CIS added irules cannot have "event disable all" #3371

Closed
alonsocamaro opened this issue Apr 9, 2024 · 3 comments

alonsocamaro commented Apr 9, 2024

Setup Details

CIS Version : 2.16.0
Build: f5networks/k8s-bigip-ctlr:latest
AS3 Version: NA
Agent Mode: AS3

Description

Using the ab_deployment_path_irule (in my case multi-cluster) calls event disable all; this creates the following TCP reset connection when adding a oneconnect profile:

Apr  9 06:22:33 bigip2.ocp.f5-udf.com info tmm[10372]: Rule /mc-onetier/Shared/mysite_com_80_ab_deployment_path_irule <HTTP_REQUEST>: pre: 41464
Apr  9 06:22:33 bigip2.ocp.f5-udf.com info tmm[10372]: Rule /mc-onetier/Shared/mysite_com_80_ab_deployment_path_irule <HTTP_REQUEST>: select_ab_pool: 41464 route_a_ocp2_8080_mc_onetier
Apr  9 06:22:33 bigip2.ocp.f5-udf.com info tmm[10372]: Rule /mc-onetier/Shared/mysite_com_80_ab_deployment_path_irule <LB_SELECTED>: 41464 /mc-onetier/Shared/route_a_ocp2_8080_mc_onetier 10.129.0.236 8080
Apr  9 06:22:33 bigip2.ocp.f5-udf.com info tmm[10372]: Rule /mc-onetier/Shared/mysite_com_80_ab_deployment_path_irule <LB_FAILED>: 41464 10.1.10.104 80
Apr  9 06:22:33 bigip2.ocp.f5-udf.com err tmm[10372]: 01230140:3: RST sent from 10.1.10.104:80 to 10.1.10.4:41464, [0x3056f2c:5263] No server selected

Please note that using a oneconnect profile is mandatory in BIG-IP in order to do per-request HTTP routing decisions on keep-alive connections.

The "event disable" code should be eliminated:

  • When not using oneconnect, the "event disable" code doesn't provide any advantage
  • When using oneconnect, the "event disable" code disables the oneconnect feature and in fact it frequently triggers the TCP reset as shown above.

At present CIS doesn't automatically add a default oneconnect profile and it should for any HTTP based configuration, otherwise it cannot appropriately do per-request routing on keep-alive connections.

Please consider applying a default oneconnect in upcoming CIS versions. This should have the following configuration:

ltm profile one-connect oneconnect-32 {
    app-service none
    defaults-from oneconnect
    source-mask 255.255.255.255
}

Otherwise HTTP routing decisions cannot be done when using keep-alive.

See the section "content switching" in https://my.f5.com/manage/s/article/K7208 for more details

Expected Result

  • Please eliminate "event disable all" in next patch release
  • Please consider adding oneconnect profile configuration by default in upcoming major releases

@alonsocamaro added bug, untriaged, no JIRA created labels Apr 9, 2024
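
An added triage example (not part of the issue and not CIS code): it correlates each "No server selected" RST in a tmm log with the iRule events logged for the same connection, so affected virtual servers can be identified. It assumes the number logged by the iRule is the client source port, as the quoted lines suggest; the second connection in the sample is constructed.

```python
import re

RULE_RE = re.compile(r"tmm\d*\[\d+\]: Rule (\S+) <([A-Z_]+)>: (.*)$")
RST_RE = re.compile(r"RST sent from (\S+) to ([\d.]+):(\d+), \[[^\]]*\] (.+)$")
PORT_RE = re.compile(r"(?:^|\s)(\d{1,5})(?:\s|$)")  # first bare number in the iRule message

IRULE = "/mc-onetier/Shared/mysite_com_80_ab_deployment_path_irule"
HOST = "Apr  9 06:22:33 bigip2.ocp.f5-udf.com"
# First five lines are the ones quoted in the issue; the 41500 lines are constructed.
SAMPLE_LOG = f"""\
{HOST} info tmm[10372]: Rule {IRULE} <HTTP_REQUEST>: pre: 41464
{HOST} info tmm[10372]: Rule {IRULE} <HTTP_REQUEST>: select_ab_pool: 41464 route_a_ocp2_8080_mc_onetier
{HOST} info tmm[10372]: Rule {IRULE} <LB_SELECTED>: 41464 /mc-onetier/Shared/route_a_ocp2_8080_mc_onetier 10.129.0.236 8080
{HOST} info tmm[10372]: Rule {IRULE} <LB_FAILED>: 41464 10.1.10.104 80
{HOST} err tmm[10372]: 01230140:3: RST sent from 10.1.10.104:80 to 10.1.10.4:41464, [0x3056f2c:5263] No server selected
{HOST} info tmm[10372]: Rule {IRULE} <HTTP_REQUEST>: pre: 41500
{HOST} info tmm[10372]: Rule {IRULE} <LB_SELECTED>: 41500 /mc-onetier/Shared/route_a_ocp2_8080_mc_onetier 10.129.0.236 8080
"""

def correlate_resets(log_text):
    """Return one finding per 'No server selected' RST, with the iRule events seen before it."""
    events = {}    # client port -> [(rule, event)]; the iRule lines carry no client IP
    findings = []
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule, event, rest = m.groups()
            port = PORT_RE.search(rest)
            if port:
                events.setdefault(port.group(1), []).append((rule, event))
            continue
        m = RST_RE.search(line)
        if m and m.group(4).strip() == "No server selected":
            vip, client, port, _ = m.groups()
            seen = events.pop(port, [])  # pop so a reused port starts a fresh history
            findings.append({
                "client": f"{client}:{port}",
                "virtual": vip,
                "rules": sorted({r for r, _ in seen}),
                "events": [e for _, e in seen],
                "lb_failed": any(e == "LB_FAILED" for _, e in seen),
            })
    return findings

if __name__ == "__main__":
    for f in correlate_resets(SAMPLE_LOG):
        print(f["client"], "->", f["virtual"], f["events"], f["rules"])
```

Because the iRule lines identify a connection only by port, two clients using the same source port in the same window will be merged; treat matches as leads to confirm on the BIG-IP.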

alonsocamaro commented Apr 15, 2024

So in short, oneconnect provides simultaneously:

  • per request processing (content switching)
  • connection pooling

and these cannot be independently enabled. Per request processing is required by modern apps IMHO.

@trinaths
Contributor

Created [CONTCNTR-4682] for internal tracking.

@trinaths trinaths added JIRA and removed untriaged no JIRA created labels Apr 23, 2024
@trinaths
Contributor

Fixed in 2.17. ETA early June'24
