Forum Discussion
dave_jensen_201
Nimbostratus
NimbostratusF5 Persistence SSL (Pass-through) Safari Browser Issue
I hope everyone is doing well. We have an odd issue with traffic through our F5. Let me start by saying that SSL and session for our website works just fine through IE8/IE7, Firefox/Mozilla, Chrome, Opera.
Basically we have a number of servers in our web farm, our website establishes session in two ways, SSL session ID through the IIS/F5 where a user is bound to a server, and the session that gets created with our own application as the user logs in.
Long story short, when a user accesses our site via Safari the SSL session is not working. They are bounce around all servers making it impossible for our application session to remain. We use inproc session in our .net website (no database) and our users on Safari are having an extremely poor experience.
Any help that you can provide is appreciated. I read a post about SSL Pass Through and OneConnect being enabled at the same time causing problems with page display but these users are not having issues with page display, just session.
Let me know if you need any details and I'll get them. I didn't configure this LTM but I am familiar with it.
Thanks,
- Dave
17 Replies
dave_jensen_201Those of you that are looking, does my problem even make sense or are you reading this and going away confused. I'm getting pressure from all angles to figure this out so your help is greatly appreciated. I'm not ready to open a ticket yet because I know you're all so smart... =)
hoolioCirrostratus
Hi Dave,
As a stop gap measure, can you add a fallback persistence profile of Source Address?
The question makes sense--I'm just not sure what would cause this. Maybe Safari is constantly re-negotiating the SSL session? ssldumps of a failure would help.
I'd suggest opening a case with F5 Support on this, as it will probable require analysis of your exact LTM config and tcpdumps of a few failures.
Aaron- dave_jensen_201Thanks for responding Aaron. I'll get that information together and post it here and open a ticket with F5 Support.
- Dave 
HamishCirrocumulus
If you can, try attaching an iRule to the VS and show the [SSL::sessionid] for each request... See if it really is changing... That way you'll know better where to focus your efforts.
H- dave_jensen_201I'm trying to get the iRule setup to log the SSL:sessionid logged and am running into issues. I assume that I may be told to go to the iRule forum but since it was brought up here, perhaps you all could cut me a break on this one... I'm new to iRules and I'm not sure where to start to log the SSL::sessionid. I have the Editor and I'm taking some stabs in the dark but believe am failing miserably...
Any help is greatly appreciated.
- Dave - dave_jensen_201By way of what I've tried:
when SERVER_CONNECTED {
log local0. "SSL sessionid is: [SSL::sessionid]"
}
This never gets executed.
when CLIENT_ACCEPTED {
log local0. "SSL sessionid is: [SSL::sessionid]"
}
Also never gets executed.
Thanks in advance.
- Dave - dave_jensen_201when HTTP_REQUEST {
log local0. "SSL sessionid is: [SSL::sessionid]"
}
Never executed...
Thanks,
- Dave 
naladar_65658Altostratus
You might try referring to this URL for info on logging the SessionID:
http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__sessionid.html
Looks like it sticks it in the headers for you, so you can use http watch or something similar to check out what is getting put in there.- dave_jensen_201Thanks naladar. I'll post if that works.
- Dave - dave_jensen_201I'm still in the same boat. No matter how I skin this my iRule does not get executed.
I'll take this over to iRules.
Thanks,
- Dave
