Asked by Stuart Kelly. Users are coming in externally through the Netscaler SSL.
The f5 then sends the traffic to the web interface. We are having some issues where we get the browser message saying:. There is a problem with your session. For security reasons, you must close your browser window and log. I am pretty sure that this message is caused by the persistence settings on the f5. I have seen on some forums that HTTP Cookie insert doesn't always work with Citrix and f5 but can anyone advise which persistence settings I should use instead?
We are trying to setup netscaler loadbalancer with multiple virtual servers. Is there a way to do persistence across multiple virtual servers based on source IP? Create a persistency group. We tried using this persistency group but it doesn't work for us. We have two server behind the loadbalancer. We have to provide Load balancing for multiple TCP ports. We created virtual servers on the for each of these Ports. Now we need to make sure that if a client tries to access a service on port x and then port y.
Both the requests to go the same server. For example the server supports port and We want to make sure if a client with IP Address You will be able to leave a comment after signing in. Upvote if you also have this question or find it interesting.
Learn more. Follow, to receive updates on this topic.
Netscaler and f5 persistance Asked by Stuart Kelly. Stuart Kelly 2. Stuart Kelly Enthusiast 2 Members 6 posts. Posted November 11, We have an interesting issue relating to Netscaler, f5 and web interface.HTTP HyperText Transfer Protocol was designed to support a stateless, request-response model of transferring data from a server to a client.
Its first version, 1. Version 1. This was done to address the growing complexity of web pages, including the many objects and elements that need to be transferred from the server to the client.
With the adoption of 2. Its most radical changes involve the exchange of headers and a move from text-based transfer to binary. Somewhere along the line, HTTP became more than just a simple mechanism for transferring text and images from a server to a client; it became a platform for applications. The ubiquity of the browser, cross-platform nature, and ease with which applications could be deployed without the heavy cost of supporting multiple operating systems and environments was certainly appealing.
Unfortunately, HTTP was not designed to be an application transport protocol. It was designed to transfer documents. A good example of this is JSON, a key-value pair data format transferred as text. Though documents and application protocols are generally text-based, the resemblance ends there. Traditional applications require some way to maintain their state, while documents do not. Applications are built on logical flows and processes, both of which require that the application know where the user is at the time, and that requires state.
Despite the inherently stateless nature of HTTP, it has become the de facto application transport protocol of the web. In what is certainly one of the most widely accepted, useful hacks in technical history, HTTP was given the means by which state could be tracked throughout the use of an application. That "hack" is where sessions and cookies come into play. Sessions are the way in which web and application servers maintain state.
These simple chunks of memory are associated with every TCP connection made to a web or application server, and serve as in-memory storage for information in HTTP-based applications. When a user connects to a server for the first time, a session is created and associated with that connection. Developers then use that session as a place to store bits of application-relevant data. This data can range from important information such as a customer ID to less consequential data such as how you like to see the front page of the site displayed.
The best example of session usefulness is shopping carts, because nearly all of us have shopped online at one time or another. Items in a shopping cart remain over the course of a "session" because every item in your shopping cart is represented in some way in the session on the server. Another good example is wizard-style product configuration or customization applications.
These "mini" applications enable you to browse a set of options and select them; at the end, you are usually shocked by the estimated cost of all the bells and whistles you added.
As you click through each "screen of options," the other options you chose are stored in the session so they can be easily retrieved, added, or deleted. Modern applications are designed to be stateless, but their architectures may not comply with that principle. Modern methods of scale often rely on architectural patterns like sharding, which requires routing requests based on some indexable data, like username or account number.
This requires a kind of stateful approach, in that the indexable data is carried along with each request to ensure proper routing and application behavior.This particular implementation uses the default HTTP profile. Source address affinity persistence directs session requests to the same server based solely on the source IP address of a packet. To implement source address affinity persistence, the BIG-IP system offers a default persistence profile that you can implement.
