Is there a specific example of how to employ the "wlnode" function to allow for Weblogic persistence? I am working to configure persistence via the JSESSIONID when cookie persistence is not available. I have built a rule that parses out the JSESSIONID from the HTTP_RESPONSE and enters that into the persistence table, but it appears there might be a simpler option. Thanks, Sagen

Here is what I have developed so far as way to persist based on the issued JSESSIONID: rule WeblogicJSessionPersist { when HTTP_RESPONSE { set key [HTTP::cookie "JSESSIONID"] set value [IP::server_addr]:[TCP::server_port] if {$key != ""} { log local0. "Adding jsess of: $key, value of: $value" session add uie $key $value set value2 [session lookup uie $key] log local0. "Re-looking up key: $key, provides value: $value2" } } when HTTP_REQUEST { set jsess [findstr [HTTP::uri] "jsessionid" 11 ;] log local0. "Entering REQUEST, jsess is: $jsess" if { $jsess != "" } { set server [session lookup uie $jsess] log local0. "Server IP is: $server" if { $server != "" } { pool Weblogic_HTTP_Pool member $server } } } } I know it's not the most efficient way of doing the job, but the limited testing I have done so far seems to indicate that it's a good start. Any suggestions for making this work in a more streamlined manner would be much appreciated.

I don't see that you're using value2, was this just for error checking while building the rule? This is very cool, I was just approached about this ability. Thanks for posting. Jason

This is an interesting rule. The interesting aspect of it is that you have re-implemented persistence using the session table. Way to go. However, a slightly simpler approach may be to just do the following with persistence: rule WeblogicJSessionPersist { when HTTP_RESPONSE { if { [HTTP::cookie exists "JSESSIONID"] } { persist add uie [HTTP::cookie "JSESSIONID"] } } when HTTP_REQUEST { set jsess [findstr [HTTP::uri] "jsessionid" 11 ";"] if { $jsess != "" } { persist uie $jsess } } }

On another note, to be more complete, you may want to check for a client cookie and only use the uri query string if the cookie isn't present. Here is an update: rule WeblogicJSessionPersist { when CLIENT_ACCEPTED { set add_persist 1 } when HTTP_RESPONSE { if { [HTTP::cookie exists "JSESSIONID"] and $add_persist } { persist add uie [HTTP::cookie "JSESSIONID"] set add_persist 0 } } when HTTP_REQUEST { if { [HTTP::cookie exists "JSESSIONID"] } { persist uie [HTTP::cookie "JSESSIONID"] } else { set jsess [findstr [HTTP::uri] "jsessionid" 11 ";"] if { $jsess != "" } { persist uie $jsess } } } } I'm not totally sure this is what you want to do, but it potentially makes sense to me. You may also want to reverse the order, as in, look for the uri query string and use that first and then fallback to the cookie. Let us all know how it turns out. I'm sure there's a few people that would like to know whether this works great.

Does BigIP purge the persistence table of entries to servers that have been marked down, or would this validation need to be checked in the iRule before persisting?

wlnode function | DevCentral

19 Replies

Wes_98712
Nimbostratus
Nov 11, 2006
What would be really interesting is to figure out if the client browser doesn't accept the cookie, to write the JSessionID to the URL as part of the query string. There are folks that turn off cookies in their browser, so in this instance, how could we ensure they persist to the same SessionID but not in the browser, in the URL. You capture this in the HTTP_REQUEST portion of the code, where you set the jsess variable, which it looks for the ID in the URL, question is, how does it get there?

I know weblogic I believe at times will default the ID to the URL if it knows the browser blocks it, in which case you'd see that jsess findstr work great, but what about other servlet engines like JBoss?

I'm going to play around with this iRule and see if I can figure out how to force it into the URL, just to see if it's possible (meaning, the client denies the cookie, so default to the URL).

Leslie_South_55

Nimbostratus

Nov 13, 2006

We have solved this issue by using the following rule, there is no persistence in the persistence table, but so far it appears to work based on the logging info and the server assigned

