Forum Discussion

robert_yu_16_24
Jan 18, 2016

How to remove session persistency from an IRule

Here are the scrubbed F5 rules.


We have two pools for destination xxx.xx.xx.yyy:443: oam_server_80 and oaam_server_80.


By default, all traffic, i.e. /oam, goes to the pool oam_server_80, and only /oaam_server goes to the pool oaam_server_80.


What we observe using the same browser client with two transactions:

1. start with uri /oam
2. start with uri /oaam_server

It works as designed.

What we observe using the same browser client with two transactions:

1. start with uri /oaam_server
2. start with uri /oam

For the 2nd request, /oam always goes to pool oaam_server_80.


Any suggestion?


~~~
ltm virtual /Common/sso.fake.xyz_ssl {
    destination /Common/xxx.xx.xx.yyy:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/oam_server_80
    profiles {
        /Common/http { }
        /Common/sso.fake.xyz_ssl { context clientside }
        /Common/tcp { }
    }
    rules {
        /Common/oaam_server
    }
    snatpool /Common/FakeCompany_Web_SNAT
    vlans { /Common/LB_FW_VLAN_3227 }
    vlans-enabled
}

ltm pool /Common/oam_server_80 {
    members {
        /Common/111.22.3346:80 { address 111.22.3346 }
        /Common/111.22.3348:80 { address 111.22.3348 }
    }
    monitor /Common/tcp
}

ltm profile client-ssl /Common/sso.fake.xyz_ssl {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/199104280-sso.fake.xyz.crt
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    handshake-timeout 60
    key /Common/199104280-sso.fake.xyz.key
    mod-ssl-methods disabled
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}

ltm rule /Common/oaam_server {
    # oaam_server
    # Creation Date: 12/03/2015 D. URL sso.fake.xyz/oaam_server redirects to pool oaam_server_80
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            pool oaam_server_80
        }
    }
}

ltm pool /Common/oaam_server_80 {
    members {
        /Common/111.22.3350:80 { address 111.22.3350 }
        /Common/111.22.3351:80 { address 111.22.3351 }
    }
    monitor /Common/http
}
~~~

 

3 Replies

  • ltm rule /Common/oaam_server {
        # oaam_server
        # Creation Date: 12/03/2015 D. URL sso.fake.xyz/oaam_server redirects to pool oaam_server_80
        when HTTP_REQUEST {
            if { [HTTP::uri] starts_with "/oaam_server" } {
                persist none
                pool oaam_server_80
            }
        }
    }

     

    We made this change and disabled, then re-enabled, the front-end VIP, but it is still not working.

     

  • DevCentral has a mode for specifically adding code and configuration in a cleanly formatted box. It is done by putting ~~~ on a line by itself, followed by the code/config, followed by ~~~ again, also on a line by itself. Formatting code and configuration this way makes it much easier to read those entities. I strongly recommend doing this in the future. For reference, I provide your configuration formatted in this fashion here (I also inserted some whitespace to make things a bit more legible):

     

    ltm virtual /Common/sso.fake.xyz_ssl { 
        destination /Common/xxx.xx.xx.yyy:443 
        ip-protocol tcp 
        mask 255.255.255.255 
        pool /Common/oam_server_80 
        profiles { 
            /Common/http { } 
            /Common/sso.fake.xyz_ssl { context clientside } 
            /Common/tcp { } 
        } 
        rules { 
            /Common/oaam_server
        } 
        snatpool /Common/FakeCompany_Web_SNAT 
        vlans { /Common/LB_FW_VLAN_3227 } 
        vlans-enabled
    }
    
    ltm pool /Common/oam_server_80 { 
        members { 
            /Common/111.22.3346:80 { address 111.22.3346 } 
            /Common/111.22.3348:80 { address 111.22.3348 } 
        } 
        monitor /Common/tcp
    }
    
    ltm profile client-ssl /Common/sso.fake.xyz_ssl { 
        alert-timeout 60 
        allow-non-ssl disabled 
        app-service none 
        cache-size 262144 
        cache-timeout 3600 
        cert /Common/199104280-sso.fake.xyz.crt 
        chain none 
        ciphers DEFAULT 
        defaults-from /Common/clientssl 
        handshake-timeout 60 
        key /Common/199104280-sso.fake.xyz.key 
        mod-ssl-methods disabled 
        options { dont-insert-empty-fragments } 
        proxy-ssl disabled 
        renegotiate-max-record-delay 10 
        renegotiate-period indefinite 
        renegotiate-size indefinite 
        renegotiation enabled 
        secure-renegotiation require 
        server-name none 
        sni-default false 
        sni-require false 
        strict-resume disabled 
        unclean-shutdown enabled 
    }
    
    ltm pool /Common/oaam_server_80 { 
        members { 
            /Common/111.22.3350:80 { address 111.22.3350 } 
            /Common/111.22.3351:80 { address 111.22.3351 } 
        } 
        monitor /Common/http
    }
    
    ltm rule /Common/oaam_server {
        when HTTP_REQUEST { 
            if { [HTTP::uri] starts_with "/oaam_server" } {
                persist none
                pool oaam_server_80
            }
        }
    }
    
    

     

    Alright. Having done that, a point of clarification is useful. Persistence, in LTM, relates to the load-balancing selection within a pool, not across pools. In any case, it does not appear that you have added a persistence profile to the Virtual Server object, so the persist none will have no effect (it is used to disable the configured persistence before a load-balancing decision is made, and in this case, no persistence is applied, so there is nothing to "disable").

    When you say the user-agent performs "two transactions", do you mean within a single TCP connection (which means HTTP Keep-Alive is active) or across TCP connections? If it is the former, that explains what you are seeing. With your current configuration, each flow is being load-balanced, not each message within the flow, even though HTTP_REQUEST fires on each message. Calling pool, however, will force a new load-balancing decision each time it is called.

    If this is in fact the issue, there are several ways to tackle this. One method is to add the OneConnect profile to the HTTP Virtual Server. This will cause HTTP to essentially switch to message-based load-balancing (with load aggregation on the server-side). If you don't mind message multiplexing on the server-side, then this is the easiest way to solve the problem. The second method is to explicitly invoke the pool for all conditions. As I mentioned above, invoking pool forces an explicit detach and re-load-balance. The third method is to disable HTTP Keep-Alives on the client side. When this is done, each message will be in a separate TCP connection, so each message will be independently load-balanced. Here is code for each of the latter two solutions:

    Option 2:

     

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            pool oaam_pool
        }
        else {
            pool oam_pool
        }
    }
    

     

    Option 3:

     

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/oaam_server" } {
            pool oaam_pool
        }
    }
    
    when HTTP_RESPONSE {
        HTTP::close
    }
    

     

    And the CLI required for the first:

     

    tmsh modify ltm virtual /Common/sso.fake.xyz_ssl profiles add { oneconnect {} }
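The diagnosis in the reply above hinges on one question: do the two requests arrive on the same TCP connection, and which pool is that connection already bound to when the second request fires? The iRule below is an added example, not code posted in this thread or shipped by F5. It combines the "Option 2" approach (select a pool on every request) with logging that answers that question directly in /var/log/ltm. It uses the poster's real pool names (oam_server_80 and oaam_server_80); the static::oaam_debug switch is an assumed helper variable, not part of the original configuration.

```tcl
# Added example for this thread, not the poster's iRule.
# HTTP::request_num counts HTTP requests on the current TCP connection, so a
# value above 1 in the log proves the browser is reusing a keep-alive
# connection whose load-balancing decision was already made.
# LB::server pool reports the pool the connection is currently bound to.

when RULE_INIT {
    # Assumed debug switch; set to 0 to silence the logging once confirmed.
    set static::oaam_debug 1
}

when HTTP_REQUEST {
    if { $static::oaam_debug } {
        log local0. "client [IP::client_addr]:[TCP::client_port] req#[HTTP::request_num] uri=[HTTP::uri] bound_pool=[LB::server pool]"
    }

    # Invoke pool on every request so a /oam request arriving on a connection
    # previously balanced to oaam_server_80 is re-balanced to oam_server_80.
    if { [HTTP::uri] starts_with "/oaam_server" } {
        pool oaam_server_80
    } else {
        pool oam_server_80
    }
}

when LB_SELECTED {
    # Fires each time a fresh load-balancing decision is made; with the
    # explicit pool calls above it should fire once per request.
    if { $static::oaam_debug } {
        log local0. "selected pool [LB::server pool] member [LB::server addr]:[LB::server port]"
    }
}
```

Reproduce the poster's failing order (/oaam_server first, then /oam in the same browser session) and read the two log lines per request: the first line shows the request number and the pool the connection was bound to on arrival, the second shows the pool actually chosen. If the original single-branch iRule were still in place, the second request would show req#2 with bound_pool=oaam_server_80 and no LB_SELECTED line, which is exactly the symptom described in the question.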
    

     

  • Oh, and I see now that in my code snippets, I didn't get the pool names quite right, but hopefully you follow, nonetheless :).