Forum Discussion

Kai_M__48813's avatar
May 28, 2015

cannot load balance security servers in our vdi environment

hi, all

 

we are faced with a problem, after deploying the vmvare view iapp to implement a vdi environment. Due to issues with 2 factor authentication, we decided to only loadbalance, so the bigip publication is loadbalancing directly towards 2 security servers, which then offloads to the connection servers.

 

The strange bit is, that each server works perfectly when in a single server mode, but when we add the second security server to the pools, we see that connections will be dropped, and only one server really processes the traffic correctly.

 

We have opened up for all required tcp/udp ports through our firewalls, otherwise the connections wouldnt work when we are running only one server.

 

Anyone else out there that has faced this similar scenario, or at least have some good advice for me?

 

  • If the servers use stateful information (seems likely) and do not sync this between each other, you probably need to ensure that sessions are "sticky" or "persistent" (i.e. all requests for a specific session go to the same pool member). Using source ip persistence on the pool would be a good way to test if this works for you and then you can work to make the persistence more specific to your application (via cookie hash or universal persistence etc) after that.

     

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account

    If the servers use stateful information (seems likely) and do not sync this between each other, you probably need to ensure that sessions are "sticky" or "persistent" (i.e. all requests for a specific session go to the same pool member). Using source ip persistence on the pool would be a good way to test if this works for you and then you can work to make the persistence more specific to your application (via cookie hash or universal persistence etc) after that.

     

    • Greg_Crosby_319's avatar
      Greg_Crosby_319
      Historic F5 Account
      The iApp should create and assign a source persistence profile to your VS, but certainly verify that is the case. I would also double check both View servers are set to direct traffic (at least ssl/Secure Tunnel traffic) to the FQDN used to resolve back to your BIG-IP VS address.
    • Kai_M__48813's avatar
      Kai_M__48813
      Icon for Cirrus rankCirrus
      thanks for the replies...we are indeed using persistence profiles, as this is set up by the iApp. From what we are seeing, the problem could relate to our two factor authentication. We are using Duo Security, and the admin removed this from the connection servers, which are used as duo security proxies, and it is now working, according to him, This needs ofcourse to be verified, and replicated again, but we could be on to something here.