Hello Team, I have just found i can create persistence entry using two variables example: persist uie "$var1:$var2" But not sure how can later use it. Is it possible to hit it if matching $var1 OR $var2 ? Or maybe i have to match both $var1 AND $var2 ? How it works ? Do i have any control over that ? I need to have "OR" logic because subsequent flows/protocols might not contain both - but just one matching attribute/variable. Thanks, Michal

Hi Michal, considering that you need an UIE persistence, I think that you need to create two persistence records separately and after that, test if exists persistence for those keys with "persist lookup uie". But you need to ensure that during the first, you have both $var keys, otherwise you may persist in two places. Am I wrong? What do you think about it? [ ]

Hi Cjunior, Thank you for the answer. Indeed i have the same conclusions - i need two persistence records. But how to create two persistence records ? I have my data only in client request (not server response). When i have tried to create two persistence records in CLIENT_ACCEPTED or SERVER_DATA using "persist uie" or "persist add uie" always only the last one was created. What are the limitation for creation of 2 persistence records ? I would like to achieve: - on client request: check if there is persistence for $var1 - if yes follow - on client request: check if there is persistence for $var2 - if yes follow - on client request: create/update persistence record for $var1 - on client request: create/update persistence record for $var2 Possible ? Thanks, Michal

Hi Michal, if you want to persist on a combination of parameters it will be required to match exactly. when HTTP_REQUEST { log local0. "[IP::client_addr]:[URI::query [HTTP::uri] param1]" persist uie "[IP::client_addr]:[URI::query [HTTP::uri] param1]" } I.e. you try to persist on combined client IP and a query parameter. Now watch your persistence table (specify mode and the virtual server to limit output; the all-properties parameter just dispays some more details i.e. record age): watch -d 'tmsh show ltm persist persist-records mode universal virtual vs_51 all-properties' Sys::Persistent Connections universal - 10.131.131.51:80 - 10.131.131.64:80 ------------------------------------------------- TMM 1 Mode universal Value 10.131.131.176:abc Age (sec.) 36 Virtual Name /Common/vs_51 Virtual Addr 10.131.131.51:80 Node Addr 10.131.131.64:80 Pool Name /Common/pool_distribution_service Client Addr 10.131.131.176 Owner entry universal - 10.131.131.51:80 - 10.131.131.63:80 ------------------------------------------------- TMM 1 Mode universal Value 10.131.131.176:hij Age (sec.) 24 Virtual Name /Common/vs_51 Virtual Addr 10.131.131.51:80 Node Addr 10.131.131.63:80 Pool Name /Common/pool_distribution_service Client Addr 10.131.131.176 Owner entry Total records returned: 2 Whenever the value ist matched, the associated poolmember will be reselected. Use i.e. cURL to play with query parameters: curl -v http://10.131.131.51/path?param1=hij Thanks, Stephan

Hi Stephan, Thank you for that example. But i do not want AND ("combination of parameters") but OR logic. Real example: - Incoming Radius Access-Request with Calling-Station-ID create persistence for Calling-Station-Id - Incoming Radius Accounting-Request with Calling-Station-ID should be redirected to the same node (as per persistence) but at the same time i would like to create a new persistence record based on Framed-IP-Address attribute - Incoming HTTP traffic: take source ip and match with persistence entry for Framed-IP-Address Radius (Authentication + Accounting) is one virtual server, HTTP is the other. How would you prepare iRules for both ? Thanks, Michal

Sorry, I still don´t get it. I guess the virtual server for HTTP is mapped to a pool of webservers. These servers are not identical with your AAA servers,right? Where is the information in RADIUS about the pool member to select for your web application?

iRule: persist uie "$var1:$var2"

19 Replies

teknet7_237497
Nimbostratus
Dec 20, 2015
Hi Stephan,

Yes have confirmed all of that. I am using just one pool member right now. Radius client is my own code (http://sourceforge.net/projects/radiustest/) - i am sending just a single Access-Request with 11:11:11:11:11:11 as calling-station-id and 1.2.3.4 as framed-ip-address and getting the result:

: session table entry added: : session table lookup result for calling station ID of 11:11:11:11:11:11: 172.16.34.100 : lookup match: 172.16.34.100 : session table entry added:
That is with the following irule:

when LB_SELECTED { log local0. "session table entry added: " session add uie "persist:[RADIUS::avp 31]" [LB::server addr] } when CLIENT_DATA { log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]" if {[session lookup uie "persist:[RADIUS::avp 31]"] ne ""} { log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]" node [session lookup uie "persist:[RADIUS::avp 31]"] log local0. "session table entry added: " session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr] } }
Logs looks nice but how can i check the results ? Persistence and sys connection tables are empty. And i do suspect it's not working correctly because if i add a second member to the pool (172.16.34.101), and send two identical radius packets the second one is going to the second pool member:

: session table entry added: : session table lookup result for calling station ID of 11:11:11:11:11:11: 172.16.34.101
So it looks like there is no session and we always start a new session and adding new session table entry (using session add from LB_SELECTED) instead of reusing the same node for which we do have that session already.

Also why we do use "node" in CLIENT_DATA if that is displayed by the logs after LB_SELECTED ? Should not we stick/persistent the session before we do create persistence entry/session entry (to be sure we do hit the one which was created previously) ?

Thanks, Michal
- StephanManthey
  MVP
  Dec 20, 2015
  Hi Michal, please change the rule for accounting as follows by replacing the line of: session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr] with the following: session add uie "persist:[RADIUS::avp 8]" [session lookup uie "persist:[RADIUS::avp 31]"] Now a new table entry will be created using the "persist:(framed-ip)" as key with a value of the pool member IP. This table entry will be used by a third iRule associated with your virtual server for web: when HTTP_REQUEST { log local0. "session table lookup result for web client of [IP::client_addr]: [session lookup uie "persist:[IP::client_addr]"]" if {[session lookup uie "persist:[IP::client_addr]"] ne ""} { node [session lookup uie "persist:[IP::client_addr]"] } } Assuming the client with the IP address matching the framed IP found in RADIUS will send a http request. Now the session table will be looked up for a key matching "persist:(web-client-ip)". The entry will be found and the value retrieved to pick the right pool member. Thanks, Stephan PS: Edited to fix formatting ...
- Joad
  Nimbostratus
  May 04, 2017
  Hello,
  
  is it also possible to create a persistence iRule based on both Calling-station-ID and Audit-Session-ID ?
  
  Thanks in advance
  
  Regards
- RaghavendraSY
  Altostratus
  Mar 01, 2019
  Try below iRules:
  
  With client IP and HTTP host:
  
  when HTTP_REQUEST { persist uie "[IP::client_addr]:[HTTP::host]" }
  
  (If you want to specific URI)
  
  when HTTP_REQUEST { persist uie "[IP::client_addr]:[URI::query [HTTP::uri] param1]" }

Forum Discussion

iRule: persist uie "$var1:$var2"

19 Replies

Recent Discussions

F5 ASM logging profile to specify source IP

Portal Access to HTTPS resources slow

Cannot login to Avaya wanx using f5 apm network access

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

XFF Universal Persistence iRule

Decoding the IPv4 address from the persistence cookie

Disable cookie persistance in irule

SOCKS5 SSL Persistence

Weblogic JSessionID Persistence