Ian_Peralta_256
Sep 26, 2016

Persistence via Backend Source Port?

Hi. Good day. I would just like to ask for your expert advice. Thank you.

I have a VS with port 8000 facing the users. At the backend, I have 3 servers serving the same application but are on different ports (server1:9001, server2:9002, server3:9003). What I want to do is to configure connection persistence based on the backend server ports. If for example, user1 connects to the app and was redirected to server1:9001, I would like F5 to remember that and have all that user's succeeding connections routed to server1. It should not matter if the user is browsing, streaming or playing online games. I am not sure if I have explained myself properly but please do ask away if anything's unclear.

By the way, persistence by source address is not an option as the users could possibly be NATed to a single IP.

Thank you again.

5 Replies

  • What type of application is it? Is it HTTP based? Is it unencrypted? Can you use F5 Cookie Insert?

    For any type of persistence, there MUST be something to key off of or look at to make the persistence decision so please share what you would like to look at in the request.

    Example, for source persistence, we key off of the source IP.

    In HTTP persistence, we can key off of a hostname, or URI or cookie, etc.

    What do you propose we look at in the request?

  • Hi James,

    Thank you for your interest in providing help.

    It's actually a tunnel server. So I just throw everything from the client to the tunnel server which uses UDP. So HTTP, video streaming, etc. goes through the tunnel unencrypted. The tunnel server can provide a token per session. It should be present every time the client sends packets to the tunnel server. Can that be used? I've been reading things about iRules but I am really no programmer so I can only understand so much on how it's done.

    Thank you again James.

  • Yes, realistically, anything in the payload that is unencrypted could be used as a value to key off of for an iRule. That being said, UDP isn't the easiest to parse. As you're describing it, it's not something F5 has a parser for, so it would be generic UDP to the BIG-IP.

    Do you think there's any connection between the UDP source port used where you'd want to key off of that? Probably not, but it would be easier than UDP payload.

    You'd most likely need to use a binary scan technique. If this isn't in your wheelhouse, you can reach out to F5 professional services and they could most likely write it for you depending on whether you'd be able to pay for it or not.

    Here are some examples of binary scan. https://devcentral.f5.com/questions/radius-uie-persistence-and-cmp-compatibility

    https://devcentral.f5.com/questions/universal-persistence-based-on-udp-payload-what-event-to-use

    You'd want to look at UDP payload probably https://devcentral.f5.com/wiki/iRules.UDP__payload.ashx

  • Thank you James. I'll ask our devs for help on this. Your help is very much appreciated :)
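
The binary scan approach suggested in the replies above, sketched as an iRule for the UDP virtual server. This is an added example, not code from the thread or from F5; the token position (offset 4) and length (16 bytes) are assumptions, since the thread does not describe the tunnel protocol's layout, and the 300-second timeout is an arbitrary choice.

```tcl
# Added example: universal (UIE) persistence keyed on a session token
# carried in the unencrypted UDP payload.
# ASSUMPTIONS (not from the thread): the token is a fixed-length field at a
# fixed offset in every client datagram. Adjust both values to the real
# tunnel protocol layout.
when CLIENT_DATA {
    set token_offset 4     ;# assumed byte offset of the token
    set token_len    16    ;# assumed token length in bytes
    set persist_ttl  300   ;# assumed idle timeout for the persistence record

    # A datagram too short to hold the token gets no persistence record;
    # it is load balanced normally instead of being keyed on garbage.
    if { [UDP::payload length] < ($token_offset + $token_len) } {
        return
    }

    # "@N" moves the scan cursor to absolute offset N; "H<n>" reads n hex
    # digits (two per byte), so the key is a printable hex string.
    set fmt "@${token_offset}H[expr {$token_len * 2}]"
    if { [binary scan [UDP::payload] $fmt token] != 1 } {
        return
    }

    # Every datagram carrying the same token goes to the pool member chosen
    # for the first one, whatever that member's port (9001, 9002 or 9003)
    # and whatever source IP the client is NATed behind.
    persist uie $token $persist_ttl
}
```

Because the key is read from unauthenticated payload, any client can pick its own token value; keeping the timeout short lets records created from malformed or random tokens age out of the persistence table.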