Forum Discussion

Josh_Hildebran1
Jan 18, 2006

connection pooling proxies & cookie persistence

I did some sniffs of external and internal NICs on my BigIP and filtered by a single IP address which I believe to be a proxy server of some type.

I wrote an Ethereal filter that shows all the bad HTTP requests that are going to the wrong node, based on the cookie that is inserted by the F5 not matching with the node it was sent to.

It appears that this proxy server is doing TCP connection pooling and is just sending random requests down open connections to the same VIP IP address. And the F5 isn't looking at the cookies in each request to see if it needs to redirect the HTTP.Request to some other node. This is bad when there are numerous people/browsers all hitting our VIP from behind this proxy. Their requests are being randomized by the connection pooling done by their proxy server. That sort of kills my cookie-insert persistence!

I'm not sure what to do. What is the official or unofficial stance from F5 or others on this?

Clearly, I could probably write an iRule to make this one src IP go to a different pool. Perhaps a pool that has priorities set, so only one server is used at a time. But, I'd rather find a different way to handle it. This must be a common issue w/ all clients trying to use cookie persistence. I'd rather not have to make a list of naughty-connection-pooling-proxies for an iRule.

-Kyoo
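
The check described in the post above (F5-inserted cookie compared with the node that actually received the request), as an added example that is not from the thread or from F5. It assumes the default IPv4 cookie-insert encoding; the record field names, pool name and addresses are constructed.

```python
import ipaddress
import re
import struct
from collections import defaultdict

# Default BIG-IP cookie-insert value: "<ip>.<port>.0000", each number being the
# byte-reversed decimal form of the pool member's IPv4 address and port.
COOKIE_RE = re.compile(r"BIGipServer[^=;\s]*=(\d+)\.(\d+)\.\d+")

def decode_persistence_cookie(cookie_header):
    """Return (ip, port) of the pool member the cookie names, or None."""
    m = COOKIE_RE.search(cookie_header or "")
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None  # not the default IPv4 encoding
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_num)))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port

def find_misrouted(requests):
    """Requests whose cookie names a different node than the one that got them."""
    bad = []
    for req in requests:
        member = decode_persistence_cookie(req.get("cookie"))
        if member and member != req["node"]:
            bad.append({**req, "cookie_member": member})
    return bad

def pooled_connections(requests):
    """Client connections that carried cookies for more than one pool member."""
    seen = defaultdict(set)
    for req in requests:
        member = decode_persistence_cookie(req.get("cookie"))
        if member:
            seen[req["client"]].add(member)
    return {conn: members for conn, members in seen.items() if len(members) > 1}

# Constructed sample: one dict per HTTP request exported from a capture.
# "client" is the proxy-side source of the TCP connection (hypothetical field),
# "node" is the pool member the request was delivered to (hypothetical field).
PROXY_A, PROXY_B = ("192.0.2.10", 40001), ("192.0.2.10", 40002)
NODE_1, NODE_2 = ("10.1.1.100", 80), ("10.1.1.101", 80)
SAMPLE = [
    {"client": PROXY_A, "node": NODE_1, "cookie": None},  # first hit, no cookie
    {"client": PROXY_A, "node": NODE_1, "cookie": "BIGipServerweb_pool=1677787402.20480.0000"},
    {"client": PROXY_A, "node": NODE_1, "cookie": "JSESSIONID=abc; BIGipServerweb_pool=1694564618.20480.0000"},
    {"client": PROXY_B, "node": NODE_2, "cookie": "BIGipServerweb_pool=1694564618.20480.0000"},
]
```

A connection reported by `pooled_connections` is the signature of a pooling proxy: one TCP connection carrying the cookies of several users.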

 

4 Replies

  • Colin_Walker_12
    Historic F5 Account
    We here at DevCentral are the folks who work on the API (iControl) and the onboard packet inspector/scripting language (iRules). If you have a question about building iControl apps or writing iRules, this is the place for you.

    If this is an iRules related question, please provide us some more information, like the rule in question, and some of the configuration (pool, VIP, etc) surrounding the problem.

    If this isn't an iRules problem, then unfortunately, this isn't the place for product technical support. We simply aren't staffed to handle that side of things. You'll need to talk to the folks in our product support department for questions like these.

    They can be easily contacted here: https://websupport.f5.com/csp/logon.asp

    A good place to start looking for information is often http://tech.f5.com/askf5/jsp/combined/index.jsp

    Thanks,

    -Colin
  • I have the same problem. I'm using the BigIP to balance between my Portal servers and some back-end servers. When the BigIP sees an HTTP connection for the second time, it ignores the whole cookie insertion persistence logic.

    I'm looking at writing an iRule for this and saw your post. Didja figure it out?

    Thanks,

    James
  • Hi James.. I solved it, but not with an iRule. Here was the Tech Support response that helped me solve this issue.

    Hi Josh,

    You are correct in that BIGIP is not looking for cookies in connections once the session is established. This is by design, the idea being that once a session is established, there is no longer a need to make a load balancing decision (i.e., look for a cookie).

    However, with the OneConnect profile, we should be able to get BIGIP to inspect every header. I would like you to try the following:

    --create a custom OneConnect profile based on the stock OneConnect profile

    --adjust the source mask to 255.255.255.255

    --apply this new OneConnect profile to your virtual and retest.

    This should force BIGIP to inspect for cookies.

    Here is some information on OneConnect for you:

    http://tech.f5.com/home/bigip-next/manuals/bigip9_2_2/bigip9_2_2config/BIG-IP_9_2_2ltm_guide-06-1.htmlwp1187154

    Let me know how it goes.

    Thanks!

    Lynn Curtis

    F5 Networks Support | www.f5.com

    International: +800-11275435 | USA: 1-888-882-7535

  • Josh,

    Thanks for the help - I had actually arrived at this fix independently, but verification is great!

    Thanks again,

    James