iRule resulting in too many redirects
I have two requirements with my virtual server:

1. A redirect to /pc/service/SSOLogin
2. 24 hour persistence based on the JSESSIONID cookie in the request header.

The first one was accomplished early on with a policy that redirects to location '/pc/service/SSOLogin' at request time. This has worked without any issues until I tried to implement the JSESSIONID persistence. To accomplish the second, I created an iRule to be used with the Universal persistence profile. When I implemented this persistence profile, the redirect policy no longer worked. My assumption was that the iRule and the policy were conflicting with each other. To resolve this, I created a single iRule to handle both of these requirements. Now, I am getting too many redirects. The iRule is below.

    when HTTP_RESPONSE {
        ## PERSISTENCE
        # If the JSESSIONID exists, we'll pass the cookie along
        if { [HTTP::cookie exists "JSESSIONID"] } {
            persist add uie [HTTP::cookie "JSESSIONID"] 86400
        }
    }

    when HTTP_REQUEST {
        ## PERSISTENCE
        # If the JSESSIONID exists, we'll maintain that persistence
        if { [HTTP::cookie exists "JSESSIONID"] } {
            persist uie [HTTP::cookie "JSESSIONID"]
        }

        ## REDIRECT
        # This grabs the base url from the incoming request
        # For Example, https://my.site.com/some/path the base_url is set to https://my.site.com
        set base_url "https://[HTTP::host]"

        # Defining the new path
        set new_path "/pc/service/SSOLogin"

        # Construct the new URL
        # For example, https://my.site.com/pc/service/SSOLogin
        set new_url "$base_url$new_path"

        # Redirect to the new URL
        HTTP::redirect $new_url
    }

103 Views, 0 likes, 6 Comments

Pool round Robin not working with standard virtual server
I have a standard HTTPS virtual server configured with two nodes in the pool. There is no persistence setting enabled and the load balancing method is round robin. For some reason, after I browse to the site and establish a connection with a backend server in the pool, all my future requests go to the same server and it behaves in a way that indicates some persistence is enabled. For example, when I refresh my browser, open the site in a new browser, and open the site in an incognito browser, all my requests keep going to the same node. You can see below that I tried this multiple times and kept getting connected to one server and the number of connections on that server was increasing.

According to my research, because there is no persistence profile setting, the load balancing method is round robin, and both servers are available and able to accept traffic, every time I refresh or open the site in a new tab or browser, I should be randomly assigned to a server for that connection via round robin load balancing. But this is not what I observe. Is there a reason that my virtual servers are showing persistence by default? Any ideas? Here are some images of my config:

Solved, 208 Views, 0 likes, 6 Comments

Ratio (Session) and Least Sessions
Hello,

I wanted to fully understand the Ratio(Session) load balancing method. I was reading the description of load balancing methods here and about the Least Session here. I came across this question in the forums, but the links are old and it doesn't provide a clear answer.

I want to know what exactly is considered a session in the Ratio(Session). It's mentioned for the Least Sessions that it depends on a Persistence profile (least number of entries in the persistence table) to determine the sessions for each pool member, for example HTTP cookie determines the session in this case. Is it the same case for Ratio(Session)? What is meant by a session exactly in the Ratio(Session) and is there a real-world example for this case?

In this article, it's mentioning that Ratio(Session) is used for protocols that transmit multiple messages over the same connection. Is this the same case for HTTP, for example using Cookie persistence like Least Sessions? It's not very clear to me how the system will count sessions if it's not based on persistence like the Least Sessions.

When I applied this load balancing method to a pool with multiple members, I noticed the requests were going to one member only.

Thanks

829 Views, 0 likes, 4 Comments

Multiple method persistence
Hello.

I need to set up load-balancing for a visio application, which is quite complex, as I don't need just to ensure session persistence for a single user, but for multiple users participating in the same conference. According to my understanding of the reference documentation, I need to use a universal persistence profile (or eventually a hash persistence profile, as it only differs by hashing the lookup value), and write an iRule, such as:

    when HTTP_REQUEST {
        # extract roomID from room parameter in query string
        set roomID [getfield [URI::query [HTTP::uri] room] "@" 1 ]
        if { $roomID != "" } {
            persist uie $roomID 3600
            log local0. "Using Jitsi room ID $roomID for persistence: [persist lookup uie $roomID]"
        }
    }

Once a corresponding persistence profile is assigned to the virtual server, it works as expected.

However, I also have to ensure persistence for authentication requests, this time with more classical requirements, i.e. every authentication request for a given user must reach the same pool node. I first considered the use of a fallback persistence profile (either cookie, ssl, or source address), so as to keep the iRule simple. However, the documentation discourages using fallback persistence for this purpose:

    "If Fallback persistence becomes the chosen persistence method, a Default persistence entry will not be created for the client connection until the Fallback persistence idle timeout period expires. Because of this, Fallback persistence may appear to override Default persistence and may not be a good choice. See Recommendations, following, for additional information."

