v4
637 Topics

Cookie Persistence and Troubleshooting
The BIG-IP persistence cookie is a valuable configuration option that allows stateful applications to remain persistent to a specific node with no additional configurations within the application or on the server(s) by doing something like clustering. I hear application development teams refer to this as “sticky session” or “stick sessions”, but in reality this cookie has nothing to do with a user’s “application” session, but has everything to do with the user’s session persistence to the same server that the application session was started on.

After reading an F5 Solution article (SOL6917: Overview of BIG-IP persistence cookie encoding) and learning that the information encoded within a BIG-IP Cookie could be useful I decided to make a tool that could decipher this information quickly so that I could use it for troubleshooting.

What is useful in a BIG-IP Cookie?

The BIG-IP Cookie contains the IP Address of the server that the client is being persisted to, as well as the server port that the connection is being established on.

So? Why is this useful? I could get that information from an iRule…

True, you can get this information logged within the LB::selected event within an iRule, but that requires you to make an iRule change to gather the information that you actually already have (unless you are encrypting your BIG-IP Cookies, which negates the usefulness of this tool). Most changes in Production require change management approval, which you get to bypass when using this tool if cookie persistence is configured.

There are many tools that you can use to capture the persistence cookie being provided by the BIG-IP. I commonly use Fiddler2 (http://www.fiddler2.com/fiddler2/)…

This is the application that I created to decipher the BIG-IP Cookies. The tool is semi-intelligent for the input. It can take any of the following and give the correct output:

    BIGipServerpool.ltm.ve.gamezone.com=336202250.40475.0000
    336202250.40475.0000
    336202250.40475

Paste the cookie into the tool and select ‘Auto-Parse’ option:

This will populate the Conversion Area:

Then select the ‘Decipher’ option:

This becomes useful for troubleshooting purposes to determine which server you are persisted to when you are trying to determine which member server is or is not having an issue. As you can see, this correctly identified which server I was communicating with in this pool of servers:

I hope that everyone finds this tool useful. If you find any issues or have any questions please feel free to contact me on DevCentral.

Source Code

The full source for this application can be retrieved at this link: CookietoolRelease.zip

2.5K Views, 0 likes, 5 Comments

Multiple domains to single IP
I am pointing multiple domains to a single IP on the F5. Say I have domaina.com, domainb.com and domainc.com, and they are all pointing to 10.1.1.1 in DNS. I have an irule that will take [HTTP::host] and then decide if it is going to a virtual directory on IIS.

    10.1.1.1/domaina
    10.1.1.1/domainb
    10.1.1.1/domainc

10.1.1.1 is the F5 server which load balances off to two IIS servers with hypothetical IPs of 10.1.2.1 and 10.1.3.1. The IIS servers are defined as nodes in the pool serving a VS for this multiple domain configuration.

    when HTTP_REQUEST {
      if { [domain [HTTP::host] 2] equals "domaina.com" } {
        # HTTP::redirect http://[HTTP::host]domainA[HTTP:uri]
        HTTP::redirect http://10.1.1.1/domainA
      } elseif { [domain [HTTP::host] 2] equals "domainb.com" } {
        HTTP::redirect http://10.1.1.1/domainB
      } elseif {[domain [HTTP::host] 2] equals "domainc.com" } {
        HTTP::redirect http://10.1.1.1/domainC
      }
    }

This gets everything to where I want it to go (so far, I'm new at this and I haven't tested anything except a single page yet, and there is probably a better way to do this), but the address bar comes up with http://10.1.1.1/domainc. Since they are public-facing websites, it would be nice to maintain the http://domaina.com/domaina or ideally just http://domaina.com. When trying the commented out piece, that just results in a loop because it continues to redirect itself. Perhaps there is better logic to run the condition against, or maybe I have the wrong approach. Any ideas?

It would be great to sort that out, as then you could have conceivably infinite domains running different sites from a single IP. One problem I am facing short term is that I am running out of IP addresses. It also crossed my mind to instead make virtual servers for each domain that spoke on the same IP address to the IIS servers, but different ports. Any input you might have would be most appreciated!

1.2K Views, 0 likes, 3 Comments

Run commands remotely on a BIG-IP load balancer????
Is there a way I could run commands remotely on a BIG-IP Load Balancer? I would want to run some Administration and Maintenance commands remotely on the BIG-IP load balancer. I would like to run the commands sitting on my Linux (or Windows) box, maybe through a shell script, and get the information. Get the configuration and statistical data on the remote machine. If possible I would like to get this done without SNMP.

1K Views, 0 likes, 4 Comments

Mapping SNMP interface index to interface name
My iControl application is given the SNMP interface index, which is a numeric value identifying a specific BIG-IP port/interface. iControl, of course, identifies interfaces by a string ("1.1", "2.1", etc.). So, I need to map this numeric value to the string. How do I do it?? I don't see any api in v4.5 of iControl to retrieve the numeric index value of an interface. Are there any plans for introducing such an api in v4.6??

Thanks,
Karthic.

1K Views, 0 likes, 5 Comments

node select expr based on server_addr
I'm going to map a server IP address (server_addr) for a wildcard virtual server to a pool member using the following node select expression:

    select node("192.168.0." + getfield("${server_addr}", '.', 4) + ":${server_port}")

Does this syntax make any sense? Will it work? Is there a more efficient way to choose a pool member IP address based on the server_addr variable?

Thank you,
Dmitriy

971 Views, 0 likes, 0 Comments

Find F5 machines in my network
Does anybody know how I can automatically search for F5 machines in my network from a Java program? I tried to scan an F5 machine using nmap but it does not send any response. I suppose F5 blocks or ignores that kind of traffic to improve the security. Can someone give me some idea? I have thought to try to connect to the iControl portal using https for each ip, but I think there must be a better method.

Thanks:
Miguel Fernandez

899 Views, 0 likes, 2 Comments

How do I save configurations on a bigip?
I can see the stuff in ConfigSync. But how does that relate to:

    bigpipe base save

and

    bigpipe save

It would appear that ITCMSystem.ConfigSync.save_configuration with the right flag will save either, but on the command line version the filename is different. Can I omit the filename to use the default? If I don't specify a fully qualified path, will it go in /config?

899 Views, 0 likes, 8 Comments

Irule to log client source IP
I am trying to log the source IP address of every request that hits a VIP on a 4.2 BigIP to a file, /var/log/ldap_clients.log on the Bigip. Right now there is no irule on the VIP, it is just using a pool.

    rule log_client_address {
      if ( client_addr != 0.0.0.0 ) {
        use pool corp_ldap_3895
        log (dont know how from here)
      } else {
        use pool corp_ldap_3895
      }
    }

Any help with syntax and logic is greatly appreciated.

836 Views, 0 likes, 10 Comments
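
Added example for the "Cookie Persistence and Troubleshooting" post above (not the author's tool or its source code): a small Python decoder for the default unencrypted IPv4 cookie encoding covered by SOL6917, accepting the three input forms that post lists. The function name is hypothetical; encrypted cookies and any other cookie format are rejected rather than guessed at.

```python
import re
import socket
import struct

# Default IPv4 form: <encoded ip>.<encoded port>[.0000], all decimal digits.
_COOKIE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})(?:\.\d{4})?$")


def decode_bigip_cookie(text):
    """Return (pool_name_or_None, ip, port) for a persistence cookie.

    Accepts 'BIGipServer<pool>=<value>', '<ip>.<port>.0000' and '<ip>.<port>'.
    Raises ValueError for anything else (for example an encrypted cookie).
    """
    text = text.strip()
    name, sep, value = text.rpartition("=")
    pool = None
    if sep:
        # By default the cookie name is 'BIGipServer' followed by the pool name.
        prefix = "BIGipServer"
        pool = name[len(prefix):] if name.startswith(prefix) else name
    match = _COOKIE_RE.match(value)
    if not match:
        raise ValueError("not a plain IPv4 BIG-IP persistence cookie value")
    ip_enc, port_enc = int(match.group(1)), int(match.group(2))
    if ip_enc > 0xFFFFFFFF or port_enc > 0xFFFF:
        raise ValueError("encoded address or port out of range")
    # Address: the four octets read as one little-endian 32-bit integer.
    ip = socket.inet_ntoa(struct.pack("<I", ip_enc))
    # Port: a 16-bit value stored with its two bytes swapped.
    port = struct.unpack(">H", struct.pack("<H", port_enc))[0]
    return pool, ip, port


if __name__ == "__main__":
    # The three sample inputs are the ones quoted in the post.
    for sample in (
        "BIGipServerpool.ltm.ve.gamezone.com=336202250.40475.0000",
        "336202250.40475.0000",
        "336202250.40475",
    ):
        print(sample, "->", decode_bigip_cookie(sample))
```
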