ccraddock_33000
Nov 27, 2017

iRule and Cookie persistence

Hello DevCentral,

I am experiencing an issue when my iRule is applied to my VS that has cookie persistence applied. Users are complaining that they are getting kicked out of their sessions randomly as they click through the web page. I believe what is happening is that when the user establishes a connection with the VS, the iRule is not keeping track of which server in the pool the session was tied to. So when they click forward through the page, the iRule will sometimes direct their request to the other pool member in the pool. How do I tell the iRule to make sure the user always hits the same server for the same session? I'm reading about the "persist" option but am not quite sure how to write it into the iRule.

As a workaround we disabled one of the web servers in the pool to guarantee all individual sessions go to the same pool member. I've pasted the iRule syntax below. The iRule basically states "if the URI contains the word "resources" then send the request to the NGNX Pool (pool_atlprdngn170-a), otherwise send it to the web pool (pool_atlprdweb170-a)."

I've attached relevant configs below. Thanks:

ltm virtual virt_www.abc-xyz.com_443 {
    destination 10.110.8.37:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        encrypted_cookie {
            default yes
        }
    }
    pool pool_atlprdweb170-a
    profiles {
        http { }
        prof_www.abc-xyz.com {
            context clientside
        }
        tcp { }
    }
    rules {
        irule_block_heartbeat_from_external_IPs
        irule_abc_net_only_any_sso_call
        irule_atlprdweb170-a
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 114
}

ltm pool pool_atlprdweb170-a {
    members {
        atlprdweb17001:webcache {
            address 10.110.14.186
            session monitor-enabled
            state up
        }
        atlprdweb17002:webcache {
            address 10.110.14.187
            session monitor-enabled
            state down
        }
    }
}

ltm rule irule_atlprdweb170-a {
    when HTTP_REQUEST {
        # Paths under /resources/ go to pool_atlprdngn170-a; everything else to pool_atlprdweb170-a
        if { [HTTP::path] matches_regex "^/resources/.*" } {
            pool pool_atlprdngn170-a
        } else {
            pool pool_atlprdweb170-a
        }
    }
}

8 Replies

  • Cookie persistence is passive and does not need iRule intervention. What kind of profile is prof_www.gsb-docs.com?

     

  • WithF5

    What you can try is to activate the Match Across... I would suggest you try Match Across Services first... you have to activate it in the persistence profile.

     

    https://support.f5.com/csp/article/K5837

     

    Depending on the BIG-IP version you are using, it is only possible to enable that via TMSH.

     

  • WithF5,

     

    Thanks for this! I think the Match Across Pools option may be what I'm looking for. Again, what I think is happening is that every time the user clicks through the web portal, the request is matching the iRule logic; sometimes the request for the same session hits the same pool member, and sometimes it doesn't and gets redirected to the other pool member. Is there any way to see which pool member a particular session is assigned to?

     

  • You can decode the cookie values to determine destination. I think the likely issue is the lack of a oneconnect profile on your virtual server. Without oneconnect, the initial request in the TCP connection is load balanced to server A, and all subsequent requests within that TCP connection will also go to server A regardless of persistence because BIG-IP typically load balances connections, not requests. OneConnect overrides that behavior by effectively detaching the server side of the connection and forcing a load balancing decision on every request.

     

    You can read more about OneConnect and HTTP here.
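
Decoding the cookie, as mentioned in the reply above, shown as an added example that is not part of the original thread: it assumes the default unencrypted IPv4 cookie format (`<ip>.<port>.0000`, named `BIGipServer<pool>`) and that `webcache` is port 8080. If the persistence profile has cookie encryption enabled, the value is opaque to the client and the decoder returns `None`; the sample header is constructed.

```python
import ipaddress
import re
import struct

# Default (unencrypted) IPv4 persistence cookie value: <ip>.<port>.0000
_COOKIE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value):
    """Return (ip, port) for an unencrypted IPv4 persistence cookie, else None."""
    m = _COOKIE_RE.match(value.strip())
    if not m:
        return None  # encrypted, another cookie format, or not a persistence cookie
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # Each field is the network-order bytes read back as a little-endian integer.
    ip = ipaddress.IPv4Address(struct.pack("<I", ip_num))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return str(ip), port


def members_from_cookie_header(header):
    """Map pool name -> decoded member for every BIGipServer<pool> cookie."""
    members = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith("BIGipServer"):
            members[name[len("BIGipServer"):]] = decode_bigip_cookie(value)
    return members


# Constructed Cookie header: one decodable value for the web pool from the
# thread, one opaque (encrypted-style) value for the other pool.
SAMPLE_HEADER = (
    "JSESSIONID=constructed123; "
    "BIGipServerpool_atlprdweb170-a=3121507850.36895.0000; "
    "BIGipServerpool_atlprdngn170-a=!constructed-opaque-value=="
)

if __name__ == "__main__":
    for pool, member in members_from_cookie_header(SAMPLE_HEADER).items():
        print(pool, "->", member or "not decodable (encrypted or other format)")
```

Because the unencrypted value reveals internal member addresses to any client, a `None` result on a production cookie is the expected outcome when encryption is configured.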

     

  • WithF5

    If you go to tmsh and type "show sys connection" you can see all current connections on F5. It will show you 4 columns. The first column is the IP of the client, the second column is the VS that the client is reaching, the third column is the self IP that F5 is using to send the traffic to the pool member, and the fourth column is the IP of the pool member...

     

    Be careful with this command: if F5 is receiving lots of connections it will show you several lines and it can load the CPU... I suggest you use grep to filter your search.

     

    If the answer is suitable for you, please, mark it as answer.

     

  • tmsh show sys connection has filters. Do not use this command without the filters. Don't feed tmsh show sys connection into grep, as this will still list all the connections on the F5 and then pass them to grep. Use the built-in filters cs-server-addr, cs-client-addr and so on to limit the output from the command. cs is for clientside, ss is for serverside. See the help for the command.

     

  • Please apply the oneconnect profile at the bottom of the virtual server properties window. Your iRule is attempting to load balance per http request so you will need this profile applied.

     

    • If the servers listed in two pools are the same then you can select the match across pools option in the persistence profile.