So I added another clause in my iRule, still using the uie method, but with the client address as lookup key, hence reinventing simple persistence:

    if { [HTTP::path] starts_with "/Shibboleth.sso" } {
        persist uie [IP::client_addr] 3600
        log local0. "Using client IP adress for persistence: [persist lookup uie [IP::client_addr]]"
    }

According to the documentation, I may be able to mix persistence methods in a single iRule (one of the examples given here mixes source_addr and cookie methods), but some of those methods (ssl, msrdp, cookie) also require a corresponding persistence profile assigned to the virtual server, whereas I already use a universal persistence profile.

So basically, I'm a bit lost among multiple options, especially the relation between persistence profiles and persistence methods, and I have a few questions:

- Is there any recommended practice for using multiple persistence methods in a single iRule?
- If only ssl and cookie methods require a corresponding profile, what is the interest of using a universal persistence profile, instead of just assigning the persistence iRule to the virtual server?
- If I'm assigning a cookie persistence profile and a persistence iRule using the uie method to the same virtual server, how will persistence work?

I hope I have been clear enough 🙂 Thanks for your interest.

841 Views, 0 likes, 3 Comments

source IP and source Port persistence using irule - Citrix - (carp vs uie)
Hi,

We ran into an issue of uneven load-balancing due to using Citrix. Clients end up using the same IP so we decided we need to start load-balancing using the source port as well. I have done my homework and searched around until I came across multiple solutions of either using uie or carp. I have multiple questions I will hopefully get answers for.

- I understand carp doesn't have a timeout, so that leads to a question: is it better to use in this situation?
- Also we are leaning towards load-balancing using least connections. Would each algorithm limit to a specific load-balancing method?
- Per my iRule below I don't add persist, assuming it is done automatically. Am I wrong with that assumption? Should I be adding each successful persistence record?
- What would be the best way to test such an implementation?

Here is the iRule I'm about to implement.

    when CLIENT_ACCEPTED {
        set client_ip_port "[IP::client_addr]:[TCP::client_port]"
        if {[TCP::client_port] and [IP::client_addr] !=0} {
            persist carp $client_ip_port
        }
    }

451 Views, 0 likes, 1 Comment

Redirect to pool member based on URI with persistence
We are implementing Kronos 8 with SSL offloading on our LTM. The SSL offload options in Kronos force all traffic through the LTM so our Kronos admin can no longer hit the application directly on the individual servers. To accomplish this I need to direct traffic directly to the pool member based on URI. I also need to append /wfc/logon to all URIs. I have built an iRule based on examples I have found here, but it doesn't work correctly. It lands on the initial logon page correctly, but after the logon doesn't persist to the pool member.

Process I am trying to accomplish:

    http://kronos.xxx.edu/ap1 -> https://kronos.xxx.edu/wfc/logon on pool member 1
    http://kronos.xxx.edu/ap2 -> https://kronos.xxx.edu/wfc/logon on pool member 2
    http://kronos.xxx.edu/ -> https://kronos.xxx.edu/wfc/logon default LB for clients

Allow server selection via uri

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "ap1" } {
            HTTP::uri "/wfc/logon"
            pool Kronos member 192.168.1.121 80
        } elseif {[HTTP::uri] contains "ap2"} {
            HTTP::uri "/wfc/logon"
            pool Kronos member 192.168.1.122 80
        } elseif {[HTTP::uri] eq "/"} {
            HTTP::uri "/wfc/logon"
            pool Kronos
        }
    }

Any suggestions are greatly appreciated.

758 Views, 0 likes, 2 Comments

Loadbalancing a 2-stage proxy environment - persistence problems
Hello fellow F5-experts,

My situation: I try to loadbalance Web-Proxy traffic. In general it seems to work, but we've run into some problems relating to websites with weird session handling. I sketched up the environment in the following image.

A client uses VS-A as its HTTP proxy. This VS loadbalances to two of our own proxies in Pool A. Those are not transparent, so outgoing traffic toward their upstream proxy (VS-B) will have the Pool A node's IP as source address. The proxies use the HTTP: Connect method. VS-B, on the other hand, has a Pool B attached with a lot (as in really a lot) of other proxy servers that are not under our control (but are trustworthy, and have to be used. No way around it).

VS-A:
- Type: Standard
- HTTP-Profile: http-transparent (to be able to use LB method Fastest (node))
- Source Address Translation: none
- Default Persistence Profile: source_addr

Pool A:
- LB Method: Fastest (node)

VS-A:
- Type: Standard
- HTTP-Profile: http-transparent (to be able to use LB method Fastest (node))
- Source Address Translation: SNAT
- Default Persistence Profile: none

Pool B:
- LB Method: Fastest (node)

Problem: On some websites, people complain about losing their sessions. I tracked it down to the VS-B, which cannot persist connections to a website to the same node in Pool B. Since the VS-B does not see the original client IP, but only the 2 proxy IPs, I have no idea how to establish a proper persistence. For a very important website, I wrote an iRule that "hard-binds" to a single node in Pool B, based on the HTTP:URI.

