iRule to direct specific IPs to specific members, not working as expected.
I have a 6400 LTM HA pair, running 10.2.4HF5.
I have a oneconnect virtual server, ssl proxy, with both cookie and source_addr persistence to a pool with 12 members....as 6 different IPs, and two different ports on each of the 6 IPs.
pool ISIS-Web_SSL {
lb method member observed
snat disable
monitor all https1.0
members {
10.10.10.72:5002 {}
10.10.10.72:5004 {}
10.10.10.85:5002 {}
10.10.10.85:5004 {}
10.10.10.102:5002 {}
10.10.10.102:5004 {}
10.10.10.108:5002 {}
10.10.10.108:5004 {}
10.10.10.110:5002 {}
10.10.10.110:5004 {}
10.10.10.115:5002 {}
10.10.10.115:5004 {}
}
}
We then have a webmethods cluster that is doing calls again this webserver, where during times of heavy traffic (which we anticipate will next occur on Jan 21, 2014 - the first day of classes....) The heavy user traffic also causes heavier webmethods traffic. Since the priority is user experience, the plan is to direct webmethods traffic to one member, with an alternate member if its down, else reject the traffic.
So, I came up with this iRule.
when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] equals "TXHUB_IP"] } {
persist none
ONECONNECT::reuse disable
if { [LB::status pool ISIS-Web_SSL member 10.10.10.108 5004] ne "down" } {
pool ISIS-Web_SSL member 10.10.10.108 5004
return
} elseif { [LB::status pool ISIS-Web_SSL member 10.10.10.110 5004] ne "down" } {
pool ISIS-Web_SSL member 10.10.10.110 5004
return
} else {
reject
return
}
}
pool ISIS-Web_SSL
}
Hopefully, I didn't make a typo...so its all like we're using.
Initially it was tested on our test stack, where we only have two servers, so its not quite a true representation (we started out with identical test and production stacks, but there was some growth of production capacity through reallocation from test.)
Anyways...same rule thrown in live on production today....didn't go so well.
We say the traffic shift to where we wanted it to go, but the webmethods admins said things weren't working right. What was observed (both through netstat on the servers, and looking a 'b conn client server ....' on the F5) was that there were connections going to both port 5002 and 5004. Which is not expected and doesn't work....
Did I get something obvious wrong? Or is there some other issue at play.... from oneconnect?
LKC