Forum Discussion

Kenny_Van_73892
May 11, 2007

Different persistence each pool under a single virtual server

I'm hitting the wall with persistence in version 9.4. In version 4.6, I can set different persistence for each pool, such as SSL persistence for pool A, Simple persistence for pool B, and None for pool C. Pools A, B, and C are all under a single VIP. Now I can't do the same thing through configuration in version 9.4. The Tech @ F5 recommended that I configure the persistence for each pool through an iRule, and I'm not sure how to start. For instance, https://www.mycompany.com/A goes to poolA, /B goes to poolB, /C goes to poolC, and poolA is Simple persistence, poolB is SSL persistence, and poolC is None.

when HTTP_REQUEST {
    if {[HTTP::uri] contains "A"} {
        pool A
    }
    elseif {[HTTP::uri] contains "B"} {
        pool B
    }
    else {
        pool C
    }
}

The Persistence feature in Profile is configured for all pools, so I can't utilize it and need your help to config persistence for each pool.

Thanks.

 

10 Replies

  • You can use the 'persist' command in each condition of the rule to use a different persistence method. Here is a related post (Click here)

    And here is the Wiki page for the persist command: (Click here).

    Aaron
  • Thanks for the response. I looked over the persist command but got confused about whether I can embed the persist command within the HTTP_REQUEST event or whether I have to create a new CLIENTSSL_HANDSHAKE event. For instance:

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "A"} {
            persist simple
            pool A
        }
        elseif {[HTTP::uri] contains "B"} {
            pool B
            persist ssl
        }
        else {
            pool C
            persist ssl
        }
    }

    Not so sure if the above persist can be used as such. Thanks.

  • You should be able to set the different persistence methods in the HTTP_REQUEST event. This allows you to make per-HTTP request decisions on which persistence method to use.

    However, trying to use SSL session ID persistence in this context won't work. SSL persistence can only be used when the BIG-IP does not decrypt the traffic:

    https://tech.f5.com/home/bigip-next/manuals/bigip9_2/bigip9_2config/BIG_IP9_2ConfigGuide-10-1.html

    SSL persistence

    SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID. Even when the client's IP address changes, the LTM system still recognizes the connection as being persistent based on the session ID. Note that the term non-terminated SSL sessions refers to sessions in which the LTM system does not perform the tasks of SSL certificate authentication and encryption/re-encryption. To enable persistence for terminated SSL sessions, see Chapter 7, Managing SSL Traffic and Chapter 13, Writing iRules.

    And from SOL3062:

    https://tech.f5.com/home/solutions/sol3062.html

    You can only use SSL persistence with nodes that are running SSL, where BIG-IP load balances only encrypted traffic. You cannot use SSL Persistence with SSL connections that are terminated by BIG-IP.

    If the BIG-IP terminates the SSL connection, the SSL session ID is removed before the connection is directed to a pool. As a result, the pool sees the connection as a regular HTTP connection, which does not contain an SSL Session ID.

    If the BIG-IP is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.

    If you are decrypting the traffic, you could persist on the SSL session ID using the session table or persist uie. Try searching the forum for "SSL::sessionid" for some examples.

    Aaron
  • Thanks Aaron.

    I wonder if I can have the iRule as below:

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "A"} {
            persist simple
            pool A
        }
        elseif {
            set sslid [session lookup ssl [SSL::sessionid]]
            persist uie $sslid
            [HTTP::uri] contains "B"} {
            pool B
        }
        else {
            pool C
        }
    }

  • Here's another one that I just came up with but not sure if it has the right logical order or syntax.

    when CLIENT_ACCEPTED {
        set sslid [session lookup ssl [SSL::sessionid]]
    }

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "A"} {
            persist simple
            pool A
        }
        elseif {[HTTP::uri] contains "B"} {
            pool B
            persist uie $sslid
        }
        else {
            pool C
        }
    }

    Thanks.
  • That second version looks better. Can you add some log statements to check the results and then test?

    Try including a log statement in the LB_SELECTED event to log the value for LB::server, to see which node is selected.

    Aaron
  • I got command is not valid @

    set sslid [session lookup ssl [SSL::sessionid]]

    Do you know what's wrong with that line above?

    And here's the LB_SELECTED event:

    when LB_SELECTED {
        log local0. "Connection from [IP::client_addr] to [LB::server]"
    }

    Thanks.
  • Can you change the lookup from ssl to uie?

    set sslid [session lookup ssl [SSL::sessionid]]
  • I changed from ssl to uie, but the irule editor is still complaining: command is not valid in current event context (CLIENT_ACCEPTED)[SSL::sessionid]

    Now, can I use set sslid [session lookup ssl/uie [SSL::sessionid]] in CLIENT_ACCEPTED event?

    Thanks.

  • G__Wesley_Rober
    Historic F5 Account
    I think you need to choose a valid event for the [SSL::sessionid] command. http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__sessionid.html

    I also recall that you need to assign a persistence profile to the VIP in order to use certain persist commands in an iRule (like ssl). That would mean you need to do "persist none" for pool C. http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=1276
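
The approach the replies converge on, as an added example (not code from any poster in the thread or from F5): the session ID is read in CLIENTSSL_HANDSHAKE, an event where SSL::sessionid is valid, and each branch sets its own persistence. It assumes the BIG-IP terminates SSL with a client SSL profile, that a persistence profile is assigned to the virtual server as the last reply describes, and that URIs begin with /A and /B; the 1800-second timeout and the starts_with match are illustrative choices.

```tcl
# Added example for BIG-IP 9.x iRules. Pool names A, B, C and the /A, /B
# prefixes follow the thread; the 1800 s timeout is an assumed value.

when CLIENTSSL_HANDSHAKE {
    # SSL::sessionid is rejected in CLIENT_ACCEPTED (the editor error quoted
    # in the thread). The client-side handshake event is one where it is
    # valid. The variable is connection-scoped, so HTTP_REQUEST can read it.
    set sslid [SSL::sessionid]
}

when HTTP_REQUEST {
    # starts_with anchors the match to the path prefix; "contains" would
    # also match an "A" or "B" anywhere in the path or query string.
    if { [HTTP::uri] starts_with "/A" } {
        pool A
        persist simple
    } elseif { [HTTP::uri] starts_with "/B" } {
        pool B
        if { [info exists sslid] && $sslid ne "" } {
            # SSL is terminated on the BIG-IP, so "persist ssl" cannot be
            # used; key a universal (uie) record on the client-side ID.
            persist uie $sslid 1800
        } else {
            # No usable session ID: do not create a record on an empty key.
            persist none
        }
    } else {
        pool C
        # Explicitly switch off the virtual server's default persistence.
        persist none
    }
}

when LB_SELECTED {
    # Same check suggested in the thread: confirm which node was chosen.
    log local0. "Connection from [IP::client_addr] to [LB::server]"
}
```

Repeating requests to /B from one SSL session and comparing the LB_SELECTED log lines shows whether the uie record is holding the client on one node.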