aflex script requirement to evaluate host status

bseppanen Member
edited September 2021 in aFleX

I am working on load balancing radius auth/acct to two MS NPS servers. The load balancing works and with radius there is a need to persist a radius client with the server that it happens to communicate with. The starting point for that is an aflex script found at https://a10support.force.com/customers/articles/KB/Radius-AVP-persistence-with-aFleX/p . The persistence works well, but the problem occurs if the radius server it happens to be talking to goes down. I am new to aflex and would like to find a means of evaluating host status in the aflex script and clear the persistence for that/all session(s) if there is a host change.

Would this be possible? I've only started looking for the resources, so any pointers appreciated.

Are there any libraries that might be available to easily do this?


Thanks

Comments

  • jserrano Member ✭✭

    Hi,

    Server status is always evaluated before any persistence record whenever a new connection arrives, so I don't believe this is a persistence issue. After server selection, when the session gets established, it might happen that the server goes down and you are not re-balancing the UDP flow upon failure.

    I would just make sure:

    1) You define vPort as Radius and not raw udp so the A10 is transaction aware:

    !
    slb virtual-server www.a10networks.int 10.108.131.100
     port 1812 radius
       template udp Radius


    2) You create a udp template with the "re-select-if-server-down" option marked. Optionally you can set an aggressive aging to drain session entries faster from memory.

    !
    slb template udp Radius
     aging short
     re-select-if-server-down
    !


    And, of course, you can use any aFleX logic to steer and/or persist traffic based on any AVP pattern. This is an example where the username is used as the persistence token and a regex is used to select a backend based on its format:


    when CLIENT_DATA {
      # AVP 1 is User-Name; it serves as the persistence token
      set username [RADIUS::avp 1]
      log "Got Username AVP: $username"
      # Pick the pool from the format of the username
      switch -regexp $username {
        {^\d{8}\w?$} {
          pool Pool_A_1812
          log "dni: $username > Pool_A_1812 : [LB::server name]"
        }
        {^[a-zA-Z]+[a-zA-Z0-9]*$} {
          pool Pool_madrid_1812
          log "username: $username > Pool_B_1812 : [LB::server name]"
        }
        default {
          pool Pool_CPPM_1812
          log "default: $username > Pool_CPPM_1812 : [LB::server name]"
        }
      }
      # Persist on the username with a timeout of 60
      persist uie $username 60
    }




    Hope this helps!


    Regards

  • In our case we have implemented a direct server return, so I don't believe the radius option vs just using udp would provide any additional benefits.

    slb virtual-server radius.vip1 x.x.x.x
     port 1812 udp
       message-switching
       aflex radius-persist
       service-group radius.udp.1812
       template udp select-host
       no-dest-nat
     port 1813 udp
       message-switching
       aflex radius-persist
       service-group radius.udp.1813
       template udp select-host
       no-dest-nat


    The problem seems to have been due to the health-check being disabled for the host.
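
The following is an added illustration, not A10 code and not posted by anyone in this thread: a simplified Python model of the behaviour described above (status checked before the persistence record, re-selection of an existing flow only when "re-select-if-server-down" is set, and a host with its health check disabled never being seen as down). The server names, the flow key, the token and the "first available server" selection are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    name: str
    alive: bool = True          # real state of the RADIUS server
    health_check: bool = True   # False models a host with the health check disabled

    def seen_up(self) -> bool:
        # Without a health check the balancer never learns the host is down.
        return self.alive if self.health_check else True

@dataclass
class Balancer:
    servers: list
    reselect_if_down: bool = True                 # models re-select-if-server-down
    persist: dict = field(default_factory=dict)   # persistence token -> Server
    sessions: dict = field(default_factory=dict)  # client flow -> Server

    def _select(self, token):
        # Server status is evaluated before the persistence record is honoured.
        rec = self.persist.get(token)
        if rec is None or not rec.seen_up():
            up = [s for s in self.servers if s.seen_up()]
            if not up:
                return None
            rec = up[0]                           # assumption: first available server
            self.persist[token] = rec
        return rec

    def forward(self, flow, token):
        # An existing flow stays on its server unless re-selection is enabled
        # and the balancer sees that server as down.
        srv = self.sessions.get(flow)
        if srv is None or (self.reselect_if_down and not srv.seen_up()):
            srv = self._select(token)
            if srv is None:
                return None
            self.sessions[flow] = srv
        return srv.name

def scenario(health_check, reselect):
    """Return the server used before and after nps1 fails mid-session."""
    a = Server("nps1", health_check=health_check)
    b = Server("nps2", health_check=health_check)
    lb = Balancer([a, b], reselect_if_down=reselect)
    first = lb.forward("nas1:1645", "alice")      # constructed flow and token
    a.alive = False                               # nps1 goes down
    return first, lb.forward("nas1:1645", "alice")
```

Only the combination of an active health check and re-selection moves the client to the surviving server; with the health check disabled the persistence record keeps pointing at the failed host.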