Just as for HTTP, you can use the default profile, or you can create a custom simple persistence profile.F5 LTM Persistence
This implementation describes how to set up a basic HTTP load balancing scenario and source address affinity persistence, using the default HTTP and source address affinity persistence profiles.
Because this implementation configures HTTP load balancing and session persistence using the default HTTP and persistence profiles, you do not need to specifically configure these profiles. Instead, you simply configure some settings on the virtual server when you create it.
My Support. Task summary This implementation describes how to set up a basic HTTP load balancing scenario and source address affinity persistence, using the default HTTP and source address affinity persistence profiles. Task list. As part of this task, you must assign the relevant pool to the virtual server.
Note: The IP address you type must be available and not in the loopback network. This implements simple persistence, using the default source address affinity profile.
You now have a virtual server to use as a destination address for application traffic. Have a Question? Follow Us. F5 Sites F5. All rights reserved. Policies Privacy Trademarks.NetScaler NetScaler Release Notes. Getting Started with Citrix NetScaler.
Install the hardware. Access a Citrix ADC. Configure the ADC for the first time. Secure your NetScaler deployment. Configure high availability. Change an RPC node password. Understanding Common Network Topologies. System management settings. System settings. Packet forwarding modes. Network interfaces.
Clock synchronization. DNS configuration. SNMP configuration.
Verify Configuration. Load balance traffic on a NetScaler appliance. Load balancing.
Configuring HTTP Load Balancing with Source Address Affinity Persistence
Persistence settings. Configure features to protect the load balancing configuration. A typical load balancing scenario.
Accelerate load balanced traffic by using compression. Secure load balanced traffic by using SSL. Features at a Glance. Application Switching and Traffic Management Features. Application Acceleration Features. Application Security and Firewall Features. Application Visibility Feature. Call Home. Connection Management.Unofficial - A Certification Exam Resources:.
Unofficial - B Certification Exam Resources:. Version notice:. Before we get into the study points of this section, there is some basic information you should know about virtual servers and the BIG-IP platform. Virtual Server Intro.
This means that the device will not accept traffic and process it unless you have configured it to do so. Clients on an external network can send application traffic to a virtual server, which then directs the traffic according to your configuration instructions. The main purpose of a virtual server is often to balance traffic load across a pool of servers on an internal network. Virtual servers increase the availability of resources for processing client requests.
Not only do virtual servers distribute traffic across multiple servers, they also treat varying types of traffic differently, depending on your traffic-management needs. A virtual server can also enable session persistence for a specific traffic type. Finally, a virtual server can apply an iRule, which is a user-written script designed to inspect and direct individual connections in specific ways.
For example, you can create an iRule that searches the content of a TCP connection for a specific string and, if found, directs the virtual server to send the connection to a specific pool or pool member. A Standard virtual server also known as a load balancing virtual server directs client traffic to a load balancing pool and is the most basic type of virtual server.
When you first create the virtual server, you assign an existing default pool to it. From then on, the virtual server automatically directs traffic to that default pool. To do this, you must perform some additional configuration tasks. A Forwarding IP virtual server is just like other virtual servers, except that a forwarding virtual server has no pool members to load balance.
The virtual server simply forwards the packet directly to the destination IP address specified in the client request. When you use a forwarding virtual server to direct a request to its originally specified destination IP address, Local Traffic Manager adds, tracks, and reaps these connections just as with other virtual servers.
You can also view statistics for a forwarding virtual server. Together, the virtual server and profile increase the speed at which the virtual server processes HTTP requests. A Performance Layer 4 virtual server is a virtual server with which you associate a Fast L4 profile.
Together, the virtual server and profile increase the speed at which the virtual server processes Layer 4 requests. When you create a virtual server, you specify the pool or pools that you want to serve as the destination for any traffic coming from that virtual server.
You also configure its general properties, some configuration options, and other resources you want to assign to it, such as iRules or session persistence types.
