For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gus_Thompson_11's avatar
Gus_Thompson_11
Icon for Nimbostratus rankNimbostratus
Oct 29, 2007

Cookie Persistence iRule help

Greetings,     I’m in desperate need of a solution for “Cookie Insert” persistence. I have worked with F5 support for over a month now, and still have not been able to resolve our issues. So, ...
application delivery
dev
devops
iRules
dennypayne's avatar
dennypayne
Icon for Employee rankEmployee
Oct 29, 2007
What David is saying is that if your HTTPS virtual server points to a pool that has pool members using 443 as well, without any client and/or server side ssl profiles enabled, then cookie insert will never work regardless of whether "match across" is a factor or not. If that is the case, then BIG-IP is not doing any decryption and is passing SSL all the way to the webservers. It cannot insert any cookie into that stream.

 

 

For any sort of cookie persistence to work with HTTPS traffic, you must be using a clientssl profile on your HTTPS vip and have it point to a pool using port 80, or you must also use a serverssl profile to re-encrypt and send to the pool on 443. That's the only way that BIG-IP can do anything with cookies on an HTTPS stream; it has to be decrypting the SSL using a clientssl profile (re-encrypting on the back end is optional but it sounds like that's what you want so you also need a serverssl profile).

 

 

Denny