iRule - Fallback Persistence
Hi - I'm trying to create an iRule for the Persistence Profile of one of my applications. The preferred method is to use cookie - the application actually injects a cookie in the HTTP RESPONSE and the F5 looks for this cookie in both the HTTP RESPONSE and HTTP REQUEST to do persistence, identical to how JSESSIONID works. However in the event that the client has configured their browser to reject / disable cookies, the expectation is that we persist based on their source IP, however as they come in to our data centre via Akamai, we actually need to extract their IP from the X-Forwarded-For header. What I came up for this was: when HTTP_REQUEST { if { [HTTP::cookie exists "App_SessionId"] } { persist uie [HTTP::cookie "App_SessionId"] 1800 } else if {[HTTP::header X-Forwarded-For] != ""} { persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0] 1800 } else { persist uie [IP::client_addr] 1800 } } when HTTP_RESPONSE { if { [HTTP::cookie exists "App_SessionId"] } { persist add uie [HTTP::cookie "App_SessionId"] 1800 } } I haven't had the chance to test this but reviewing the logic I see that we may have a problem with the first request cominf from the user's browser. When a user first lands on the website, the HTTP_REQUEST from their browser will not have the App_SessionId cookie and this causes the LTM to add a persistence record based on the X-Forwarded-For header, or add a persistence record based on the user's source IP address. When the request makes it to the server and the server responds ( HTTP_RESPONSE ), that response will have a App_SessionId cookie, and the LTM adds another persistence record based on this cookie. Then the subsequent HTTP_REQUEST from the users browser will have the App_SessionId cookie, and this will now match the if { [HTTP::cookie exists "App_SessionId"] } section of the iRule and they will be persisted to the same server that inserted the cookie. This is good but there's the loose end which is the initial persistence record based on the X-Forwarded-For header that's lingering. Would this lingering persistence record based on the X-Forwarded-For header cause a conflict with the persistence record based on the App_SessionId cookie? How do I clean up this loose end? On the flip side, if the user had configured their browser to reject cookies, the persistence record based on the X-Forwarded-For header is vital to maintain session consistency. But now we have the loose end of the persist add uie [HTTP::cookie "App_SessionId"] 3600 in the HTTP_RESPONSE .
WebLogic universal persistance - multiple (JSESSIONID) cookie names
Hello experts, we have a customer which uses a Java Web-Application hosted on WebLogic middleware. In the past this was quite simple, we used this iRule for managing the universal persistance: when HTTP_REQUEST { if { [HTTP::cookie "JSESSIONID"] ne "" }{ persist uie [string tolower [HTTP::cookie "JSESSIONID"]] 300 } else { set jsess [findstr [string tolower [HTTP::path]] "jsessionid=" 11] if { $jsess != "" } { persist uie $jsess 300 } } } when HTTP_RESPONSE { if { [HTTP::cookie "JSESSIONID"] ne "" }{ persist add uie [string tolower [HTTP::cookie "JSESSIONID"]] 300 } } This worked ever fine. But now the customer has multiple Java Web-Applications configured in WebLogic, each of them uses seperate Cookie names. So JSESSIONID (as before), but also new SESSIONIDA, JSESSIONIDB and JSESSIONIDC. All must be served over one Loadbalancer virtual server, we we have to manage the complexity in the iRule on the F5. Note: We can use the same selected node node for one client, but also seperate per Cookie name, so per application to another selected node in the Backend - this is not relevant. This is what I think it should work, but it doesn't. Please don't blame me regarding efficiency, I know it is worse. (But am no iRule expert.) Pure funcionality is Prio-1 for us. when HTTP_REQUEST { if { [HTTP::cookie "JSESSIONID"] ne "" } { persist uie [string tolower [HTTP::cookie "JSESSIONID"]] 300 } elseif { [HTTP::cookie "JSESSIONIDA"] ne "" } { persist uie [string tolower [HTTP::cookie "JSESSIONIDA"]] 300 } elseif { [HTTP::cookie "JSESSIONIDB"] ne "" } { persist uie [string tolower [HTTP::cookie "JSESSIONIDB"]] 300 } elseif { [HTTP::cookie "JSESSIONIDC"] ne "" } { persist uie [string tolower [HTTP::cookie "JSESSIONIDC"]] 300 } else { set jsess [findstr [string tolower [HTTP::path]] "jsessionid=" 11] if { $jsess != "" } {persist uie $jsess 300 } else { set jsess [findstr [string tolower [HTTP::path]] "jsessionida=" 11] if { $jsess != "" } { persist uie $jsess 300 } else { set jsess [findstr [string tolower [HTTP::path]] "jsessionidb" 11] if { $jsess != "" } { persist uie $jsess 300 } else { set jsess [findstr [string tolower [HTTP::path]] "jsessionidc" 11] if { $jsess != "" } { persist uie $jsess 300 } } } } } } when HTTP_RESPONSE { if { [HTTP::cookie "JSESSIONID"] ne "" }{ persist add uie [string tolower [HTTP::cookie "JSESSIONID"]] 300 } if { [HTTP::cookie "JSESSIONIDA"] ne "" }{ persist add uie [string tolower [HTTP::cookie "JSESSIONIDA"]] 300 } if { [HTTP::cookie "JSESSIONIDB"] ne "" }{ persist add uie [string tolower [HTTP::cookie "JSESSIONIDB"]] 300 } if { [HTTP::cookie "JSESSIONIDC"] ne "" }{ persist add uie [string tolower [HTTP::cookie "JSESSIONIDC"]] 300 } } I would like to thank you in advance for any hint on my problem here...
persist profile with irule
Hi, I have a virtual server and more than 2 pool. I want to use persistence profile based on pool. I have written irule shown below. Are there any mistakes or advice? when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { "/abc*" { pool abc_pool persist source_addr } "/xyz*" { pool pool_xyz persist cookie } "/def*" { pool pool_def persist dest_addr } } }Cookie persist Fail with One Virtual server but have many pool (different member too)
Hi I have issue with persistence cookie. My environment is I have one Virtual server and this virtual server (domain) have many Application in different server. So we choosing pool via irule like this. When HTTP_request { (don't mind syntax) if [http_uri == abc] { pool abc} pool abc have server CC,DD else if [http_uri == dfg ] {pool dfg} Pool dfg have server XX,YY else pool default { pool default} pool default have server AA,BB } Example: when Client access www.domain.com , he will go to pool default and have cookie for AA or BB. But when client click link on that page to access www.domain.com/abc , he will go to pool abc, but now cookie information will change to Server CC/DD. And this problem will make client lose session with www.domain.com (he also lose session with www.domain.com/abc if he redirect or access other page because cookie information changed) How Can I fix this? like store cookie for each pool (client have cookie_default for pool default and cookie_abc for pool abc so when he access www.domain.com and www.domain.com/abc , he won't lose session) Thank youIrule for Cookie persistence on pool
HI all, I have written an Irule as follow: Select different persistence methods by HTTP URI when HTTP_REQUEST { Check the requested URI switch -glob [HTTP::uri] { "/cares/" - "/fraud/" - "/submit/*" - "/exchange/" - "/webauth/" { Request was for an Sticky URI so select the pool and unset persistence persist cookie insert CSWEB-STICK pool CSWEB-STICK } default { Request was for an NON sticky URI so select the pool and persist with default persistance profile persist none pool CSWEB-NSTICK } } } The problem is that on the selection of the pool that should stick with a cookie persistence, it is not working. In the logs I see the following Mar 4 10:55:23 ASH1-PROD3900-01 info tmm[11443]: Rule /Common/Persistence-logger : Request from client: 172.21.81.144:57111 contains no persistence cookie on vip /Common/CSWEB-PERSISTENCE-TEST; request was assigned to pool /Common/CSWEB-NSTICK and member 10.10.97.27:443 Mar 4 10:55:32 ASH1-PROD3900-01 info tmm[11443]: Rule /Common/Persistence-logger : Request from client: 172.21.81.144:57111 contains no persistence cookie on vip /Common/CSWEB-PERSISTENCE-TEST; request was assigned to pool /Common/CSWEB-NSTICK and member 10.12.34.107:443 Mar 4 10:55:32 ASH1-PROD3900-01 info tmm[11443]: Rule /Common/Persistence-logger : Request from client: 172.21.81.144:57111 contains no persistence cookie on vip /Common/CSWEB-PERSISTENCE-TEST; request was assigned to pool /Common/CSWEB-NSTICK and member 10.12.34.108:443 AS you can see the connections bounces from one node to the other since it cannot find a "cookie" . It is assigning the default pool which has a persist none before calling it. Is there something i might be doing wrong? it looks like the F5 is NOT inserting the cookie properly or at all... any help is appreciated
