Forum Discussion
Cookie Insert Issue
I am having some issue with cookie persistence and am wonderign if anyone has experience with using cookie persistence when an ISA is reverse proxying the connection. It seem that If I go directly to the F5 VIP I get the cookie inserted, but if I go throught the ISA as a client would the F5 cookie never makes through. I am not to familiar with the ISA servers as our MS team handles them but they swear it is not the ISA. I am sure it is the ISA dropping the cookie, but was wondering if anyone has seen this and is and can help point me in the right direction.
Here is a basic diag of our config so you get the idea.
internet==>ISA==>F5==>App
hoolioCirrostratus
Sounds like a job for Deb's very informative OneConnect tech tip:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=114
Click here
In particular, note the comment at the bottom of the tip. Because there is a proxy directly in front of the LTM, many HTTP requests are probably made over the same TCP connection.
Aaron- JRahm
Admin
Take a capture on the F5 interface facing the ISA and check the http traffic for your cookie. I'd also recommend taking a capture in front of the ISA to make sure the cookie is making it to the ISA so you don't point the finger blindly.
Assuming you're facing the ISA on int 1.1:
tcpdump -ni 1.1 -w/var/tmp/isolate_cookie_issue.cap tcp -s 0 - Very interesting reading, and it totaly makes sense that this would help. I just played around a bit applying a oneconnect profile to this VIP and unfortunatly this made no apparent diffrence.
- hoolioThat's odd...
Citizen's suggestion for checking whether the cookie is being set by BIG-IP would make sense then.
Else, as it's windows, just ask them to reboot the ISA box and see if that fixes it...lol
Aaron - Well when I change my host file to point to the VIP in between the ISA and the F5 I get the Cookie served up every time and when I change it to point at the ISA VIP I do not get the cookie, so it seemed pretty cut and dry with no real need to look at tcpdumps. I will probably do a captuer on the ISA side to be sure, but no real reason it would not be there.
- I have done some more testing and the cookie is getting to the ISA server but not past it, and it is only the F5 cookie that the ISA seems to drop. Not getting alot of help from our ISA team the responce is it is ISA 2000 so it won't work. I don't quite believe this and think maybe it is not passing based on some configuration on the ISA. Anyone seen anything like this?
- hoolioI haven't heard of any issues with ISA dropping F5 cookies. But you could try to narrow down what it is about the cookies that is causing the problem.
Is it just the persistence cookie that ISA is dropping? If so, are there any notable differences between the cookies ISA keeps and drops (cookie value length, cookie value characters, cookie properties, etc)?
Does it happen on every response?
If you use an iRule to rewrite the persistence cookie to a short string like abcd does ISA still drop the cookie? What about if you set additional properties like secure, or httpon, etc?
Can you get any debug info from the ISA server?
Aaron - Thanks for the suggestions.
sravan_87037Nimbostratus
I am also facing the same issue, stjbrown can you tell me, on how did you solve this issue
