Forum Discussion

2funky_105078's avatar
Jul 25, 2014

Cookie with HTTP to HTTPS connections and the need of OneConnect

Hello,

 

We need to preserve COOKIE styckyness once the client is switching from HTTP to HTTPS and viceversa using the same VIPS (only the ports 443-80 are different of course) and the Nodes IPs behind as well.

 

BIGIP stanadrd cookie is based on IP address and port (i.e. pool member), so it cannot be used to stick to the same node. Instead, we can use this iRule to generate a UIE COOKIE based only on the node IP: https://devcentral.f5.com/wiki/iRules.HttpToHTTPsCookiePersistence.ashx

 

But this is still not working!! even when we browse at HTTP level without switching to HTTPS. In the sniffer traces taken on the LTM i clearly see that the client always sends the "bIPs" COOKIE generated by the LTM, so it should stick to the same sever behind, right?

 

So finally we were suggested to enabled OneConnect to both HTTP/HTTPS VIPs due to the fact that Persistence is not working sometime when HTTP Keepalive is active.

 

https://support.f5.com/kb/en-us/solutions/public/7000/900/sol7964.html

 

I am not clear why do we need OneConnect. Why LTM does not persist in case HTTP keepalive is enabled? We cannot use OneConnect as we had some issues with the application, so we are stuck..

 

  • We are in a similar situation. We are trying to split traffic via a load balancing method but then ensure that persistence is working over BOTH HTTP / HTTPS VIPs and their respective pool members (80 / 443 ports).

     

    Do care point in the right direction in getting this accomplished?

     

    Much thanks!

     

    Thanks.

     

  • Or in other words, based on SOL7964, if you use HTTP 1.1 Keepalive and COOKIE (UIE or standard), you need to configure either OneConnect or LB:detach to be sure that stickiness is preserved, right? I thought that OneConnect/LB:detach were merely used to make a LB decision at L7, not to enforce stickiness.... i am a bit confused.. :)