when HTTP_REQUEST {
set reqpath [HTTP::path]
log local0. "HTTP Request path is $reqpath"
if { [HTTP::cookie exists "ltmcookie"] }{
log local0. "Cookie found"
HTTP::cookie decrypt "ltmcookie" "ltmcookiepassword"
log local0. "Cookie decrypted"
set vipid [lindex [HTTP::cookie ltmcookie] 0]
set poolid [lindex [HTTP::cookie ltmcookie] 1]
set serverid [lindex [HTTP::cookie ltmcookie] 2]
set portid [lindex [HTTP::cookie ltmcookie] 3]
use pool $poolid member $serverid $portid
log local0. "Sending request to pool $poolid, member $serverid, port $portid"
persist cookie
log local0. "Cookie persist instruction passed"}
else {
log local0. "Cookie NOT found"
use pool pool_my-http-pool
}
}
when HTTP_RESPONSE {
log local0. "HTTP Response path is $reqpath"
if { $reqpath eq "/"} {
HTTP::cookie insert path / name ltmcookie value [concat [virtual name] [LB::server]]
log local0. "Creating cookie"
HTTP::cookie encrypt "ltmcookie" "ltmcookiepassword"
log local0. "Encrypting cookie"
}
elseif { $reqpath eq "/SEUILibrary/controller/Customer:Enter"} {
HTTP::cookie insert path / name ltmcookie value [concat [virtual name] [LB::server]]
log local0. "Creating cookie"
HTTP::cookie encrypt "ltmcookie" "ltmcookiepassword"
log local0. "Encrypting cookie"
}
elseif { $reqpath eq "/SEUILibrary/controller/checkout.workflow:StartCheckout"} {
HTTP::cookie insert path / name ltmcookie value [concat [virtual name] [LB::server]]
log local0. "Creating cookie"
HTTP::cookie encrypt "ltmcookie" "ltmcookiepassword"
log local0. "Encrypting cookie"
}
}

JRahm
Admin
Nov 13, 2006
glad to hear it! You won't see cookie persistence in the table. Because all the information needed to persist is in the cookie, there is no need to build a table for it.
JRahm
Admin
Nov 13, 2006
BTW, the persist cookie command shouldn't be necessary because you are specifying where the traffic is going in this statement:

use pool $poolid member $serverid $portid
Leslie_South_55
Nimbostratus
Nov 13, 2006
Functionally, this rule is working as expected, but it's taking a toll on the CPU. I am running this on a 6400 with 2 procs, and 4 GB of RAM, ver 9.2.3 build 142, and when our App Team runs a load of 400 users against the VS, the TMM cpu runs at 50%; I have seen the TMM CPU hit 100% when they throw 800+ users at it.

Along with this rule, I am running a HTTP URI completion rule as well as a HTTP to HTTPS redirect rule; the HTTPS VS uses the same pool as the HTTP VS, but I am terminating SSL on the LTM, so I thought this was the best way to handle it.

Any idea why my CPU is getting hit so hard?
JRahm
Admin
Nov 13, 2006
You can use the timing on command to help isolate. Try not encrypting/decrypting the cookie and see what that does to your performance.
Wes_98712
Nimbostratus
Nov 13, 2006
How many SSL TPS licenses are you licensed for? If you are doing 800+ but only the default SSL license, I have seen v9 and v4 tank because you hit the SSL TPS limit (e.g. how many net new parallel SSL connections are allowed to be created per second).

Just a thought. On a pair of 6400's you shouldn't have any issues with the irule you just sent through, encrypting and decrypting the cookie shouldn't take a toll on pair of 6400's, those are some heavy duty appliances.

-Wes
Leslie_South_55
Nimbostratus
Nov 14, 2006
have the performance pack which includes 5000 TPS, plus the caching and compression. F5 has told me that the iRule could be causing the issue. So I am rolling back to Cookie Insert prsistence to see if I can simplify things. I did disable the encryption of the cookike and F5 has told me that this is a know issue and there is a CR (CR59772)to fix this.

I am beginning to think that 9.2.3 has bugs in it, because I periodically see reference's in my log pointing to rules or pools that I have deleted from the config, and the answer is 'bigstart restart'
Deb_Allen_18
Historic F5 Account
Nov 15, 2006
I've experienced the last as an artifact of connection management when editing the config file directly, then re-loading.

Old instances of the iRule will still be in effect for connections begun before the iRule was edited.

To avoid that, I prefer to edit iRules in the iRules Editor (Click here)(or you can edit in the GUI).

If you really must edit the bigip.conf file directly, as an alternative to "bigstart restart tmm", you can instead run "bigpipe conn delete" to clear the connection. ("b conn help" for syntax)

HTH

/deb

Forum Discussion

wlnode function

19 Replies

Introducing the F5 Application Study Tool (AST)

Displaying Application Study Tool (AST) Dashboards in Your Own Grafana Instance

Recent Discussions

Change Content-Type from application/octet-stream to multipart/form-data

f5 AI Gateway pii-redactor not working

Terraform apply failures - loadbalancer_type.https.port_choice

F5 BigIP APM VPN some LDAP field are base64 encoded

Problem with sending BotDefense logs to remote server

Related Content

iRule procs (functions)

F5 Cloud-Native Functions For Secure DNS

F5 Cloud-Native Functions For Modern Demands - Part 1

F5 Cloud-Native Functions For Modern Demands - Part 2

OWASP Tactical Access Defense Series: Broken Function Level Authorization (BFLA)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS