Forum Discussion

Dan44's avatar
Dan44
Icon for Altostratus rankAltostratus
Jun 25, 2018

sticky sessions and proxy

We have a specific problem and hope someone has an idea what could be the cause.

 

We use persistence profiles (cookie and source ip for sticky sessions) for our web servers. We have placed a reverse proxy for A/B testing between the web servers and F5. Unfortunately the sticky session doesn't work anymore.

 

the setup:

 

Internet -> F5 Virtual Server (contains a irule to redirect sub-domains to the f5 proxy pool and configured persistence profile with cookie01 and snat) -> f5 proxy pool -> proxy -> F5 Virtual Server that contains the web server pool (persistence profile with cookie02 and snat) -> web server

 

On the web server logs, proxy log and in the browser we see the cookies, but if we do some upload test from the same source, we always land on different web server.

 

application delivery
LTM

10 Replies

Sort By
  • Surgeon's avatar
    Surgeon
    Ret. Employee
    Jun 25, 2018

    can you provide persistence profile config of your big-ips?

     

  • Dan44's avatar
    Dan44
    Icon for Altostratus rankAltostratus
    Jun 25, 2018

    hi, below the VIP config and a image from the cookie persistence profile

     

    Code 
ltm virtual bn8745_http { 
destination 96.127.x.20:https 
fallback-persistence source_addr 
ip-protocol tcp 
mask 255.255.255.255 
persist { 
xm_ bn8745_cookie { 
default yes 
} 
} 
policies { 
asm_auto_l7_policy__vip_ bn8745_http { } 
} 
pool pool_ bn8745_http 
profiles { 
ASM_ bn8745https { } 
bn8745_wildcard_sha2_ssl { 
context clientside 
} 
websecurity { } 
xm_ bn8745_tcp-lan-optimized { 
context serverside 
} 
xm_ bn8745_tcp-wan-optimized { 
context clientside 
} 
xm_ bn8745_live_https_profile { } 
xm_oneconnect { } 
} 
rules { 
xm_ bn8745_clientip 
xm_https_header_replace 
} 
security-log-profiles { 
"Illegal and Attacks" 
} 
source 0.0.0.0/0 
source-address-translation { 
type automap 
} 
translate-address enabled 
translate-port enabled 
vs-index 46 
}

     

  • Surgeon's avatar
    Surgeon
    Ret. Employee
    Jun 26, 2018

    Ok, this is one big-ip only. 1) It is not clear if you you facing the issue on public vip only or on both of them. 2) The cookie is valid for session only. It means that, if you close your app on the client side, next time new session will use another pool member.

     

    By telling "if we do some upload test from the same source, we always land on different web server. " do you mean you close the application, open it and upload again?

     

  • Jer_O__175899's avatar
    Jer_O__175899
    Icon for Nimbostratus rankNimbostratus
    Jun 26, 2018

    Per surgeon, perhaps you should just use source-address persistence instead of cookie and be done with it.

     

  • Dan44's avatar
    Dan44
    Icon for Altostratus rankAltostratus
    Jun 29, 2018

    the issue is only on the web server pool. on the second VIP, we changed the persistence profile to source ip. wit the new setup: public VIP cookie, web server VIP source ip, the sticky session over the proxy are working now.

     

  • Surgeon's avatar
    Surgeon
    Ret. Employee
    Jun 29, 2018

    Could you answer my question I asked before?

     

    ~~~~~~~~~

     

    By telling "if we do some upload test from the same source, we always land on different web server. " do you mean you close the application, open it and upload again?

     

    ~~~~~~~~~~~

     

  • Dan44's avatar
    Dan44
    Icon for Altostratus rankAltostratus
    Jun 29, 2018

    hi surgeon no, we don't close the application. for testing we used a gallery application with an in-memory queue on each web server. the user uploads 16 picture at the same time, so all of the pictures have to land on the same web server.

     

  • Surgeon's avatar
    Surgeon
    Ret. Employee
    Jun 29, 2018

    Hi Dan, Can you check pool member status. Is there any monitor flap?

     

    I do not see any issue with the config. If Monitor status is stable then maybe you need to open a case with support. Decrypted packet capture analysis is required.

     

  • Dan44's avatar
    Dan44
    Icon for Altostratus rankAltostratus
    Jun 29, 2018

    hi surgeon, thanks for you help. we will open a support case.

     

  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Jun 29, 2018

    "(contains a irule to redirect sub-domains to the f5 proxy pool and configured persistence profile with cookie01 and snat)"

     

    Do you use the pool command, as that triggers a new load balance decision?

     

    https://devcentral.f5.com/wiki/irules.pool.ashx

     

    I did not understand which one is the virtual server that you have persistence problem. which one is?

     

    If not the above one, can you provide that virtual server configuration? Can you provide also the iRule and oneconnect profile?