Load Balancing to Only One Pool Member
I have an issue where all traffic in a pool is going to the fifth of 5 pool members. We are using cookie persistence and I know there can be issues with that. We are also using both an http and OneConnect profile. From the sols and DC articles I've read it seems like the problem will arise if you do NOT have a oneconnect profile assigned. I have tried pulling http/oneconnect/tcp profiles on and off, using default profiles. The only thing I haven't tried is falling back to source address persistence. That is a last resort I do not want to use. Due to the application architecture source address persistence will definitely result in uneven load. All the "custom" profiles are built from an F5 guide for the application (Epic HyperSpace Web; Link to Guide). That being said this config seems pretty straight forward, but any help would be very much appreciated. We have captured traffic and seen the cookies present in the sessions. Below is the config. ltm virtual /PARTITION/v_80 { destination /PARTITION/10.10.1.1:80 ip-protocol tcp mask 255.255.255.255 persist { /PARTITION/Custom-cookie { default yes } } pool /PARTITION/pool_80 profiles { /PARTITION/Custom-OneConnect { } /PARTITION/Custom-http { } /PARTITION/Custom-lan-optimized { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled } ltm pool /PARTITION/Pool_80 { description "HTTP Pool" load-balancing-mode least-connections-member members { /PARTITION/001:80 { address 10.1.1.1 } /PARTITION/002:80 { address 10.1.1.2 } /PARTITION/003:80 { address 10.1.1.3 } /PARTITION/004:80 { address 10.1.1.4 } /PARTITION/005:80 { address 10.1.1.5 } } monitor /Common/http_head_f5 service-down-action reselect } Only change to custom oneconnect profile is mask is 255.255.255.255. Only change to tcp-lan-optimized profile is the idle timeout is set to 1200s. Only change to http profile is that 'Redirect Rewrite' is set to Matching. Custom cookie persistence uses default settings.
Timeouts on cookie persistence profiles on LTM 10.2.1
Running LTM 3900, software 10.2.1. If I create a persistence cookie from the GUI, the config stanza for it looks like this: profile persist mytest { defaults from cookie mode cookie cookie mode insert cookie name "OHHAI-IAMYOURCOOKIE" cookie expiration immediate override connection limit disable } I don't see a way to specify or modify the timeout from the GUI. If I change the timeout using tmsh, I see the change in my text config but there's no change in the GUI config display. profile persist mytest { defaults from cookie mode cookie timeout 180 cookie mode insert cookie name "OHHAI-IAMYOURCOOKIE" cookie expiration immediate override connection limit disable } Is this a tmsh-only configuration option? There also doesn't seem to be a way to remove the explicit timeout from the profile config. If I try to remove it using tmsh, I get an error message 'Syntax Error: "timeout" read-only property'. Is there a way to do this?cookie persistence issue with two BiG-ip
Dear : we have issue withcookie persistence not working if the server connect to inside LTM but if server connect to outside LTM cookie persistence working client traffic From 1 to 10 Outside VS Source Address Translation : Auto Map inside VS withcookie persistence Source Address Translation : Auto Map no Cookie onclient browser forpersistence BrIssues with setting up persistence for a JDA application
We are having issues with the JDA application VIPs that some of our vendors use and it seems to be specific to vendors whose source IP changes. Right now the VIP is using source affinity persistence, but JDA is recommending that we use cookie persistence, cookie rewrite specifically. I set this up in our certification environment first and it worked as expected. We implemented the same persistence profile on the production VIP and it did not work. They said they start seeing issues with the Session ID changing. I verified that the VIP and persistence profile were identical to the certification setup. We tried this both internally and externally on the production VIP and had the same result. Has anyone worked with JDA and can offer any advice?
