Forum Discussion

Bjarne_10209
Dec 05, 2011

source addr persistence and member selection across pools

Hi

I am at a customer that has a problem with cookie persistence. I can solve this by using source address affinity persistence instead, but I have a question about whether this can cause a problem in this scenario:

They have one VS, and with an iRule clients are sent to the right pool based on URI.

They have 5 different pools that the client can be sent to. All the pools have the same two members.

If member 1 fails in pool1 but is active in all other pools, and member 2 fails in pool 2 but is active in the other pools, will this cause a problem when I enable Match across pools?

The real question is: can I use source address affinity persistence even if there are several pools under one VS, and the pools have the same members, without causing problems for several users that come from a NAT address?

Regards

Bjarne

 

3 Replies

  • It seems to be okay for me. I am running 10.2.3. Please let me know if I missed anything.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       persist mypersist
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b profile mypersist list
    profile persist mypersist {
       defaults from source_addr
       mode source addr
       timeout indefinite
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            log local0. "client: [IP::remote_addr]:[TCP::remote_port]"
            log local0. "host: [HTTP::host]"
            log local0. "uri: [HTTP::uri]"
            if {[HTTP::uri] equals "/test1"} {
                    pool foo1
            } else {
                    pool foo2
            }
    }
    
    when LB_SELECTED {
            log local0. "pool: [LB::server pool]"
            log local0. "member: [LB::server addr]"
    }
    
    when LB_FAILED {
            log local0. "just in case"
    }
    
    when HTTP_RESPONSE {
            log local0. "server: [IP::remote_addr]:[TCP::remote_port]"
    }
    }
    
    [root@ve1023:Active] config  b persist show all
    No Persistence Table Entries were found.
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/test1
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 05:27:48 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  5 21:27:34 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:44874
    Dec  5 21:27:34 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  5 21:27:34 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /test1
    Dec  5 21:27:34 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo1
    Dec  5 21:27:34 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  5 21:27:34 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 4sec
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/other
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 05:28:13 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  5 21:27:58 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:44903
    Dec  5 21:27:58 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  5 21:27:58 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /other
    Dec  5 21:27:58 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo2
    Dec  5 21:27:58 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  5 21:27:58 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 29sec
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 5sec
    
    [root@ve1023:Active] config  b pool foo1 member 200.200.200.101:80 monitor fake
    [root@ve1023:Active] config  b pool foo1 |grep -i pool\ member
    +-> POOL MEMBER foo1/200.200.200.101:80   inactive,down
    +-> POOL MEMBER foo1/200.200.200.102:80   active,unchecked
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 113sec
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 89sec
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/test1
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 05:28:30 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  5 21:29:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:35084
    Dec  5 21:29:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  5 21:29:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /test1
    Dec  5 21:29:36 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo1
    Dec  5 21:29:36 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.102
    Dec  5 21:29:36 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.102:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.102:80   age 5sec
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 103sec
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/other
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 05:30:32 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  5 21:30:18 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:35155
    Dec  5 21:30:18 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  5 21:30:18 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /other
    Dec  5 21:30:18 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo2
    Dec  5 21:30:18 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  5 21:30:18 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.102:80   age 49sec
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 7sec
    
    
  • Thanks for the reply, nitass.

    I forgot to mention that I will use the Match Across Pools option. I can see that there is no problem when not using this option, but when it is enabled I wonder what would happen when you use the same member in all of the pools. If I only have two members, and one fails in one pool, and the member fails in another pool, will the user behind the NAT addr. be moved between the members constantly, with the effect that the persistence will fail?
  • "If I only got two members, and one will fail in one pool, and the member fails in another pool."

    When saying failing, what does it really mean? Is the pool member marked down by a health monitor (pool member is down on one pool but up on another pool)? If yes, I understand traffic will still be directed to that pool member on another pool (which is up) because of the match across pools setting.

    Match Across Pools

    The Match Across Pools option allows the BIG-IP to use any pool that contains a persistence record for that specific client. You must proceed cautiously when using this option, as it can direct a client's request to a pool that is not specified by the virtual server.

    sol5837: Match Across options for session persistence

    http://support.f5.com/kb/en-us/solutions/public/5000/800/sol5837.html

    e.g.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       persist mypersist
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b profile mypersist list
    profile persist mypersist {
       defaults from source_addr
       mode source addr
       timeout indefinite
       across pools enable
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            log local0. "client: [IP::remote_addr]:[TCP::remote_port]"
            log local0. "host: [HTTP::host]"
            log local0. "uri: [HTTP::uri]"
            if {[HTTP::uri] equals "/test1"} {
                    pool foo1
            } else {
                    pool foo2
            }
    }
    
    when LB_SELECTED {
            log local0. "pool: [LB::server pool]"
            log local0. "member: [LB::server addr]"
    }
    
    when LB_FAILED {
            log local0. "just in case"
    }
    
    when HTTP_RESPONSE {
            log local0. "server: [IP::remote_addr]:[TCP::remote_port]"
    }
    }
    [root@ve1023:Active] config  b pool foo1 list
    pool foo1 {
       members {
          200.200.200.101:80 {}
          200.200.200.102:80 {}
       }
    }
    [root@ve1023:Active] config  b pool foo2 list
    pool foo2 {
       members {
          200.200.200.101:80 {}
          200.200.200.102:80 {}
       }
    }
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/test1
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 11:42:23 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config 
    Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:34194
    Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /test1
    Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo1
    Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 56sec
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/other
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 11:43:50 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:60193
    Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /other
    Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo1
    Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 19sec
    
    [root@ve1023:Active] config  b pool foo1 member 200.200.200.101:80 monitor fake
    [root@ve1023:Active] config  b pool foo1|grep -i pool\ member
    +-> POOL MEMBER foo1/200.200.200.101:80   inactive,down
    +-> POOL MEMBER foo1/200.200.200.102:80   active,unchecked
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/other
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 11:48:35 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:47676
    Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /other
    Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo2
    Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  6 03:48:21 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 18sec
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/test1
    HTTP/1.1 404 Not Found
    Date: Tue, 06 Dec 2011 11:49:06 GMT
    Server: Apache/2.2.3 (CentOS)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    [root@ve1023:Active] config  
    Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:47730
    Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: host: 172.28.19.79
    Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /test1
    Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo2
    Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: member: 200.200.200.101
    Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule HTTP_RESPONSE: server: 200.200.200.101:80
    
    [root@ve1023:Active] config  b persist show all
    PERSISTENT CONNECTIONS
    |     Mode source addr   Value 172.28.19.80
    |        virtual 172.28.19.79:80   node 200.200.200.101:80   age 17sec
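
An added example, not part of the thread: a Python check over tmm log lines excerpted from the across-pools test above that flags requests where the pool chosen at LB_SELECTED differs from the pool myrule assigns by URI, which is the behaviour sol5837 warns about. The function names are hypothetical, and it assumes log lines from different clients are not interleaved, as in the thread's single-client lab.

```python
import re

# tmm log lines excerpted from the thread's across-pools test
# (host, member and server lines omitted for brevity).
SAMPLE_LOG = """\
Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:34194
Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /test1
Dec  6 03:42:09 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo1
Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:60193
Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /other
Dec  6 03:43:36 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo1
Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:47676
Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /other
Dec  6 03:48:20 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo2
Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: client: 172.28.19.80:47730
Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule HTTP_REQUEST: uri: /test1
Dec  6 03:48:52 local/tmm info tmm[8145]: Rule myrule LB_SELECTED: pool: foo2
"""

# Matches the "key: value" messages that myrule writes with "log local0."
LINE_RE = re.compile(r"Rule (\S+) ([A-Z_]+): (\w+): (\S+)\s*$")

def expected_pool(uri):
    """Pool that myrule assigns for a URI (same logic as the iRule in the thread)."""
    return "foo1" if uri == "/test1" else "foo2"

def parse_requests(log_text):
    """Group log lines into one dict per request; a 'client:' line starts a request."""
    requests = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        _rule, _event, key, value = m.groups()
        if key == "client":
            requests.append({"client": value.rsplit(":", 1)[0]})
        elif requests:
            requests[-1][key] = value
    return requests

def find_pool_overrides(log_text):
    """Return (client, uri, pool_from_irule, pool_selected) for each mismatch."""
    return [
        (r["client"], r["uri"], expected_pool(r["uri"]), r["pool"])
        for r in parse_requests(log_text)
        if "uri" in r and "pool" in r and r["pool"] != expected_pool(r["uri"])
    ]
```

Calling `find_pool_overrides(SAMPLE_LOG)` reports the `/other` request served from foo1 and the later `/test1` request served from foo2.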