
Forum Discussion

Dennis_Zwahlen_ (Nimbostratus)
Apr 29, 2005

Emulate SSL persistence profile for LTM terminated SSL

What do I need to account for in my iRule to emulate the ssl persistence profile? We need to find a way to keep sticky connections when the ssl is terminated on the LTM. Any help is greatly appreciated.

14 Replies

  • Wow, I guess I'm even more confused then. The rule calling SSL:current_sessionID is in the rule I currently have deployed on my test BigIP v.9 unit, and it does not give a syntax error. Are you sure current_sessionID is not valid?

    The BigIP v.9 manual specifically states that the ssl persistence profile will not work on terminated SSL (ssl proxy). That's why I'm trying to use a rule to establish the persistence.

    I don't need the sessionID in the header except as a way to perform persistence, so if the ssl persistence profile really will work, then I'll stick with that.

    Any idea why the manual says the profile will not work for LTM-terminated ssl sessions?
  • unRuleY_95363 (Historic F5 Account)
    This is perhaps a leftover from the initial v9.0 release where SSL persistence was not correctly supported when the LTM terminated the ssl session (instead you need to use an iRule). However, in v9.0.1 this was addressed and obviously the manual was never updated.

  • Good to know, thank you. I'll use the easier road then, and stick with the ssl persistence profile.
  • drteeth_127330 (Historic F5 Account)
    I investigated the renegotiation issue further. I'm sorry to say that SSL persistence will not track renegotiations (or re-handshakes) even if SSL is terminated on the BIG-IP. I have filed a bug report on this problem. I was hoping to provide you with an iRule work-around using the CLIENTSSL_HANDSHAKE rule event. Unfortunately, this event is only raised for the initial handshake. I have filed an enhancement request to raise it on all handshakes. Thank you for bringing this to our attention. We will take steps to correct it in a future release.