Forum Discussion
Kai_M__48813
Cirrus
Cirruscannot load balance security servers in our vdi environment
hi, all
we are faced with a problem, after deploying the vmvare view iapp to implement a vdi environment. Due to issues with 2 factor authentication, we decided to only loadbalance, so the bigip publication is loadbalancing directly towards 2 security servers, which then offloads to the connection servers.
The strange bit is, that each server works perfectly when in a single server mode, but when we add the second security server to the pools, we see that connections will be dropped, and only one server really processes the traffic correctly.
We have opened up for all required tcp/udp ports through our firewalls, otherwise the connections wouldnt work when we are running only one server.
Anyone else out there that has faced this similar scenario, or at least have some good advice for me?
If the servers use stateful information (seems likely) and do not sync this between each other, you probably need to ensure that sessions are "sticky" or "persistent" (i.e. all requests for a specific session go to the same pool member). Using source ip persistence on the pool would be a good way to test if this works for you and then you can work to make the persistence more specific to your application (via cookie hash or universal persistence etc) after that.
If the servers use stateful information (seems likely) and do not sync this between each other, you probably need to ensure that sessions are "sticky" or "persistent" (i.e. all requests for a specific session go to the same pool member). Using source ip persistence on the pool would be a good way to test if this works for you and then you can work to make the persistence more specific to your application (via cookie hash or universal persistence etc) after that.
- The iApp should create and assign a source persistence profile to your VS, but certainly verify that is the case. I would also double check both View servers are set to direct traffic (at least ssl/Secure Tunnel traffic) to the FQDN used to resolve back to your BIG-IP VS address.
Kai_M__48813thanks for the replies...we are indeed using persistence profiles, as this is set up by the iApp. From what we are seeing, the problem could relate to our two factor authentication. We are using Duo Security, and the admin removed this from the connection servers, which are used as duo security proxies, and it is now working, according to him, This needs ofcourse to be verified, and replicated again, but we could be on to something here.
