cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

unexpected response from LTM

legan
Nimbostratus
Nimbostratus

Hi,

 

I experience a weird issue in our LTM iRules, which just recently came to surface. The situation is as follows.

 

I have a virtual server with no default pool selected. Pool selection is done via an iRule.

 

I have this iRule:

 

when HTTP_REQUEST { switch [HTTP::host] { "webmail.domain.com" { if {[string tolower [HTTP::uri]] eq "/"} { HTTP::redirect "https://webmail.domain.com/owa/" } if {[string tolower [HTTP::uri]] starts_with "/microsoft-server-activesync"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/autodiscover"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/public"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/owa"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/exchange"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/ecp"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/rpc"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/oab"} { pool "webmail.domain.com_pool" } if {[string tolower [HTTP::uri]] starts_with "/ews"} { pool "webmail.domain.com_pool" } } "autodiscover.domain.com" { if {[string tolower [HTTP::uri]] starts_with "/microsoft-server-activesync"} { pool "webmail.domain.com_pool"; HTTP::header replace "Host" "webmail.domain.com" } if {[string tolower [HTTP::uri]] starts_with "/autodiscover"} { pool "webmail.domain.com_pool"; HTTP::header replace "Host" "webmail.domain.com" } } } }

Now, when browsing to https://webmail.domain.com/blablabla, I receive a 'page cannot be displayed', which is to be expected.

When browsing to https://webmail.domain.com/owa, I receive the OWA pages of webmail, which is to be expected.

Now, when browsing within half a minute to https://webmail.comain.com/anothernonexistinguri, I receive a 404 from the backend. I also, see this in the IIS logging of the backend. This is not expected, as there's no pool selection and I also don't see a pool being selected when logging with:

 

when LB_SELECTED {  log local0. "Selected pool member: [LB::server name] for URL [HTTP::host][HTTP::uri] for client [IP::client_addr]"  }

 

When waiting for half a minute and then going back to https://webmail.comain.com/anothernonexistinguri, I receive the 'page cannot be displayed' again, which is to be expected.

 

Persistence profile is set to cookie persistence.

 

Anyone have a clue what's going on here? And what I can do the get consistent behaviour?

 

Thanks!

 

1 REPLY 1

crodriguez
F5 Employee
F5 Employee

The key is the persistence cookie. (I am assuming you have a timeout value of 30 seconds in the cookie persistence profile.) When you successfully connect to the OWA pages, the persistence cookie is sent with the response. Any subsequent requests to webmail.domain.com that occur before the cookie times out will persist rather than be load balanced, as the cookie is sent with the request to BIG-IP. This explains the 404 not found when you requested "anothernonexistinguri" within that 30 second period. That request persisted rather than load balanced.

 

If you wait until the cookie expires to send another request, then the cookie is not sent, and the request will either load be balanced, if the URI matches one of the rules in the iRule, or fail because there is no default pool, resulting in the "page cannot be displayed" sort of message.

 

You will not see a log message produced from the LB_SELECTED event if the connection persisted via the cookie. Persistence matching occurs before a load balancing decision.