For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dennis_Zwahlen_'s avatar
Dennis_Zwahlen_
Icon for Nimbostratus rankNimbostratus
Apr 29, 2005

Emulate SSL persistenc profile for LTM terminated SSL

What do I need to account for in my iRule to emulate the ssl persistence profile? We need to find a way to keep sticky connections when the ssl is terminated on the LTM. Any help is greatly apprecia...
application delivery
dev
devops
iRules
drteeth_127330's avatar
drteeth_127330
Historic F5 Account
May 10, 2005
I think I can help. First, there is no such command as SSL::current_sessionid in BIG-IP 9.x. SSL::sessionid returns the negotiated session id encoded as a hex string. SSL::modssl_sessionid_headers takes two subcommands, initial or current. 

SSL::modssl_sessionid_headers initial
returns the list { SSLClientSessionId } where is the session id requested by the client. 

SSL::modssl_sessionid_headers current
returns the list { SSLClientCurrentSessionId } where is the session id that is actually used, i.e. the one returned by the server.

These lists are intended for use by HTTP::header insert.

Now, most of your rules are syntax errors since SSL::current_sessionid is not a valid command and persist uie requires an argument. Are you trying to persist on the SSL session id or are you attempting to insert the session id as an HTTP request header?

To persist on the SSL session id, configure a persistence profile for SSL session id persistence and assign it to the virtual. If this is the only persistence profile on the virtual, then there is no need for an iRule. The uie example that I provided earlier should work, but it's not necessary. I was confused by your question about emulating the persistence profile in a rule. The interesting point is that just about any persistence mode can be emulated with a UIE rule. I hope this helps...