iRule to Redirect to Another VS on the same LTM
Hi guys - I'm trying to get the following scenario working: My domain "; maps to a public IP "1.1.1.1" and I have a virtual server configured on my F5 with "1.1.1.1:443" I have two unrelated applications with competing requirements running on different URIs on the same domain , one is a HR application (/abc) and the other is a inventory application (/def) I need to create a design which accomodates both applications with a single domain name, and find a way to accomodate both their conflicting requirements under the same domain name To solve this problem, I thought that I should do something like this, on the main virtual server 1.1.1.1:443, I put in an iRule with the following code: when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/abc" } { virtual VS2 } else if { [string tolower [HTTP::uri]] starts_with "/def" } { virtual VS3 } else { HTTP::respond 200 content "Unrecognised URI, please recheck your address" } } This would redirect incoming requests with "/abc" in the URI string to VS2 and incoming requests with "/def" in the URI string to VS3. Then I could create customised solutions for both applications in their respective virtual servers. So drawing this flow out, I think this is how it would look: But what I don't understand is how the Return Traffic and the Persistence Profiles work in this scenario. How do I make sure that the traffic flows this way: User to Server: User > VS1 > VS2 > Pool 2 (Server) Server to User: Pool 2 (Server) > VS2 > VS1 > User Do I do SNAT Auto Map on both VS1 and VS2 or do I just do SNAT Auto Map on VS2 with Auto Last Hop enabled? And on the question of persistence, if I intend to use source_addr persistence - I would definitely not be able to do a SNAT Auto Map on VS1, how do I then ensure that when the server responds, VS2 sends the traffic back to the user via VS1?
Fallback Persistence Profile - how it works
Hi, I don't know if this is bug or correct behavior - tested on 11.2.0 Setup: VS with Default Persistence Profile: cookie insert Fallback Persistence Profile: source address Result: First request from client (without cookie): Set-Cookie header in response setting BIGipServer... cookie Persistence Record (PR) created - makes sense because there was no cookie in client request Second request from client Cookie send in request PR timeout refreshed - could be OK as PR exists matching client IP but because Cookie is provided why it's used? Third request - after PR was manually deleted Cookie send in request PR record created Why PR is recreated when cookie exists? Which persistence is in fact used - cookie or source address? Piotr
"Always Send Cookie" problems?
Is there a downside to choosing "Always Send Cookie" in an "HTTP Cookie Insert" persistency profile? I am troubleshooting an issue with Cloudflare and a potential issue with my current F5 settings. The below is specifically called out by CF (re: the F5), but I am not 100% that it correlates to the "Always Send Cookie" setting. Per Cloudflare, via https://support.cloudflare.com/hc/en-us/articles/212794707-General-Best-Practices-for-Load-Balancing-with-Cloudflare; // Session cookies section above Cloudflare article If using HTTP cookies to track and bind user sessions to a specific application server at the load balancer, it is best is to configure the load balancer to parse HTTP requests by cookie headers and directing each request to the correct application server even if HTTP requests share the same TCP connection due to keep-alive. For example: F5 BIG-IP load balancers will set a session cookie (if none exists) at the beginning of a TCP connection and then ignore all cookies passed on subsequent HTTP requests made on the same TCP socket. This tends to break session affinity because Cloudflare will send multiple different HTTP sessions on the same TCP connection. (HTTP cookie-based session affinity).Persistence and NAT
Hello, we're using an F5 BIG IP active/passive cluster to loadbalance Always On VPN connections. To avoid asymmetric routing we're using NAT, so the VPN gateway servers will always see the same IP address for the clients. We currently have src_addr persistence profile applied which results in the same VPN gateway server recieving all the connections - can anyone tell me what the best option would be for persistence so that the connections are balanced accross the VPN servers? We did try no persistence but this resulted in connection failures on the VPN clients.Ratio (Session) and Least Sessions
Hello, I wanted to fully understand the Ratio(Session) load balancing method. I was reading the description of load balancing methods here and about the Least Session here. I came across this question in the forums, but the links are old and it doesn't provide a clear answer, I want to know what exactly is considered a session in the Ratio(session), it's mentioned for the Least sessions that it depends on a Persistence profile (least number of entries in the persistence table) to determine the sessions for each pool member, for example HTTP cookie determines the session in this case, is it the same case for Ratio(Session)? What is meant by a session exactly in the Ratio(Session) and is there a real-world example for this case? In this article, it's mentioning that Ratio(Session) is used for protocols that transmit multiple messages over the same connection, is this the same case for HTTP for example using Cookie persistence like Least Sessions? It's not very clear to me how the system will count sessions if it's not based on persistence like the Least Sessions. When I applied this load balancing method to a pool with multiple members, I noticed the requests where going to one member only. Thanks
Multiple method persistence
