
Frojas
Oct 16, 2017

Persistence rebalance on F5

Hi Folks,

 

I'm working on the migration of a Cisco CSM to F5. All the virtual servers in the CSM have "persistence rebalance". In the migration we use a oneconnect profile with a 255.255.255.255 mask, but it presents a lot of problems with the web services that contain authentication in the digest.

 

Has somebody experienced something like this? If we don't use this mechanism, the connections on the real server side are too high.

 

I'm working on setting up a lab environment.

 

Best Regards, Felipe.

 

6 Replies

  • I did some quick research about the Cisco option, and it does look similar to oneconnect. However, I don't know enough about Cisco CSM to confirm that it works the same way as F5 oneconnect.

     

    With the mask of 255.255.255.255, only the same IP will reuse the connection. So, that is almost the same as not using oneconnect, in relation to what the server sees and the number of open connections.

     

    Have you tried without oneconnect?

     

    In case you have not read it yet, here is the oneconnect overview solution:

     

    https://support.f5.com/csp/article/K7208

     

    • Frojas

      Hi, sorry for the late answer.

       

      There will be two oneconnect profiles, one for SNAT (/24) and the other without SNAT (/32). In one HTTP request there are multiple connections, that's why we need to use oneconnect.

       

      In fact, we migrated a couple of vservers from Cisco CSM with persistence-rebalance to our F5 without a oneconnect profile, and the connections were four times higher.

       

      I was testing with a vserver, and with a oneconnect profile and no persistence profile I always get a 402 answer from my HTTP server. If I add a persistence profile like source address, it works fine, but I can't use source address because there will be a lot of connections using only one server forever. With cookie persistence the behavior is kind of weird, but there is a KB that indicates that we have to use an iRule to solve this (an ugly solution, I think).

       

      Checking the configuration in the Cisco CSM, I was looking for persistence profiles or something like that, but it only uses "persistence-rebalance", no source address or cookie or anything.

       

      I'm going to continue with the lab and see if something is missing.

       

      Thanks! Felipe.

       

    • Leonardo_Souza3

      "In one HTTP request there are multiple connections, that's why we need to use oneconnect."

       

      It is the other way around, multiple HTTP requests in the same connection.

       

      Here is the solution you were talking about in relation to cookie persistence:

       

      https://support.f5.com/csp/article/K7964

       

      As described in the solution, one option is to use oneconnect and another option is to use LB::detach.

       

      Oneconnect provides 2 important functions. First, it makes sure every HTTP request triggers a new load balancing decision. Second, it reuses the server-side connection.

       

      Persistence, on the other hand, is to make sure there is no new load balancing decision when you come back, so you go to the same server.

       

      Based on what you said, I guess oneconnect with cookie persistence looks to be a good option for your case.

       

    • Frojas

      Yes, I think I'm going to apply oneconnect with cookie persistence, and the iRule.

       

      But I'm going to open an SR, because in the CSM the only option in the virtual server is to use persistence-rebalance, and it works; in my F5, if I use oneconnect only, I get a 402 answer.

       

      Best Regards, Felipe.

       

  • If you just want to do "persistence-rebalance", I would recommend you write an iRule and use the LB::detach command.

    Persistence-rebalance simply does the following on Cisco: it makes a new load balancing decision for each HTTP request that the device receives. The default on Cisco and F5 is to make a load balancing decision for the entire TCP connection, not each individual HTTP request that comes over the connection. But in some cases it is necessary to load balance on each HTTP request. Cisco has persistence-rebalance, but in F5, you will need to do that in an iRule, and you would want something like this:

    when HTTP_REQUEST {
        LB::detach
    }
    

    As others have pointed out, you could try to use OneConnect for this, but OneConnect does much more than the persistence-rebalance command. OneConnect will also try to share backend TCP connections (i.e., you may have a bunch of clients on the front end, but all their HTTP requests are placed in the same backend TCP connection to the server). While that helps performance, it can also cause problems if you aren't architected for it. NTLM auth in particular has problems with this design if you aren't using NTLM connection pooling. Apps on the server may also get confused if they were written to assume that all traffic in a TCP connection is from the same user (this is the assumption NTLM makes, and why it has problems with OneConnect if you don't use the NTLM connection pool feature).

    Therefore, if you simply want to reproduce exactly what Cisco is doing and nothing more, I would recommend you go the iRule route with that LB::detach command.
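
The effect of the OneConnect source mask discussed in this thread, as an added example that is not part of any post and is not F5 code: a simplified Python model that counts how many server-side connections are opened and how many of them carried requests from more than one client, the case the last reply warns about for NTLM. The client IPs, server names and the round-robin, sequential-request behaviour are assumptions of the model.

```python
import ipaddress
from itertools import cycle

# Constructed sample: one entry per HTTP request, in arrival order.
REQUESTS = ["10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.1.5",
            "10.0.0.2", "10.0.0.1", "10.0.1.5", "10.0.0.2"]
SERVERS = ["s1", "s2"]  # hypothetical pool members


def simulate(client_ips, servers, source_mask):
    """Return (server-side connections opened, connections shared by >1 client).

    Model assumptions: a load-balancing decision (round robin) is made for
    every request, requests are sequential so a pooled connection is always
    idle, and a pooled connection to the chosen server is reused when the
    client IP ANDed with source_mask matches. source_mask=None means no
    pooling at all: each request gets a fresh server-side connection.
    """
    mask = None if source_mask is None else int(ipaddress.IPv4Address(source_mask))
    next_server = cycle(servers)
    pool = {}     # (server, masked source) -> client IPs seen on that connection
    opened = []   # one set of client IPs per server-side connection
    for ip in client_ips:
        server = next(next_server)
        if mask is None:
            opened.append({ip})
            continue
        key = (server, int(ipaddress.IPv4Address(ip)) & mask)
        if key not in pool:
            pool[key] = set()
            opened.append(pool[key])
        pool[key].add(ip)
    shared = sum(1 for clients in opened if len(clients) > 1)
    return len(opened), shared


if __name__ == "__main__":
    for m in (None, "255.255.255.255", "255.255.255.0", "0.0.0.0"):
        print(m, simulate(REQUESTS, SERVERS, m))
```

A non-zero second value marks connections on which a server that ties authentication to the TCP connection would see several users.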