I need to create an IRule that will do a cookie insert and I can't use other cookie persistant functions. There are two different services set up (443 & 80) for the same virtual server, a user may start on port 80 and then be redirected to port 443, I need the persistant cookie to be retained from port 80 to port 443. Has anyone done anything like this?

I'm thinking you could define the nodes on port any (0) and then use the standard cookie insert persistence profile, but I haven't tested this. Else, you could try referring to this related post: Click here Aaron

The nodes aren't where the port is defined, our configuration defines that at the Virtual Server level. I have two virtual servers, one for port 80 & one for port 443. The VServer for Port 80 has a cookie insert profile and has an iRule that directs it up to SSL. Then the second VServer serves up the SSL traffic but the cookie that was inserted at port 80 is not maintained. Let me know if this doesn't make sense, this is my first time posting.

If the VIPs are configured on the same IP address (and domain), you could define the nodes on port 0 and use the same pool for both VIPs. Then configure cookie insert persistence on both VIPs. I believe this should work as the persistence entry in the cookie is recording the node's IP address and service that a request is load balanced to (not the VIP's port). The VIPs need to be on the same IP address or domain so that the client will present the cookie when requests go to the HTTPS VIP. Aaron

Unfortunately, can't define the node to port 80 since we're using the Big-IP for SSL termination. Since we are SSL terminating, we need the defined endpoint.

If you define the port on a single pool to 0 and disable address translation, the connection to the pool will be made using the same destination port as the VIP. So if you have two pools currently: one on port 443 and the other on port 80, you could replace them with a single pool on port 0. The persistence record added to the cookie will then be valid for both VIPs. On the other hand, if you're leaving the traffic from the 443 VIP decrypted to the node, you should be able to use just one pool defined on port 80. If neither of these scenarios are accurate, please provide more detail on what you have configured and what you require. Thanks, Aaron

Cookie Insert Persistance - Same V Server, different Service

13 Replies

dennypayne
Employee
Jul 21, 2006
Try using a http profile that has the "Persist across virtual servers" and "Persist across virtual services" checkboxes enabled.

Denny
Susan_Cahill_82
Nimbostratus
Jul 22, 2006
Unfortunately we don't have that option. We're running version 9.2.3 and the Match Across Server option is not available for cookie insert profile. The only cookie method that will Match Across Servers is Hash.
hooleylist
Cirrostratus
Jul 22, 2006
Hi,

"match across" functionality was never actually available for anything but hash persistence, but the CLI/GUI errantly allowed it to be configured. This was fixed in 9.2.x as noted in CR54410.

I went through and tested using cookie persistence on two VIPs on the same virtual address:

VIP1:443 -> client SSL profile -> pool1:80

VIP1:80 -> iRule to redirect requests to /redirect to HTTPS, else use pool1:80

I made a few requests to VIP1:80 that didn't match the redirect rule, so a persistence cookie would be set. I saw the following cookie set by the BIG-IP:

BIGipServerhttp_200_2_node_pool=1090526636.20736.0000; path=/

The cookie value can be calculated using the following formula:

You can perform the encoding using the following equation for address (a.b.c.d):

d*(256^3) + c*(256^2) + b*256 +a

The way to encode the port is to take the two bytes that store the port and reverse them. Thus, port 80 becomes 80 * 256 + 0 = 20480. Port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.

I then made a request which was redirected by the rule to HTTPS://[HTTP::host]. The browser still presented the cookie as the HTTP host of the cookie matched the requested host. The request was persisted to the same node in pool1:80.

At this point, I don't think this is an iRule issue (or even a persistence issue), as persistence is working as expected.

I talked with the person in Support who was working on your case and gave them this info. I asked them to contact you to get more debug information to help solve this problem. If you have any questions, please refer to the case.

Thanks,

Aaron

Forum Discussion

Cookie Insert Persistance - Same V Server, different Service

13 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Persistent and Persistence, What's the Difference?

Provide Content of different Webapps with one Virtual Server

Decoding the IPv4 address from the persistence cookie

Copper SFP Differences

F5 Distributed Cloud Origin Server Subset Rules