In version 4. The order of virtual server precedence was from the highest precedence to the lowest precedence as follows:. In Version 9. Changes in the order of precedence applied to new inbound connections are in Version Complete details can be found at the following location:. SOL Order of precedence for virtual server matching The BIG-IP system uses the destination address, source address, and service port configuration to determine the order of precedence applied to new inbound connections.
When a connection matches multiple virtual servers, the BIG-IP system uses an algorithm that places virtual server precedence in the following order:.We had a nice exchange of ideas for several days before he carried this over the finish line with a working solution for his environment. The problem? How do you persist the client address AND the snat address? Source persistence is an easy profile add-on. But the snat address? Not so simple. This represents Anywhere University, with tens of thousands of students, thousands of faculty and staff, and more university compute and bring your own device s than is practical to count.
Because of the high client load flowing through the LC, snat automap is not an option due to the high risk of port exhaustion.
Cookies, Sessions, and Persistence
A snat pool works well here, and snatpools are smart enough to assign an address from the correct subnet even when addresses from multiple subnets are lumped together in a single snatpool, as is the case here.
The tricky part for this solution is persisting the snat address for the client source address that is persisted. The order of operation is thus:. But in the case of establishing a snat and persisting it, the next hop has to be established. So we really only care about addressing. Source persistence is enabled. The real magic is in setting the snat addresses themselves. Client IP address bound to the snat address! You could optimize performance by manually keeping track of the array size to eliminate those operations, but the tradeoff is management.
There is a version of this same approach for snat persistence in the codeshare you can look at as well. So if you are in a pinch with what you have, iRules again to the rescue! Skip to Navigation Skip to Main Content. Login Sign up. Topics plus plus. Application Delivery.
What's Devcentral. Consider the scenario as shown in the drawing. The order of operation is thus: Check for persistence source IP persistence is set If there is no persistence record, make a load balancing decision Once the next hop is determined i. RemoteAdmin Inc v 1. Sort by:. Search this feed Skip Feed View This Post. May 15, at PM. Login to comment on this post. About DevCentral An F5 Networks Community We are an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together.
Get a developer Lab license. Contact us - Feedback and Help. Become an MVP. Follow Us. About F5 Corporate Information.A pool is a logical set of devices, such as web servers, that you group together to receive and process traffic.
A pool consists of pool members.
Cookies, Sessions, and Persistence
A pool member is a logical object that represents a physical node on the network. Once you have assigned a pool to a virtual server, the BIG-IP system directs traffic coming into the virtual server to a member of that pool.
An individual pool member can belong to one or multiple pools, depending on how you want to manage your network traffic. You can create three types of pools on the system: server pools, gateway pools, and clone pools. A server pool is a pool containing one or more server nodes that process application traffic.
The most common type of server pool contains web servers. One of the properties of a server pool is a load balancing method. For example, the default load balancing method is Round Robinwhich causes the BIG-IP system to send each incoming request to the next available member of the pool, thereby distributing requests evenly across the servers in the pool.
One type of pool that you can create is a gateway pool. A gateway pool is a pool of routers. An intrusion detection system IDS is a device that monitors inbound and outbound network traffic and identifies suspicious patterns that might indicate malicious activities or a network attack.
To configure a clone pool, you first create a pool of IDS or sniffer devices and then assign the pool as a clone pool to a virtual server. The clone pool feature is the recommended method for copying production traffic to IDS systems or sniffer devices. Note that when you create the clone pool, the service port that you assign to each node is irrelevant; you can choose any service port. Also, when you add a clone pool to a virtual server, the system copies only new connections; existing connections are not copied.
Persisting SNAT Addresses in Link Controller Deployments
You can configure a virtual server to copy client-side traffic, server-side traffic, or both:. An important part of managing pools and pool members is viewing and understanding the status of a pool or pool member at any given time. The BIG-IP Configuration utility indicates status by displaying one of several icons, distinguished by shape and color, for each pool or pool member:. At any time, you can determine the status of a pool.