Hello. I need to setup load-balancing for a visio application, which is quite complex, as I don't need just to ensure session persistence for a single user, but for multiple users participating to the same conference. According to my understanding of reference documentation, I need to use an universal persistence profile (or eventually hash persistence profile, as it only differs by hashing lookup value), and write an iRule, such as: when HTTP_REQUEST { # extract roomID from room parameter in query string set roomID [getfield [URI::query [HTTP::uri] room] "@" 1 ] if { $roomID != "" } { persist uie $roomID 3600 log local0. "Using Jitsi room ID $roomID for persistence: [persist lookup uie $roomID]" } } Once a corresponding persistence profile assigned to the virtual server, it works as expected. However, I also have to ensure persistence for authentication requests, this time with more classical requirements, ie every authentication requests for a given user must reach the same pool node. I first considered the use of a fallback persistence profile (either cookie, ssl, or source address), so as to keep the irule simple. However, documentation discourage using fallback persistence for this purpose: If Fallback persistence becomes the chosen persistence method, a Default persistence entry will not be created for the client connection until the Fallback persistence idle timeout period expires. Because of this, Fallback persistence may appear to override Default persistence and may not be a good choice. See Recommendations, following, for additional information. So I added another clause in my iRule, still using uie method, but with client address as lookup key, hence reinventing simple persistence: if { [HTTP::path] starts_with "/Shibboleth.sso" } { persist uie [IP::client_addr] 3600 log local0. "Using client IP adress for persistence: [persist lookup uie [IP::client_addr]]" } According to the documentation, I may be able to mix persistence methods in a single iRule (one of the example given here mixes source_addr and cookie methods), but some of those methods (ssl, msrdp, cookie) also requires a corresponding persistence profile assigned to the virtual server. Whereas I already use an universal persistence profile. So basically, I'm a bit lost among multiple options, especially the relation between persistence profiles and persistence methods, and I have a few questions: Is there any recommended practice for using multiples persistence methods in a single iRule ? if only ssl and cookie methods require a corresponding profile, what is the interest of using an universal persistence profile, instead of just assigning the persistence irule to the virtual server ? If I'm assigning a cookie persistence profile and a persistence irule using uie method to the same virtual server, how will persistence work ? I hope I have been clear enough 🙂 Thanks for your interest.
Persistence Profile Issues
I am having an interesting issue with a persistence profile. It works wonderful in QA but is not working in production. I've created a persistence profile with the following attributes: Parent Profile Universal Mirror Persistence Enabled iRule Enabled and pointed Timeout Enabled and set to 28800 seconds The iRule: when HTTP_RESPONSE { if { [HTTP::cookie exists "ASP.NET_SessionId"] } { persist add uie [HTTP::cookie "ASP.NET_SessionId"] pool po-server-https } } when HTTP_REQUEST { if { [HTTP::cookie exists "ASP.NET_SessionId"] } { persist uie [HTTP::cookie "ASP.NET_SessionId"] pool po-server-https } } In the virtual server instance I then set Default Persistence Profile to this new created profile. This all works wonderfully in QA and the client is persisted to one server based on their cookie value for ASP.NET. The pool names are correct, the cookie exists in both environments etc. but in production, the persistence is not taking place and the client is jumping between servers in the pool. Does anyone have ideas on this one or a path forward to troubleshoot this via clean logging that doesn't inundate the server?Loadbalancing a 2-stage proxy environment - persistence problems
Hello fellow F5-experts, My situation: I try to loadbalance Web-Proxy traffic. In genenal it seems to work, but we've run into some problems relating to websites with weird session handling. I sketched up the environment in the following Image A clients uses VS-A as it's HTTP proxy. This VS loadbalances to two of our own proxies in Pool A. Those are not transparent, so outgoing traffic toward their upstream proxy (VS-B) will have the Pool A node's IP as source address. The Proxies use the HTTP: Connect method. VS-B on the other hand, has a Pool B attached with a lot (as in really a lot) other proxy servers, that are not under our control (but are trustworthy, and have to be used. No way around it). VS-A: Type Standard HTTP-Profile: http-transparent (to be able to use LB method Fastest (node)) Source Address Translation: none Default Persistence Profile: source_addr Pool A: LB Method: Fastest (node) VS-A: Type Standard HTTP-Profile: http-transparent (to be able to use LB method Fastest (node)) Source Address Translation: SNAT Default Persistence Profile: none Pool B: LB Method: Fastest (node) Problem: On some websites, people complain about loosing their sessions. I tracked it down to the VS-B, which can not persist connections to a website to the same node in Pool B. Since the VS-B does not see the original client IP, but only the 2 proxy IP's I have no idea how to establish a propper persistence. For a very important website, i wrote an iRule that "hard-binds" to a single Node in Pool B, based on the HTTP:URI. My question: Is my config any viable? Or what should I change? I read a lot of article here, but I never had the feeling, that those met my situation with the "2-stage" proxy environment. I was thinking about adding a http header with the original client IP by an iRule in VS-A so I have something to make a persistence decision in VS-B, but I'm not sure how to do that. I also often read about applying the OneConnect profile combined with proxy loadbalancing, but I don't think I really understood the reason and/or benefit, nor do I know where to apply it in this environment. I hope I made it some kind of clear what I try to accomplish and where the problems are, since English is not my mother language and I'm a but rusted using it. Any help or hint is very much appreciated. Thanks in advance, ichnafi EDIT:(28th Feb) I just found out, that the desired website can be acquired from the HTTP::host header even by Vs-B. So would it be possible to establish a persinstence for the combination client IP and HTTP::host header? EDIT2: Possible Solution found (1st Mar) I currently endet up with an iRule creating a universal persistence based on the http::host header. the iRule is then bound to a universal Persistense-Profile. The iRule looks lilke this: when HTTP_REQUEST { persist uie [HTTP::host] } I'm thinking of maybe creating a custom header that contains a combination of client_ip and http:host value to get an even more definite persistence, but not quite sure about that. What do you guys think?
