LTM honoring Session Cookie set by another LTM

Question

We have an application which is GTM-enabled, and has virtual servers in two different data centers on two independent LTM pairs (10.2.0). The virtuals are being load-balanced by the GTM with Round Robin. Now the application requires Cookie Persistence to be maintained across LTMs. Both virtuals use Session cookies with the "HTTP Cookie Insert" method.&nbsp;
&nbsp;Based on our testing, it seems that one LTM will honor the session cookie set by another LTM. This makes sense after I decoded the cookie and found that the value of the cookie is simply the address and port of the pool member. We have successfully combined this Cookie behavior with some Priority Activation trickery in an iRule to selectively enable SNAT when a pool member is not local to the LTM.&nbsp;
&nbsp;The question we are asking ourselves is whether or not this supported behavior, is it more of a coincidence that we can take advantage of, or is it something that we are cautioned against using?&nbsp;

hooleylist · Answer

Hi SMP, &nbsp;
&nbsp; This is expected and supported as the persistence cookie value is an encoding of the pool member IP:port.  The cookie name is by default set with the pool name.  As long as the pool name is the same for both LTMs this will work fine.  If the pool name is different but the member addresses and ports are the same, you could create a custom cookie insert persistence profile on each LTM pair with the same custom cookie name&nbsp;&nbsp;
http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html
&nbsp;&nbsp;
 Aaron

l4l7_53191 · Answer

SMP: this is by design, and is one of the reasons why I love using this method for persistence. It's essentially offloading the persistence record to the client, which means that it's now portable across setups exactly like yours.  
&nbsp;  
&nbsp; Rock on, it'll work - good design work, as usual :) 
&nbsp;  
&nbsp; --Matt

smp_86112 · Answer

L4L7 - long time no speak. Nice to hear from you again.
Thanks for the feedback guys. I just realized I never completed this thought. Here's where we were planning to go with this idea. We set up VIPs on each LTM pair which are configured with the same Pool names. The Pools are configured with the same members - some from each data center. The priority of the members in the LTM's internal VLAN are set higher (and equal) than the members in the remote data center. Setting the priority in this way ensures new connections are load-balanced only to the local data center under normal conditions.
Then we apply this logic to an iRule on both VIPs:
when LB_SELECTED {
  if { [LB::server priority] == 0} {
    snat automap
  }
}When a client connection with a cookie referencing a remote pool member comes in, it seems to fire the LB_SELECTED event. So we look at the priority and only SNAT when the member is in the remote data center (i.e. has the lowest priority). We can then use GTM Round Robin load-balancing which gives us the best load distribution, without losing client Persistence.
See any flaws with that configuration?

Forum Discussion

LTM honoring Session Cookie set by another LTM

3 Replies

Recent Discussions

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

Related Content

DevCentral 2024 - Share Another Day

Ending an APM session when browser tab is closed

Another Bash script to backup a BIG-IP device.

Agility sessions announced

pool members can't connect to another Virtual Server