John_Masgalas_4
Jun 19, 2008

iRule for persistence table entries

We are load balancing 5 terminal servers and using the F5 persistence table to keep track of sessions. We have run into an issue where users that log in from a Linux-based RDP client are getting a persistence table entry of username@domain.local. When those same users log in from a Windows RDP client, they are getting an entry of just their username. This results in them not always getting sent to the correct server so that they can resume their disconnected session. How could I write an iRule that either strips the domain.local from sessions that have it or adds it to sessions that do not have it? I would rather strip it from the ones that do. Is this possible and could someone help me out with it? Thanks.

19 Replies

  • Sure thing. One note, though. It appears that the cookie only holds 9 characters, so if the username is longer than that, the uniqueness of the user will need to be determined in the first 9 characters. Also, the else wasn't matched to the correct if clause, so I moved it. This should meet both conditions correctly:

     
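     when CLIENT_ACCEPTED {
       TCP::collect
     }
     when CLIENT_DATA {
       TCP::collect 25
       # Skip the first 11 bytes of the payload; the RDP cookie should follow
       binary scan [TCP::payload] x11a* msrdp
       log local0. "Contents after binary scan: $msrdp"
       if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
         set msrdp [string range $msrdp 17 end]
         set len [string first "\n" $msrdp]
         if { $len == -1 } {
           # Cookie line is not complete yet; collect more data
           TCP::collect
           return
         }
         if { $msrdp contains "@" } {
           if { $len > 5 } {
             incr len -1
             log local0. "Data Persisting on: [getfield $msrdp "@" 1]"
             persist uie [getfield $msrdp "@" 1]
           }
         } else {
           # Persist on the username only, without the trailing CRLF and any
           # bytes after it, so the key matches the one from the "@" branch
           persist uie [string trim [string range $msrdp 0 $len]]
         }
       }
       TCP::release
     }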
     
  • This works! Thanks elah! Only two questions though. I see that it saves it as universal mode instead of msrdp. Will this affect anything? Also in the persistence settings I have the timeout set for 3 hours. Will this rule affect that? Thanks again!
  • I verified that it does not hold the persistence for 3 hours. In the original persistence setting I had it set for Mirrored Persistence, 10800 second timeout, and No session directory. How can I set these options in the iRule?
  • Yes, it will be uie persistence instead of msrdp persistence, but that shouldn't matter. To persist for 3 hours, change the rule to this:

     
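     when CLIENT_ACCEPTED {
       TCP::collect
     }
     when CLIENT_DATA {
       TCP::collect 25
       # Skip the first 11 bytes of the payload; the RDP cookie should follow
       binary scan [TCP::payload] x11a* msrdp
       log local0. "Contents after binary scan: $msrdp"
       if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
         set msrdp [string range $msrdp 17 end]
         set len [string first "\n" $msrdp]
         if { $len == -1 } {
           # Cookie line is not complete yet; collect more data
           TCP::collect
           return
         }
         if { $msrdp contains "@" } {
           if { $len > 5 } {
             incr len -1
             log local0. "Data Persisting on: [getfield $msrdp "@" 1]"
             # 10800 seconds = 3 hour persistence timeout
             persist uie [getfield $msrdp "@" 1] 10800
           }
         } else {
           # Persist on the username only, without the trailing CRLF and any
           # bytes after it, so the key matches the one from the "@" branch
           persist uie [string trim [string range $msrdp 0 $len]] 10800
         }
       }
       TCP::release
     }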

  • Oh, and once you get everything working as you like, I'd disable the logging statements if you don't need them for tracking purposes.
  • Thanks elah. Will the above rule also set Mirrored Persistence? I think I will leave logging on for a bit just to watch over what happens. Thanks for all your help though. You guys are all great!
  • As long as you have enabled mirroring on the virtual server configuration you should be fine.
  • UnRuleY is the man (his code); I just trimmed it up...glad it's working for you.
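
The key derivation the rule in this thread is meant to perform, as an added Python example that is not part of the original posts: it extracts the `mstshash` cookie from constructed RDP connection requests so you can check offline that `user` and `user@domain.local` map to the same persistence key. The helper names (`persistence_key`, `make_request`) and the sample username are assumptions made for the illustration.

```python
# Added example: offline check of the persistence key the iRule should derive.
# Helper names and sample usernames are constructed for illustration.
COOKIE_PREFIX = b"cookie: mstshash="
HEADER_LEN = 11  # TPKT (4 bytes) + X.224 connection request header (7 bytes)


def persistence_key(payload: bytes):
    """Return the username to persist on, or None if no complete cookie line."""
    body = payload[HEADER_LEN:]
    if body[:len(COOKIE_PREFIX)].lower() != COOKIE_PREFIX:
        return None  # no mstshash cookie, nothing to persist on
    value = body[len(COOKIE_PREFIX):]
    end = value.find(b"\n")
    if end == -1:
        return None  # cookie line incomplete; the iRule collects more data here
    name = value[:end].rstrip(b"\r").decode("ascii", errors="replace")
    return name.split("@", 1)[0] or None  # drop "@domain.local" if present


def make_request(cookie_value: str, with_neg_req: bool = True) -> bytes:
    """Build a constructed RDP connection request carrying the given cookie."""
    cookie = b"Cookie: mstshash=" + cookie_value.encode("ascii") + b"\r\n"
    neg_req = bytes([1, 0, 8, 0, 3, 0, 0, 0]) if with_neg_req else b""
    x224 = bytes([6 + len(cookie) + len(neg_req), 0xE0, 0, 0, 0, 0, 0])
    total = 4 + len(x224) + len(cookie) + len(neg_req)
    tpkt = bytes([3, 0, total >> 8, total & 0xFF])
    return tpkt + x224 + cookie + neg_req


if __name__ == "__main__":
    for value in ("jsmith", "jsmith@domain.local"):
        print(repr(value), "->", repr(persistence_key(make_request(value))))
```

The bytes that follow the cookie line in the constructed request are why the key has to be cut at the line end before it is used for persistence.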