Hello all, I require universal persistence based upon a XFF header value, but for any source IP. The scenario is that an initial client connection hits the F5 and is load balanced to node A (the F5 need to persist to a member in poolA using XFF value received or inserted). Then a back end server makes a connection to the F5 and sends the XFF value that was originally received from the client, targets the same VS but a different poolB. This connection must persist to the same node A as in the separate connection from the client. Is this possible using persist lookup functions?

Hi ajohnson, please elaborate a little bit more details on your pool/member setup? E.g.: Are both pools using the same set of members but with different ports? Cheers, Kai

Hello Kai, thanks for the quick response. So there will be 1 VIP (using proxypass for selecting the target pool). There will be 2 or more pools with the same members to different ports. Client connection is sent to poolA nodeA (XFF value is used to persist to nodeA). A separate connection from a server needs to be sent to the same nodeA but in poolB, using the XFF header value for persistence. Kind Regards

Hi ajohnson, Can you please add dummy IPs and ports to this logic? Client connection: (SRC_IP: 0.0.0.0/0) -VS: X.X.X.X:XXX -PoolA -Member1: X.X.X.X:XXX -Member2: X.X.X.X:XXX Backend Connection: (SRC_IP: only from Member1 or Member2 to VS2?) -VS: X.X.X.X:XXX -PoolB -Member1: X.X.X.X:XXX -Member2: X.X.X.X:XXX Cheers, Kai

Client connection: (SRC_IP: 99.99.99.1/32) -VS: 10.10.10.1:443 (using proxypass to determine pool) -PoolA -Member1: 1.2.3.4:994 - selected as target -Member2: 1.2.3.5:994 Backend Connection: (SRC_IP: 1.2.3.4/32) -VS: 10.10.10.1:443 (using proxypass to determine pool) -PoolB -Member1: 1.2.3.4:499 - this needs to be targeted -Member2: 1.2.3.5:499

Hi ajohnson, this setup will be somewhat complicated then and requires other/additional coding techniques than using [persist] to team the instances. What is the reason to forward the backend connection to your F5 if the DST_IP is always the orginating SRC_IP? It would be much easier if the service on 1.2.3.4:994 will always directly connect to 1.2.3.4:499 (aka. 127.0.0.1:499) and the service on 1.2.3.5:994 will always request to 1.2.3.5:499 (aka. 127.0.0.1:499 too)... Beside of that, it would be good to know how your iRule/LTM Policy configuration selects the different backend pools based on the incomming HTTP requests? Cheers, Kai

Universal persistence using header values for multiple client IPs.

11 Replies

Kai_Wilke
MVP
Feb 09, 2017
Hi ajohnson,

Match across services will not work as the client is not the same and therefore the target pool member selection and resultant persistence entry will be completely independent.

The
[persist uie]
method isn't aware of the client. It will create/query persistence information based on a free-text values which would in your case either the
[IP::client_addr]
-string value if a client connects, or the
X-Forwarded-For=[IP::client_addr]
-string value if the backend system connects. This approach WILL team the connections accordingly even if the underlying connection is comming from different SRC_IPs.

The
Match across services
option is mandatory in your specific case and allows LTM to resolve persistence entries in a X.X.X.X:any style, so that an existing persistence record for poolA:1.2.3.4:994 can be reused to persist request to poolB:1.2.3.4:499.

If you've doubts, then build a lab environment, apply the
[persist uie]
iRule at the buttom of this thread and check if the persist information for 1.2.3.4:994 (entry will be shown in the persist table) will be reused for acces to 1.2.3.4:499 (no additional entry will be shown in the persist table). In addition perform failovers as needed and notice that (for an example) a connection to poolA:1.2.3.4:994 will create a persist entry for poolA:1.2.3.4:994 and that this entry will become overwritten (via Force Offlines of poolB:1.2.3.4:499) to poolB:1.2.3.5:499 and which will cause the initial connection to poolA:1.2.3.4:994 to automatically fail over to poolA:1.2.3.5:994.

Client makes a connection to the F5, the F5 sets a persistence record to a pool member based upon XFF or another header I insert (maybe containing the selected pool member). Then when the server makes it's connection the F5 will see either the preserved XFF value (or the headre value for the selected pool member in the first connection) and will target the same IP.

See the
[persist uie]
iRule at the buttom of this thread. It does exactly what you've asked for... 😉

Cheers, Kai

Forum Discussion

Universal persistence using header values for multiple client IPs.

11 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

XFF Universal Persistence iRule

F5 XC – Persistence and Resiliency pt. I (persistence)

Using n8n To Orchestrate Multiple Agents

Universal Persistence iRule based upon ASP.NET SessionId

Universal Persistence with X-forwarder

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS