Forum Discussion

andrew_deackes_
Dec 16, 2008

GTM LDNS Persistence Not Adequate

Hi,

We are using our GTMs to distribute users' connections to an SSL RAS solution. We have it set to Round Robin between the two datacentres where the RAS devices are located. We also have LDNS persistence enabled. When testing name resolution this seems to work fine, and for the majority of users it's caused no problems.

However, a few users have a problem and we believe it may be due to their ISPs using some form of load-balanced DNS. The user connects initially to site A, their PC is security checked and then authenticated. Then, when they launch the full VPN tunnel, the DNS resolves to site B (presumably because the ISP's DNS has load balanced to a different DNS server) and the VPN connection fails.

Has anyone run into anything similar? Any suggestions for a way around this?

Currently we've reverted to GA with all users hitting one datacentre, but we'd really like to load balance across both sites as user numbers increase.

Thanks

Andy

2 Replies

  • I had a situation where I addressed this a few years back. Here's a cleaned up version of that effort:


     when HTTP_REQUEST {
       # Cookie value is "<virtual name> <pool> <member addr> <member port>",
       # exactly as written out in HTTP_RESPONSE below.
       if { [HTTP::cookie exists "ssl_persist"] } {
         set persist [HTTP::cookie value "ssl_persist"]
         set vs   [lindex $persist 0]
         set pl   [lindex $persist 1]
         set addr [lindex $persist 2]
         set port [lindex $persist 3]
         # Selecting a member that does not exist in this site's pool raises a
         # Tcl error, which is how we learn the client was first answered by
         # the other site. A successful selection is already in effect, so it
         # does not need to be repeated.
         if { [catch { pool $pl member $addr $port }] } {
           # Send the client back to the site that owns that member.
           # [HTTP::uri] already begins with "/", so no separator is added.
           HTTP::redirect "https://$vs[HTTP::uri]"
         }
       }
     }
     when HTTP_RESPONSE {
       # Record which site and pool member served this client.
       # [LB::server] returns "<pool> <addr> <port>".
       HTTP::cookie insert name "ssl_persist" value "[virtual name] [LB::server]"
     }


    Note that in the redirect line, the first element in the list is the virtual name, not the address, so if it is not the FQDN of your local virtual (not the GTM wideIP), then you'll need to provide some means to extract that. This can be handled in a data class like this and then extracted with findclass:


     class mySiteVips {
       "mySiteAVipName my.siteA.VipFQDN"
       "mySiteBVipName my.siteB.VipFQDN"
     }

     # findclass with " " as the separator returns the text after the first
     # space of the matching line, or "" when the name is unknown, so a
     # tampered cookie cannot redirect the client to an arbitrary host.
     set vsfqdn [findclass [lindex [HTTP::cookie value "ssl_persist"] 0] $::mySiteVips " "]
     if { $vsfqdn ne "" } {
       HTTP::redirect "https://$vsfqdn[HTTP::uri]"
     }


    HTH... 🙂
  • Hi Citizen Elah,

Thanks for the advice, we may have to try that. However, for now I've changed this config so both datacentre IPs are in a pool and the pool uses Static-Persist. I've also amended the persist mask to /24 so that hopefully we'll get an even distribution of resolution across the two sites, and DNS servers from the same subnet will get the same answer.

    If we still have problems I'll be giving your iRule a try!

    Cheers

    Andy
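
The failure Andy describes in the original post, and the Static-Persist /24 workaround from his last reply, modelled as an added example that is not code from this thread or from F5. Two resolvers of one ISP, both in the same /24, front the client; the ISP's own load balancer sends the portal lookup through one and the tunnel lookup through the other. With round robin plus LDNS persistence the second resolver is a new key and receives the other site, while keying on the masked /24 gives both the same answer. The addresses are invented, and the SHA-256 hash that stands in for GTM's static-persist member choice is an assumption of the model, not F5's algorithm.

```python
import hashlib
import ipaddress
import itertools

# Constructed sample data (invented addresses): the VIP each datacentre's
# wideIP answer can point at, and the two resolvers of one ISP sharing a /24.
SITE_A = "192.0.2.10"
SITE_B = "198.51.100.10"
POOL = [SITE_A, SITE_B]
ISP_RESOLVERS = ["203.0.113.5", "203.0.113.6"]


class LdnsPersistGtm:
    """Model of round robin with LDNS persistence: the first query from a new
    resolver address gets the next round-robin answer, later queries from that
    same address get the remembered answer. A different resolver address is a
    new key even when it belongs to the same ISP."""

    def __init__(self, pool):
        self._rr = itertools.cycle(pool)
        self._table = {}

    def resolve(self, ldns):
        if ldns not in self._table:
            self._table[ldns] = next(self._rr)
        return self._table[ldns]


class StaticPersistGtm:
    """Model of static persist keyed on the LDNS address masked to a prefix.
    The hash is a stand-in (SHA-256 of the network address) chosen so the
    example is reproducible; it is an assumption, not F5's own algorithm."""

    def __init__(self, pool, prefixlen=24):
        self._pool = list(pool)
        self._prefixlen = prefixlen

    def resolve(self, ldns):
        net = ipaddress.ip_network(f"{ldns}/{self._prefixlen}", strict=False)
        digest = hashlib.sha256(str(net.network_address).encode()).digest()
        return self._pool[int.from_bytes(digest[:4], "big") % len(self._pool)]


def vpn_session(gtm, resolvers):
    """The two lookups a client makes: one for the portal and host check, one
    when the full tunnel starts. Each query goes through a different ISP
    resolver. Returns (portal_answer, tunnel_answer, same_site)."""
    portal = gtm.resolve(resolvers[0])
    tunnel = gtm.resolve(resolvers[1])
    return portal, tunnel, portal == tunnel


def spread(gtm, prefixes):
    """Set of sites chosen across many distinct /24s: static persist still
    spreads load between subnets, it only pins answers within one subnet."""
    return {gtm.resolve(f"{p}.1") for p in prefixes}


if __name__ == "__main__":
    print("ldns persist:", vpn_session(LdnsPersistGtm(POOL), ISP_RESOLVERS))
    print("static /24  :", vpn_session(StaticPersistGtm(POOL), ISP_RESOLVERS))
    print("sites used  :", spread(StaticPersistGtm(POOL),
                                  [f"203.0.{i}" for i in range(256)]))
```

The spread() check is the caveat to the workaround: load still divides across sites between different /24s, so an ISP whose resolvers span more than one /24 will still split a client's two lookups unless the mask is widened, and widening it concentrates more clients on one site.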