HTTP/HTTPS Asymmetric-Routing iRule

Hello All,

Appreciate your help on the requirement ,,

Two sites with HTTP, HTTPS, and alt-HTTP proxying services (stateful flow) might have asymmetric traffic flow, which will break the established sessions.

I think of building two iRules (Internal & External) which will do the following:

  • Internal iRule: set some flag on the sessions initiated by the proxy-server; i.e. tag "Local-Site".
  • External iRule: check the manipulated flag; if the tag is matching "Remote-Site", forward the traffic to a specific gateway_pool.

If the above logic and iRule works, I would like to know:

  • which flag can be used to fulfill the requirement, and whether changing this flag would cause any issue from the application layer perspective.
  • any expected performance-degradation by applying this simple iRule on +60Gbps traffic-volume. (LTM v11)

Thanks & BR, Aziz


Answers to this Question

Comments on this Answer
Comment made 15-Apr-2014 by Gbps 17
Thanks for your response ,, I don't think it would work. As per my quick reading and understanding, the nPath solution is to bypass servers' responses from getting back to the BIG-IP. I have Internet-Proxies behind my LTMs in both sites to serve the customers transparently, and each proxy will use the same customer IP to reach the Internet. I was thinking if there is any method we can manipulate on HTTP headers for example (of course not applicable for HTTPS) as most of the services configured on the LTMs are HTTP or alt-HTTP; i.e. 80, 8000, 8008, 8080, etc. If we can manipulate the HTTP header in some way to stamp the packet with a specific value "Site-ID", and make sure this stamp/mark will not be overridden by any web server in the Internet, I believe this will do the job. Thanks & BR, Aziz

OK I just saw "asymmetric traffic-flow" without reading much further.

I don't really understand what you are trying to do, however in general an HTTP request header insertion is a good way to signal to downstream VIPs or HTTP devices.


Hi,

two ideas come to my mind:

1) is it feasible to use cookies for session persistence, as you just use http?

2) basically you can create and insert a custom http header with an iRule. You could insert the client IP or a random number with "HTTP::header insert" and write it into the header with "[HTTP::header <my-custom-http-header-field1>]". But I guess you need to do this for every LTM and create a rule if the header field 1 or 2 exists and if yes forward the client request to the corresponding backend servers.

cheers, wizz

Comments on this Answer
Comment made 16-Apr-2014 by Gbps 17
Thank you all for your inputs ,, really valuable ,, So, couple of things I would like to confirm:

  • Would the "HTTP::header insertion" method be applicable for HTTP and alt-HTTP services; i.e. 80, 8080, 8000, etc.?
  • Whether this HTTP insertion would be overridden by any web server, or it will be there for the whole session?
  • Provide an iRule example; one to insert a random number, and the other to match that random number.
  • Is there any other idea that would be applicable for HTTPS? Personally I don't think so.

Thanks & BR, Aziz

Alright, let's go through your points:

1) you can insert http headers as long as the protocol is http, no matter if you use the standard tcp port 80 or anything else

2) if you use a custom http header field the web server should not modify it at all. maybe if you use something like the X-Forwarded-For header field it could be used and adapted by web servers for different reasons

3) Unfortunately I'm not the greatest programmer, but I can think about this. Maybe someone from the community could do his magic? :-)

4) do you perform SSL offloading on the BigIP? Otherwise it will be tricky. Depending on how much https traffic you are facing, you could balance all https traffic through one path (but I'm not sure if you can apply automatic failover in this case) or you could use session cookies. Of course if the client or browser do not support cookies this will not work either. Maybe for https session cookie with fallback to source IP can be applicable.

cheers, wizz

Comments on this Answer
Comment made 16-Apr-2014 by Gbps 17
Thanks Wizz for the information ,, We're not doing SSL offloading, hence, I think it's not possible. If I cover HTTP traffic by this iRule it would be great. Hopefully someone will help us on this. BR, Aziz
Comment made 16-Apr-2014 by Gbps 17
mmm ,, this won't work as the connection establishment or TCP-only control packets won't be applicable for this HTTP::header insertion. However, there is another way I'm thinking of, which would solve the issue. Is the iRule capable of tracking the active connection through LTM; i.e. if the connection is active, then proceed with normal behavior; if not (which means it reached the wrong LTM), then take X action. Thanks & BR, Aziz
Comment made 16-Apr-2014 by Manuel 210
sorry I don't really get the point with "TCP-only control packets". Do you perform only tcp load balancing? Basically you can refer to tcp statements, as well as to http in iRules - everything is possible :-) I'm just not sure, if this will solve your problem, but anyway you can have a look at this documentation: https://devcentral.f5.com/wiki/iRules.TCP.ashx best regards

just wondering what http/https asymmetric routing means.

is it something like one user sending requests to both sites (e.g. request1/response1 goes to site1 but request2/response2 goes to site2)?

Comments on this Answer
Comment made 16-Apr-2014 by Gbps 17
Hello, No, it's asymmetric in the Egress-Flow (From the end-user to Internet) and Ingress-Flow (From the Internet to end-user). The Egress traffic (upload) is going to one site, and the Ingress traffic (download) is going to a different site. This is correct under some failure scenario in the network. Note that; this is all transparent to the end user. Both sites have Proxies behind the LTM; so from the networking part I can get the traffic back to the right site by an idea but I'm not sure if I can achieve it through an iRule. I need the LTM to check the Ingress-Traffic if it comes from specific source-ports and this traffic is not showing in the connection-table, then it will forward the traffic to another pool. Thnx, Aziz

No, it's asymmetric in the Egress-Flow (From the end-user to Internet) and Ingress-Flow (From the Internet to end-user). The Egress traffic (upload) is going to one site, and the Ingress traffic (download) is going to a different site.

i assume it is like syn is going to one site but syn/ack is going to another.

there are loose initiation and loose close in fastl4 profile.

The FastL4 profile determines how the system handles the connection table entries. Enabling the Loose Initiation option allows the system to initialize a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation.

The Loose Close option allows the system to remove a connection when the system receives the first FIN packet from either the client or the server.

sol7595: Overview of IP forwarding virtual servers
http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html

anyway, i am thinking how we can differentiate between the first correct-site request and the wrong-site request? after receiving the wrong-site request, bigip will add it into connection table as well. that means in connection table, it will contain both correct-site and wrong-site connections.

Comments on this Answer
Comment made 17-Apr-2014 by Gbps 17
That's exactly what I'm looking for ,, initially I thought it's something straightforward using iRule but it's not. It's getting complicated as the new VS I have created (AR_VS:0.0.0.0:0) with both loose initiation/close enabled seems to cover some established sessions through the LTM; i.e. with no asymmetric routing. For the point you raised that wrong connection will be moved to conn-table, I think it could be overcome if they persist with GW_Pool we are forwarding to (still I'm not sure). But why this new VS covers some established connections and how can we eliminate this. LTM VSs as following:

  • 0.0.0.0:80 (external)
  • 0.0.0.0:443 (external)
  • 0.0.0.0:8080 (external)
  • 0.0.0.0:0 (internal - forwarding)

Note that most of the sessions covered by the new VS are part of the forwarding_VS on internal vlan. Thnx for help, Aziz
Comment made 17-Apr-2014 by Gbps 17
Would the fact that forwarding VS doesn't build/maintain any connection in conn-table the reason behind these hits on the iRule? If yes, I would replace it with Performance (L4) VS. Aziz

But why this new VS covers some established connections and how can we eliminate this.

i understand it creates entry in connection table unless we set immediately idle timeout. in that case, we need 2 virtual servers; one handles request and the other one handles reply.


What if we apply two iRules; one in the forwarding_VS (internal) and other on the new Perf_VS with FastL4 profile (External). I didn't get your point in your last post; but mostly the traffic subject to asymmetric routing is the reply traffic (Internet to LTM).

iRule#1 (internal)

when CLIENT_ACCEPTED {
    set Bypass 1
    log local0. "EST_CON IP: [IP::client_addr] TCP: [TCP::client_port]"
}

iRule#2 (external)

when CLIENT_ACCEPTED {
    # $Bypass is unset on connections where iRule#1 did not run; referencing it
    # without the existence check raises a Tcl error and aborts the iRule
    if { [info exists Bypass] && $Bypass == 1 } {
        return
    }
    switch -glob [TCP::local_port] {
        "80" -
        "443" -
        "8080" {
            pool AR-GW
            log local0. "AR_CON IP: [IP::client_addr] TCP: [TCP::client_port]"
        }
        default {
            drop
            log local0. "DR_CON IP: [IP::client_addr] TCP: [TCP::client_port]"
        }
    }
}

Thnx, Aziz


is this what you are talking about?


if yes, can you try something like this?

wildcard forwarding virtual server with loose initiation, loose close and disabling reset on timeout on internal vlan.

ltm profile fastl4 fastl4_internal {
    app-service none
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

and wildcard virtual server with loose initiation, loose close and immediate idle timeout on external vlan and use another site's proxy as a pool.

ltm profile fastl4 fastl4_external {
    app-service none
    idle-timeout immediate
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

for symmetric request/response, virtual server on internal vlan will handle it. the response won't hit virtual server on external vlan because connection is already in connection table (it is created when request is processed).

for asymmetric request/response, virtual server on internal vlan will handle the request and virtual server on external vlan will handle the response.

Comments on this Answer
Comment made 19-Apr-2014 by Gbps 17
Hello nitass, it seems the situation is the same, as the external VS is matching/covering the internal VS traffic. I have verified it using an iRule on the external VS. Thnx, Aziz

It seems the situation is same as the external VS is matching/covering the Internal VS traffic. I have verified it using an iRule on the external VS.

are you saying symmetric's return traffic (C) matches external virtual server instead of internal virtual server?

have you checked whether symmetric connection is in connection table?

e.g.

# tmsh show sys connection cs-client-addr x.x.x.x
x.x.x.x is symmetric client ip

by the way, are you using f5 wireshark plugin? have you checked virtual server in f5 ethernet trailer?

e.g.


F5 Wireshark Plugin

https://devcentral.f5.com/wiki/AdvDesignConfig.F5WiresharkPlugin.ashx?Discuss=1

Comments on this Answer
Comment made 19-Apr-2014 by Gbps 17
Yes, (C) symmetric traffic and (3) asymmetric traffic seems to be matched by the external VS. I enabled the loose initiation/close on the existing internal_VS (forwarding), and I have noticed increase on # of connections. After that I enabled the external VS (with the same agreed settings) and apply an iRule to log the matching connection which generate a lot of entries. I will try it again with both WS plugin and connection-table verification for symmetric traffic. Thanx, Aziz

if you have evidence showing symmetric's return traffic (not internet initiated traffic) does not match existing connection in connection table, i think you can open a support case.


this is my testing.

# internal virtual server

[root@ve11a:Active:In Sync] config # tmsh list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_loose-init { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 3
}
[root@ve11a:Active:In Sync] config # tmsh list ltm profile fastl4 fastl4_loose-init
ltm profile fastl4 fastl4_loose-init {
    app-service none
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

# external virtual server (i do not have proxy server, so i just use ip-forward type)

[root@ve11a:Active:In Sync] config # tmsh list ltm virtual asym
ltm virtual asym {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastl4_immediate-timeout { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 12
}
[root@ve11a:Active:In Sync] config # tmsh list ltm profile fastl4 fastl4_immediate-timeout
ltm profile fastl4 fastl4_immediate-timeout {
    app-service none
    idle-timeout immediate
    loose-close enabled
    loose-initialization enabled
}

# trace (internal initiated traffic)

internal device ip is 200.200.200.101
external device ip is 172.28.24.1

(1) and (2) are syn. (1) is clientside (between internal and bigip) and (2) is serverside (between bigip and external)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside

internal virtual server name (lis=/Common/fwd) is shown in the trace. it is not shown on clientside's syn packet because it has not been processed by the virtual server.

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:16:24.386398 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  in slot1/tmm0 lis=
(2) 00:16:24.389269 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  out slot1/tmm0 lis=/Common/fwd
(3) 00:16:24.391033 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  in slot1/tmm0 lis=/Common/fwd
(4) 00:16:24.391046 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  out slot1/tmm0 lis=/Common/fwd
(5) 00:16:24.392630 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46  in slot1/tmm0 lis=/Common/fwd
(6) 00:16:24.392641 IP 200.200.200.101.52300 > 172.28.24.1.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/fwd

# connection table

[root@ve11a:Active:In Sync] config # tmsh show sys connection cs-client-addr 200.200.200.101 all-properties
Sys::Connections
200.200.200.101:52300 - 172.28.24.1:80 - 200.200.200.101:52300 - 172.28.24.1:80
-------------------------------------------------------------------------------
  TMM           0
  Type          any
  Acceleration  none
  Protocol      tcp
  Idle Time     6
  Idle Timeout  300
  Unit ID       1
  Lasthop       /Common/internal 00:50:56:b3:01:0b
  Virtual Path  172.28.24.1:80
  Conn Id 0

                          ClientSide             ServerSide
  Client Addr  200.200.200.101:52300  200.200.200.101:52300
  Server Addr         172.28.24.1:80         172.28.24.1:80
  Bits In                       1.4K                    960
  Bits Out                       960                   1.4K
  Packets In                       3                      2
  Packets Out                      2                      3

Total records returned: 1

# trace (external initiated traffic)

internal device ip is 200.200.200.101
external device ip is 172.28.24.1

(1) and (2) are syn. (1) is clientside (between external and bigip) and (2) is serverside (between bigip and internal)
(3) and (4) are syn/ack. (3) is serverside and (4) is clientside
(5) and (6) are ack. (5) is clientside and (6) is serverside

internal virtual server name (lis=/Common/fwd) is shown on clientside's syn/ack packet because external virtual server does not create connection in connection table. so, syn/ack packet is handled by internal virtual server.

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(1) 00:23:18.010820 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  in slot1/tmm0 lis=
(2) 00:23:18.012582 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  out slot1/tmm0 lis=/Common/asym
(3) 00:23:18.040222 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  in slot1/tmm0 lis=
(4) 00:23:18.040305 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  out slot1/tmm0 lis=/Common/fwd
(5) 00:23:18.041754 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46  in slot1/tmm0 lis=/Common/fwd
(6) 00:23:18.041770 IP 172.28.24.1.45008 > 200.200.200.101.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/fwd

# connection table (no connection because idle timeout is immediate)

[root@ve11a:Active:In Sync] config # tmsh show sys connection cs-client-addr 172.28.24.1 all-properties
Sys::Connections
Total records returned: 0

Comments on this Answer
Comment made 20-Apr-2014 by Gbps 17
Thanks nitass for your reply ,, appreciated ,, I will try it later and will get back with the results ,, BR, Aziz
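As an added example (not code from the thread or from F5), a small Python parser for the BIG-IP tcpdump lines with the "in/out slotX/tmmY lis=" trailer used in the testing answer above: it groups packets by connection and reports which virtual server forwarded the SYN and which forwarded the SYN/ACK, so a split path like the external-initiated trace (SYN via /Common/asym, SYN/ACK via /Common/fwd) is flagged for review. The sample lines are copied from the two traces in that answer; the field layout is assumed to match those lines.

```python
import re
from collections import defaultdict

# tcpdump on BIG-IP appends "in|out slotX/tmmY lis=<virtual server>" to each packet line;
# lis= names the listener (virtual server) that handled that copy of the packet.
PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>S|\.)\s+(?P<rest>.*?)\s+(?P<dir>in|out)\s+\S+\s+lis=(?P<lis>\S*)\s*$"
)

def parse_packet(line):
    """Parse one BIG-IP tcpdump line; return None for lines that are not packets."""
    m = PKT_RE.search(line)
    if m is None:
        return None
    if m["flags"] == ".":
        kind = "ACK"
    else:
        kind = "SYN/ACK" if "ack" in m["rest"].split() else "SYN"
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "kind": kind, "dir": m["dir"], "lis": m["lis"]}

def flow_key(p):
    """Direction-independent 4-tuple so both halves of a connection group together."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)

def analyze(lines):
    """Per flow: the listener that forwarded the SYN and the one that forwarded the SYN/ACK.
    Only 'out' copies count; the 'in' copy of a packet starting a new table entry has lis= empty."""
    seen = defaultdict(dict)
    for line in lines:
        p = parse_packet(line)
        if p is not None and p["dir"] == "out" and p["kind"] != "ACK":
            seen[flow_key(p)][p["kind"]] = p["lis"]
    report = {}
    for key, lis in seen.items():
        syn, synack = lis.get("SYN"), lis.get("SYN/ACK")
        # SYN and SYN/ACK handled by different virtual servers is the asymmetric case
        # discussed in the thread: no connection-table entry existed when the reply arrived.
        report[key] = {"syn": syn, "syn_ack": synack,
                       "split": None not in (syn, synack) and syn != synack}
    return report

# Sample input: lines copied from the two traces posted in the thread above.
SYMMETRIC_TRACE = [
    "(2) 00:16:24.389269 IP 200.200.200.101.52300 > 172.28.24.1.80: S 3831555759:3831555759(0) win 5840  out slot1/tmm0 lis=/Common/fwd",
    "(3) 00:16:24.391033 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  in slot1/tmm0 lis=/Common/fwd",
    "(4) 00:16:24.391046 IP 172.28.24.1.80 > 200.200.200.101.52300: S 801275336:801275336(0) ack 3831555760 win 5792  out slot1/tmm0 lis=/Common/fwd",
]
EXTERNAL_TRACE = [
    "(2) 00:23:18.012582 IP 172.28.24.1.45008 > 200.200.200.101.80: S 1397027985:1397027985(0) win 5840  out slot1/tmm0 lis=/Common/asym",
    "(3) 00:23:18.040222 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  in slot1/tmm0 lis=",
    "(4) 00:23:18.040305 IP 200.200.200.101.80 > 172.28.24.1.45008: S 3137679118:3137679118(0) ack 1397027986 win 5792  out slot1/tmm0 lis=/Common/fwd",
]
```

Feed the output of `tcpdump -nni 0.0 -s0 port 80` to analyze() and review the flows whose "split" is True; for a symmetric return path both entries name the same listener.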