My question: Is my config viable at all? Or what should I change? I read a lot of articles here, but I never had the feeling that those met my situation with the "2-stage" proxy environment. I was thinking about adding an HTTP header with the original client IP by an iRule in VS-A so I have something to make a persistence decision in VS-B, but I'm not sure how to do that. I also often read about applying the OneConnect profile combined with proxy loadbalancing, but I don't think I really understood the reason and/or benefit, nor do I know where to apply it in this environment.

I hope I made it somewhat clear what I try to accomplish and where the problems are, since English is not my mother language and I'm a bit rusty using it. Any help or hint is very much appreciated.

Thanks in advance, ichnafi

EDIT (28th Feb): I just found out that the desired website can be acquired from the HTTP::host header even by VS-B. So would it be possible to establish a persistence for the combination of client IP and HTTP::host header?

EDIT2: Possible Solution found (1st Mar): I currently ended up with an iRule creating a universal persistence based on the HTTP::host header. The iRule is then bound to a universal Persistence-Profile. The iRule looks like this:

    when HTTP_REQUEST {
        persist uie [HTTP::host]
    }

I'm thinking of maybe creating a custom header that contains a combination of the client_ip and http:host values to get an even more definite persistence, but I'm not quite sure about that. What do you guys think?

788 Views, 0 likes, 12 Comments

F5 DNS Wide-IP Persistence
Hi,

Does anyone know the limit, either in cache size or numerical limit, of Wide-IP Persistence once it is turned on? I can't seem to find this specific number anywhere. I have found that you can run show gtm persist to print your persistence list, but that doesn't display a hard limit either.

TIA!

218 Views, 0 likes, 0 Comments

Share source address persistence across different VS, pools using unique IP addresses
I am looking for a way to share the source address persistence across virtual servers with different IP addresses and different pools assigned using different IP addresses. Likewise the built-in functionality match across services / pools or virtual servers will not work in this case. The customer uses the NetIQ IAM solution that has this specific requirement. Let me explain:

    VS1 1.1.1.1:443 --> pool 1
      -- Pool member 10.0.0.1 (physical server A)
      -- Pool member 10.0.0.2 (physical server B)

    VS2 2.2.2.2:443 --> pool 2
      -- Pool member 10.0.0.3 (physical server A)
      -- Pool member 10.0.0.4 (physical server B)

The web application always communicates first to VS1 and goes to pool 1 and for example chooses 10.0.0.1. Source address persistence is applied and stored in the persistence table. After that the client immediately communicates to VS2 and should also arrive on the same physical server A.

So my idea was to create global variables using iRules and save the persistence information in there, and create an additional variable to save the client IP address.

Irule1 used for VS1:

    set ::Poolmember [persist lookup source_addr [IP::client_addr] node]
    set ::ClientIP [IP::client_addr]

Irule2 used for VS2:

In the second VS we compare the value of the global variable $::ClientIP with [IP::client_addr] and search for the pool member in the persistence table (we have to know the persistence information of the VS1 connection). If the source IP is the same then we should change the load balancing decision so it will be sent to the same physical server A, in this case 10.0.0.3.

    if { ($::ClientIP == [IP::client_addr]) && ($::Poolmember == "10.0.0.1") } {
        LB::reselect node 10.0.0.3 443
    }

There are some shortcomings to this setup I believe, as the global variable could be overwritten with a different source IP if there are several concurrent sessions.

PS: Active passive is not an option as they need capacity.

Does anyone have a better idea that fits this specific requirement?

Thanks, Marvin

273 Views, 0 likes, 2 Comments

Persistence options for UDP Application
Hey Fellas,

I scoured the forums to find some info on achieving persistence for udp applications. The VS I am using is standard, but the protocol profile is UDP with least conn - member as the load balancing algorithm. I applied the default universal persistence profile and this iRule but could not see any persistence records using show ltm persistence persist-records virtual

    when CLIENT_ACCEPTED {
        set src_IP [IP::client_addr]
        if { [session lookup uie $src_IP] equals "" } {
            session add uie $src_IP [UDP::remote_port] 1800
            log local0. "added client port [session lookup uie $src_IP] for client ip $src_IP "
        } else {
            log local0. "existing client port [session lookup uie $src_IP] for client ip $src_IP"
        }
    }

Do I have to apply this iRule to the VS or to the universal persistence profile itself? The profile also has an option to include an iRule!

574 Views, 0 likes, 2 Comments