Need assitance in applying URI based customized persistence profile through iRule

Question

We are looking to apply jsessionid based persistence profile for specific URI. However we have created jsessionid persistence profile through iRUle. But unable to apply this for a specific URI request on VIP.&nbsp;
VIP has the default cookie persistence applied to it. But we would like to persist the session for specific URIs : /abc* with customized jsessionid based persistence profile.&nbsp;
Tried with below option but no help, this considers 'JSESSIONID_Persistence' as its KEY for the persistence but not uses this customized persistence profile.&nbsp;
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/abc*" {
pool pool_abcservers
persist uie JSESSIONID_Persistence
}&nbsp;
Thanks,
Rajendra&nbsp;

matt_breedlove_ · Answer

Hi Rajendra,&nbsp;
You can do both types of persistence on the same VS, but you will probably want to remove the persistence from the VS itself and rely on the IRULE to do all the persistence.&nbsp;
In the irule this is easy to do. You can isolate the persistence in the logic of the irule and  tell the current connection to persist on JSESSIONID or on cookie persistence depending on the condition.
Let me know if you need more help with getting this implemented. If you can paste the current irule/VS config you are working with, that could be helpful&nbsp;
Thanks
Matt&nbsp;

rajendra_129865 · Answer

Thanks Matt for your suggestion. Below I have listed the entire VIP configuration example. I also tried to use the below statements in rule1 for specific URI persistence. This worked for only login and application login and logout session.  But traffic related to any process done after logging to the application, used to load balance among the pool members and application breaks.

"/abc*" { 
  if { [HTTP::cookie exists "JSESSIONID"] } {
    persist uie [HTTP::cookie "JSESSIONID"] 300
  }
  pool pool_abcservers 
 }

when HTTP_RESPONSE {
    if { [HTTP::cookie exists "JSESSIONID"] }  {
       persist add uie [HTTP::cookie "JSESSIONID"]
    }
}

*********************************
virtual vs_X.X.X.X_https {
   snatpool Automap
   pool defaultapp_pool
   destination X.X.X.X:https
   ip protocol tcp
   rules {
      rule1
      rule2
      rule3
   }
   persist cookie_encrypt
   profiles {
      http_xforward {}
      oneconnect {}
      tcp {}
      Client_SSL {
         clientside
      }
   }
}

rule rule1 {
when HTTP_REQUEST { 
 switch -glob [HTTP::uri] { 
  "/abc*" { 
  pool pool_abcservers 
  persist uie JSESSIONID_Persistence 
 }
 "/xyz*" {
 pool pool_xyzservers
 }
 "/bcd*" {
 pool pool_bcdservers
 }
}  
}
}

rule rule2 {
when HTTP_REQUEST {
set host [string tolower [HTTP::host]]
if {($host contains "abc.example.com") } {
node 1.2.3.4 8001
}
}
}

rule rule3 {
   when HTTP_REQUEST {
   set host [string tolower [HTTP::host]]

if {   ($host contains "qa-fs") or ($host contains "qa-sg")  } then {
node 10.10.10.25 80
} elseif {  $host contains "qa-fs.examblog" } then {
node 10.10.10.25 90
} elseif {  ($host contains "dev") or ($host contains "dev-exam") } then {
node 10.10.10.35 80
} elseif {  $host contains "dev.examblog" } then {
node 10.10.10.35 90
               }
 }
}
*********************************

nitass · Answer

This worked for only login and application login and logout session.  But traffic related to any process done after logging to the application, used to load balance among the pool members and application breaks.

do all the uri after logging in start with /abc?
is it possible the request after logging in matches more than one condition in the irules?
have you tried tcpdump/ssldump to see what is going on exactly? you have private key to decrypt traffic, haven't you?
e.g.
 tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y or host z.z.z.z -v

x.x.x.x is virtual server ip
y.y.y.y is pool member ip
z.z.z.z is another pool member ip

by the way, i think the rule1 should look like this.
when HTTP_REQUEST { 
  switch -glob [HTTP::uri] { 
    "/abc*" { 
      if { [HTTP::cookie exists "JSESSIONID"] } {
        persist uie [HTTP::cookie "JSESSIONID"] 300
      }
      pool pool_abcservers 
    }
  }
}
when HTTP_RESPONSE {
  if { [HTTP::cookie exists "JSESSIONID"] }  {
    persist add uie [HTTP::cookie "JSESSIONID"]
  }
}

nitass_89166 · Answer

This worked for only login and application login and logout session.  But traffic related to any process done after logging to the application, used to load balance among the pool members and application breaks.

do all the uri after logging in start with /abc?
is it possible the request after logging in matches more than one condition in the irules?
have you tried tcpdump/ssldump to see what is going on exactly? you have private key to decrypt traffic, haven't you?
e.g.
 tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y or host z.z.z.z -v

x.x.x.x is virtual server ip
y.y.y.y is pool member ip
z.z.z.z is another pool member ip

by the way, i think the rule1 should look like this.
when HTTP_REQUEST { 
  switch -glob [HTTP::uri] { 
    "/abc*" { 
      if { [HTTP::cookie exists "JSESSIONID"] } {
        persist uie [HTTP::cookie "JSESSIONID"] 300
      }
      pool pool_abcservers 
    }
  }
}
when HTTP_RESPONSE {
  if { [HTTP::cookie exists "JSESSIONID"] }  {
    persist add uie [HTTP::cookie "JSESSIONID"]
  }
}

rajendra_129865 · Answer

Yes as of now I have applied this iRule only. Verified the tcpdump logs and found that although jsessionid is same and connection gets load balanced instead of persisting to same server.

Below is an output from LB and captured for specific Jsession ID - 14E5399BEC47CD1BED0237CD845EE225. From the output observed that although the jsessionid is same and is getting load balanced between pool members 10.247.98.34:8002 and 10.247.98.34:8003.

**************************************************
universal - X.X.X.X:443 - 10.247.98.34:8002
---------------------------------------------------
  TMM           0
  Mode          universal
  Key           14E5399BEC47CD1BED0237CD845EE225
  Age (sec.)    146
  Virtual Name  vs_X.X.X.X_https
  Virtual Addr  X.X.X.X:443
  Node Addr     10.247.98.34:8002
  Pool Name     pool_abcservers
  Client Addr   10.243.119.81

universal - X.X.X.X:443 - 10.247.98.34:8003
--------------------------------------------------------------------------------------------------------------------------------
  TMM           1
  Mode          universal
  Key           14E5399BEC47CD1BED0237CD845EE225,CRQ99077=576911114.17183.0000,path=/,secure=secure,Secure=Secure,Path=/abc,
  Age (sec.)    143
  Virtual Name  vs_X.X.X.X_https
  Virtual Addr  X.X.X.X:443
  Node Addr     10.247.98.34:8003
  Pool Name     pool_abcservers
  Client Addr   10.243.119.81

universal - X.X.X.X:443 - 10.247.98.34:8002
--------------------------------------------------------------------------------------------------------------------------------
  TMM           0
  Mode          universal
  Key           14E5399BEC47CD1BED0237CD845EE225,CRQ99077=576911114.17183.0000,secure=secure,path=/,Secure=Secure,Path=/abc,
  Age (sec.)    145
  Virtual Name  vs_X.X.X.X_https
  Virtual Addr  X.X.X.X:443
  Node Addr     10.247.98.34:8002
  Pool Name     pool_abcservers
  Client Addr   10.243.119.81
**************************************************

Forum Discussion

Need assitance in applying URI based customized persistence profile through iRule

6 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

custom response page for api

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

Decoding the IPv4 address from the persistence cookie

Setting up persistence in F5 XC