for the embedded cookie. Upon finding it, it will then use that node as long as it is a valid node within the current pool. So I have a couple of question? Do you have msrdp persistence configured on the "wrong vip"? Does the "wrong vip" have a pool with the same WTS server nodes in it?

For clarity, Vip 1->Pool 1->Server 1 Vip 2->Pool 2->Server 2 MSRDP persistence with session directory is configured to persist across services, pools, and vips. 1. Login to Vip 1, which creates Terminal Server Session on Server 1. 2. Close the window, but remain logged in 3. Login to Vip 2, credentials supplied to Server 2, but server 2 checks session directory and sends routing token to client, which then redirects back to Vip 2. BigIP sends back to Server 2, instead of to Server 1 as expected. If I uncheck session directory in the persistence and send the username credentials with my session request, the persistence works fine across vips. Since this doesn't work with the routing token, I was hoping I could do something with a rule.

Ok, two things: First, the "Has Session Directory" setting is now ignored (I just realized this is only true in 9.0.5 which is pending release) by the BigIP because the session actually sends different cookies depending on whether the servers have been configured to use the session directory. We now switch behavior depending on which cookie is present. Cookie: msts= is what you see when the servers are using a session directory and Cookie: mstshash= is what you see when the servers are not using a session directory. When the msrdp persistence detects the session directory cookie, it does not actually use any stored persistence on the BigIP. It merely checks the node to see if it's a member of the pool and directly selects it if it is. Since your vip2 is not using the same pool, this fails and it is re-load balance to server2 within pool2. To fix this, you have several choices (or potentially more if your creative)... Option a) Change your servers to not use a session directory, thus causing the Cookie switch to mstshash which the BigIP will store in it's persistence table and would be available "across virtuals". Option b) Install a rule that check if the node is really in pool1 and uses that instead (I will give you an example of this at the bottom). Option c) Merge vip1/vip2 and instead use a rule to dynamically make the selection that differentiates the two vips (say a larger pool vs. a smaller pool). Here is where I'm not clear on why you have vip1 and vip2 and so I can't guess at why you would first get connected to vip1 and then later to vip2. The rule that you could use to replace msrdp persistence and instead directly use the node regardless of the pool would look something like this: rule msrdp_sessdir_uie { when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { if { [TCP::payload length] < 25 } { TCP::collect return } binary scan [TCP::payload] x11a* msrdp if { [string equal -nocase -length 12 $msrdp "cookie: msts"] } { set msrdp [string range $msrdp 12 end] set len [string first "\n" $msrdp] if { $len == -1 } { Didnt get whole cookie collect more TCP::collect return } if { $msrdp starts_with "=" } { Session directory - extract node/port if { [scan $msrdp "=%u.%u" node port] != 2] } Did not find node/port, get more TCP::collect return } set node [ntohl $node] set port [ntohs $port] log "DEBUG: overriding to $node:$port" Note: the node command does not check the pool node $node $port } elseif { $msrdp starts_with "hash=" } { No session directory - username used instead if { $len > 5 } { incr len -1 set record [string range $msrdp 5 $len] log "adding persistence record - $record" persist uie $record 300 } else { log "No username - not persisting" } } } else { log "Cookie not found" } TCP::release } } Note: this rule has not been validated or tested in any way and is provided solely as an example.

Wow, iRules are much more powerful that I anticipated. Concerning the options: 1) We don't have global persistence (hopefully in a year or so), so using the password would only work if all of our connections were sent to site 1. We are diverse on the WAN, but both sites have access to all the servers on the MAN. 2) I will test this. This seems like a viable option. 3) If I only have 1 VIP, can I still pool resources independently behind a single VIP? EX- VIP 1 --> Pool 1 (48 members) --> Pool 2 (48 members) ... ... --> Pool 15 (48 members) The GUI only lets me select one pool. Are you saying that with a rule I could load-balance by pool, then by member? Thanks for your help. I think I have a lot to learn about rules. Jason

I corrected some syntax so that the rule would be accepted, but I'm not sure if I broke the rule in doing so. I don't get any connection when I don't send user credentials (thus preventing the mstshash= but I can login once I do supply the username. Also, the correct syntax from the documentation is [TCP::payload_length], but this gives me an error: line 6:[undefined procedure: TCP::payload_length][TCP::payload_length] If I change the expression from when CLIENT_DATA { if { [TCP::payload_length] < 25 } { TCP::collect return } to when CLIENT_DATA { if { [TCP::payload length] < 25 } { TCP::collect return } It doesn't error on this, but it also doesn't work. The syntax is looking for a size following TCP::payload, so I'm not sure what it is evaluating at this point.

