Forum Discussion
Kenny_Van_73892
Nimbostratus
May 11, 2007
Different persistence each pool under a single virtual server
I'm hitting the wall with persistence in version 9.4. In version 4.6, I can set different persistence for each pool such as SSL persistence for pool A, Simple persistence for pool B, and None for poo...
hoolio
Cirrostratus
May 15, 2007
You should be able to set the different persistence methods in the HTTP_REQUEST event. This allows you to make per-HTTP request decisions on which persistence method to use.
However, trying to use SSL session ID persistence in this context won't work. SSL persistence can only be used when the BIG-IP does not decrypt the traffic:
https://tech.f5.com/home/bigip-next/manuals/bigip9_2/bigip9_2config/BIG_IP9_2ConfigGuide-10-1.html
SSL persistence
SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID. Even when the client's IP address changes, the LTM system still recognizes the connection as being persistent based on the session ID. Note that the term non-terminated SSL sessions refers to sessions in which the LTM system does not perform the tasks of SSL certificate authentication and encryption/re-encryption. To enable persistence for terminated SSL sessions, see Chapter 7, Managing SSL Traffic and Chapter 13, Writing iRules.
And from SOL3062:
https://tech.f5.com/home/solutions/sol3062.html
You can only use SSL persistence with nodes that are running SSL, where BIG-IP load balances only encrypted traffic. You cannot use SSL Persistence with SSL connections that are terminated by BIG-IP.
If the BIG-IP terminates the SSL connection, the SSL session ID is removed before the connection is directed to a pool. As a result, the pool sees the connection as a regular HTTP connection, which does not contain an SSL Session ID.
If the BIG-IP is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.
If you are decrypting the traffic, you could persist on the SSL session ID using the session table or persist uie. Try searching the forum for "SSL::sessionid" for some examples.
Aaron
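An added example, not part of the original posts, of the approach described in the reply above: one virtual server selects a pool per HTTP request and applies a different persistence method to each, keying universal persistence on the client-side SSL session ID because the BIG-IP terminates SSL. The pool names (pool_a, pool_b, pool_c), URI prefixes and 1800-second timeouts are assumptions, as is a client SSL profile on the virtual server.

```tcl
# Added example: pool names, URI prefixes and timeouts are assumptions.
# Assumes the virtual server has a client SSL profile, so the BIG-IP
# terminates SSL and the native SSL persistence method cannot be used.

when CLIENTSSL_HANDSHAKE {
    # Capture the client-side SSL session ID once per handshake.
    set ssl_sid [SSL::sessionid]
}

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/secure*" {
            # Pool A: persist on the SSL session ID through universal persistence.
            pool pool_a
            if { [info exists ssl_sid] && $ssl_sid ne "" } {
                persist uie $ssl_sid 1800
            } else {
                # No session ID was captured: fall back to source address.
                persist source_addr 255.255.255.255 1800
            }
        }
        "/app*" {
            # Pool B: simple (source address) persistence.
            pool pool_b
            persist source_addr 255.255.255.255 1800
        }
        default {
            # Pool C: no persistence, every request is load balanced.
            pool pool_c
            persist none
        }
    }
}
```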
