Forum Discussion

Marcus_Hong_Yu
Jun 02, 2017

LTM irule same irule got called by multiple tmm instances

Hi guys, recently I've been working on an iRule to make an LTM VS act as a reverse proxy. Basically the user will call the VS on HTTPS, and the VS will use the iRule to do a DNS query against a specific URL and use the resolved IP as the node to establish the connection. I used RESOLV::lookup, and in order to provide a bit of redundancy on the DNS servers the iRule queries, I used a list of 3 DNS servers for the iRule to query. So if the first DNS server is not responding with a valid IP, it will query the 2nd DNS server. However, what I noticed is that every time the VS was called, from the log, I see the iRule got run by multiple tmm instances. It seems each tmm will run the iRule in order and then establish the connection to the resolved IP. This turned out to be a time-consuming issue, especially when the first DNS server was failing.

 

For example:

 

When the first DNS failed, tmm will run through the iRule and fail the first DNS query, then get the IP resolved by querying the 2nd DNS server in the list. Then tmm1 kicked in, ran the same iRule and failed the first query again, then successfully resolved the IP, but still no connection was established. tmm2 will run the iRule when tmm1 is done, then establish the connection.

 

Has anyone ever noticed such behavior? Is it because RESOLV::lookup is suspending the session on one tmm and then using another tmm to run the iRule? Any hints would help.

 

6 Replies

  • Here is the irule I composed

    when CLIENT_ACCEPTED {
        set index 0
        set dnslist [list 10.1.1.1 10.1.1.12 10.2.2.4]
        set max 3
        while {$index <= $max} {
            set dns [lindex $dnslist $index]
            # perform DNS resolution
            set dest [lindex [RESOLV::lookup @$dns -a ";] 0]
            # Check if the first list element was empty
            if {$dest eq ""} {
                # No valid IP resolved against DNS
                set index [expr {$index + 1}]
            } else {
                # Set Node IP based on DNS resolution
                node $dest 443
                set index [expr {$max + 1}]
            }
        }
    }

     

  • Hi,

    Your iRule is not optimized... look at this one:

    when CLIENT_ACCEPTED {
        set dnslist {10.1.1.1 10.1.1.12 10.2.2.4}
        foreach dns $dnslist {
            # Check if the first list element was empty
            if {[set dest [lindex [RESOLV::lookup @$dns -a "www.abc.com";] 0]] ne ""} {
                # Set Node IP based on DNS resolution
                node $dest 443
                break
            }
        }
    }
    

    Another enhancement can be to use DNS resolution in the pool instead of this iRule. It will create each member discovered with DNS.

    To answer about TMM, each connection is handled by a different TMM. If you are working on a 6 TMM appliance, you may see in logs tmm0, tmm1, ... tmm6

    but only one TMM request for each TCP connection.

  • Hi,

     

    Did you try to use FQDN nodes instead of an iRule? (BIG-IP v11.6+) And, as you mentioned tmm instances, did you try to disable CMP and run demoted? I think it isn't a good thing, so maybe it is better for you to do some logic and control the TTL, such as a table lookup mechanism or anything else.

     

    Regards.

     

  • I think I found some cause: RESOLV::lookup by default will use 4 tmm instances to do the initial query and 3 retries, and each one is 5 seconds. I can modify the sys db to reduce the retry count and timeout value; however, is there any better way to make it resolve to the valid IP quicker?

     

  • Hi Stanislas, I will give foreach a try instead of while. But the thing is that RESOLV::lookup will use multiple TMMs to call the iRule, which means even by using foreach, when the DNS server was failing, the iRule will still be called multiple times. Is that the case?

     

  • Another improvement is to create a DNS pool containing pool DNS servers and monitored with a DNS monitor.

     

    Then use this code:

     

    when CLIENT_ACCEPTED {
        foreach dns [active_members -list p_dns] {
            # Check if the first list element was empty
            if {[set dest [lindex [RESOLV::lookup @[lindex $dns 0] -a "www.abc.com";] 0]] ne ""} {
                # Set Node IP based on DNS resolution
                node $dest 443
                break
            }
        }
    }

    This code will query only the active DNS members, based on the pool member status.
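
The following iRule is an added example, not code from any poster in this thread. It combines two suggestions made above: the monitored DNS pool and a `table`-based cache with a controlled lifetime, and it rejects the connection when no server returns an address. The pool name `p_dns` and the hostname come from the replies; the 30-second lifetime and the cache key name are assumptions.

```tcl
when CLIENT_ACCEPTED {
    # Assumptions: p_dns is the monitored DNS pool from the reply above,
    # www.abc.com is the hostname used in the thread, and the 30-second
    # cache lifetime is an illustrative value, not one from the thread.
    set host "www.abc.com"
    set key "resolved:$host"

    # The session table is shared across TMM instances, so one successful
    # lookup serves later connections whichever TMM accepts them.
    # -notouch keeps reads from extending the entry's timeout.
    set dest [table lookup -notouch $key]

    if {$dest eq ""} {
        # Cache miss: ask only the DNS servers the monitor marks as up.
        foreach member [active_members -list p_dns] {
            # Each member is an "address port" pair; use the address only.
            set answer [lindex [RESOLV::lookup @[lindex $member 0] -a $host] 0]
            if {$answer ne ""} {
                set dest $answer
                # Idle timeout and hard lifetime are both 30 seconds, so the
                # cached address is re-resolved at least that often.
                table set $key $dest 30 30
                break
            }
        }
    }

    if {$dest eq ""} {
        # Fail closed: no answer means no upstream, so do not fall through
        # to a default pool or a stale destination.
        log local0.warning "No server in p_dns resolved $host, rejecting [IP::client_addr]"
        reject
        return
    }

    node $dest 443
}
```

Because the answer is cached, most connections skip `RESOLV::lookup` entirely, so a failing DNS server only delays the connection that refreshes the entry.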