JRahm

Admin

Mar 01, 2005

Terminal Server Persistence

I have msrdp persistence working without a rule, but only within a single vip. Globally, I don't have persistence to the client, so a client could potentially be assigned to the wrong vip, and even though session directory sends the client the routing token, and the client sends this routing token to the BigIP, it is being ignored if the client hits the wrong vip. Here's what the cookie looks like in hex and ascii:

0040 00 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 3d 38 31 .Cookie: msts=81

0050 33 39 36 34 30 34 32 2e 31 35 36 32 39 2e 30 30 3964042.15629.00

0060 30 30 0d 0a 00..

The 813964042 is the server IP (dec->hex(reverse pairs)->dec(by octet)) and the 15629 is the tcp port (dec->hex(reverse pairs)->dec)

If I can't persist across virtuals with the msrdp cookie with the gui, then I'd like to build a rule that will persist across virtuals. I don't want only one vip because I will have aprox. 750 servers, and I'd like to pool these by rack.

Is there a command within iRules to return a node from the msrdp cookie? I saw in the config guide that there is one for BEA WebLogic and I didn't know if there was one for MS Terminal Services since the BigIP has the ability to do this already. Thanks.

rapmaster_c_127
Historic F5 Account
Mar 03, 2005
Yes, it only fires after the 3-way handshake. (CLIENT_ACCEPTED.) That's why we built the event driven hooks for iRules rather than firing them all the time.

I'm glad you like the product. We love working on it.
rapmaster_c_127
Historic F5 Account
Mar 03, 2005
Just one note: your rule code is only *entered* on the CLIENT_ACCEPTED event. Thereafter, CLIENT_DATA is fired upto the point you call TCP::release. At that point you have no more rule entry points and since you haven't hooked any more events, there will be no further rule processing impact.
JRahm
Admin
Mar 22, 2005
Since removes the connection from load balancing statistics, would it be better for me to define all my servers in an external data group, then use

use pool $my_pool [$node]

Will this change anything? The goal is to make sure the BigIP is tracking the connections. Thanks.
unRuleY_95363
Historic F5 Account
Mar 22, 2005
I'm not sure I follow what you mean by "define all my servers in an external data group".

I'm guessing what you might be wanting to do is define a data group/class that lists which pools each server is in and then use that to determine the pool so you can then use pool member . If that is what you are saying, then sure that would likely work just fine.

However, let's revisit your assumption about statistics. Yes, it is true that if you use node , then statistics are not accounted for on the pool member. However, statistics are still accounted on the virtual and on the node itself. When using the pool member the statistics are also accounted on the node. So, perhaps you just need to look at the node statistics to get what you are looking for instead of looking at the pool member statistics. I have no idea how many other pools in your configuration the node might be a member of.

Hope that helps.
JRahm
Admin
Mar 22, 2005
Your assumption is correct. I am only concerned about the statistics as BigIP considers the load on a server. If I have 60 actual connections on a server, 30 of them being sent to the server via the rule line (use node $node), and I am using least connections, will those 30 connections sent to the server via the rule be considered in the decision or not? Thanks.

Jason
drteeth_127330
Historic F5 Account
Mar 22, 2005
Good question. If you use the member least connection LB method, then the 30 connections from the rule will not be accounted for since your rule uses direct node selection. If you use the least connection LB method, which operates on a node-address basis, then they will be.
James_Wrubel_48
Nimbostratus
Oct 24, 2006
This rule looks like exactly what I need, but I am having trouble getting it to work as written. I think this is because when you set the value of this cookie in the properties of the msrdp control, it sets it in Unicode. So if the value was Cookie: msts=2248151212.15629.0000 The rule doesn't ever get the node and port. Did you encounter the same problem? I think they may have changed the behavior of this property in a recent update, so this may not have been a problem when this rule was written.
JRahm
Admin
Oct 24, 2006
It worked verbatim when I tested, but that was 18 months ago. We never implemented this code in production, so I'm not sure if there have been changes to the application behavior or not.

Forum Discussion

Terminal Server Persistence

Recent Discussions

Reporting Help Needed

Switch ssl profile based on weak cipher detection via IRULE

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

full-proxy HTTP2

Related Content

Secondary persist method

Duplicate persistence entries in persistence table

Default gateway pool persistence

Persistence issue

SSL-Termination Persistence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS