Forum Discussion
HA Failover without session drops/failures
I know this was asked before, but I think things have changed since it was asked.
I have a web service application.
The configuration looks like: IPv4 Virtual is a passthru to IPv6 (using an iRule to select the IPv6 virtual). IPv6 virtual has Client/Server ssl profiles and HTTP profile. There is also an iRule for pool selection.
I put mirroring on the IPv4 virtual, added it to both the client/server ssl profiles and to the SNAT.
When I fail over, under load, the load generator gets lots of connection timeouts.
Running 11.6 HF1 on an 8900 FIPS device.
I'm at a bit of a loss as to what else I could be missing. I did get an error when trying to turn on connection mirroring on the SSL virtual:
Connection mirroring is not supported in combination with a Client SSL or Server SSL profile.
I thought that's what the new SSL mirroring feature was s'posed to address though.
ltm virtual myvirtual-ipv4-https-passthru-virtual {
    destination 1.1.1.1:https
    ip-protocol tcp
    mask 255.255.255.255
    mirror enabled
    profiles {
        tcp { }
    }
    rules {
        ipv4-to-ipv6-translation
    }
    source 0.0.0.0/0
}
ltm virtual myvirtual-ipv6-https-virtual {
    destination 1:1:1::1.https
    ip-protocol tcp
    profiles {
        tcp { }
        myvirtual-client-ssl-profile {
            context clientside
        }
        myvirtual-http-profile { }
        myvirtual-server-ssl-profile {
            context serverside
        }
    }
    rules {
        myvirtual-cs
    }
    source-address-translation {
        pool snat-pool
        type snat
    }
}
23 Replies
- R_Eastman_13667
Historic F5 Account
https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7216.html
Original Publication Date: 05/16/2007 Updated Date: 10/15/2014
You cannot currently mirror Secure Sockets Layer (SSL) connections that are terminated by the BIG-IP system. This would require the standby BIG-IP system to be aware of SSL session information that is negotiated between the client and the active BIG-IP system during the SSL handshake. SSL session information includes the following: the shared SSL key, the SSL session ID, the SSL cipher spec, and the SSL version.
If you enable connection mirroring for a virtual server that references a clientssl or serverssl profile, active connections being processed by the virtual server will be closed by the BIG-IP system when failover occurs. The BIG-IP system will send a TCP RST to the client when failover occurs, because the newly active BIG-IP system does not have the SSL connection in its connection table.
- shaggy
Nimbostratus
still looks like mirroring of terminated ssl is not supported in 11.6: https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7216.html
- R_Marc
Nimbostratus
According to this, it should be now, unless I'm reading it wrong: https://devcentral.f5.com/articles/the-top-ten-hardcore-f5-security-features-in-big-ip-116
Number 3: SSL Session Mirroring
Full SSL handshakes are computationally expensive. This is one of the reasons that enterprises use F5’s LTM as SSL decryption mechanisms. Suppose you are lucky enough to have a site with a lot of SSL traffic. What if something happens and your primary ADC stops receiving traffic and the secondary has to pick up all those active connections? You want the secondary to perform cheap resumption handshakes (based off a shared session ID cache) with all the clients instead of full handshakes. You can now share SSL session ID caches across traffic groups so that failovers won’t cause massive spikes in full SSL handshakes.
- shaggy
Nimbostratus
Can you provide the output of list ltm profile client-ssl clientssl all-properties? I don't have an 11.6 LTM at hand, but the ssl state mirroring feature could be similar to persistence mirroring where it's configured under the profile and is different than connection mirroring. You might also check the traffic-group configuration and system | general to see if it's a global setting.
- R_Marc
Nimbostratus
Sure. I just replicated on a VM version (to take FIPS out of the picture) and it fails the same way.
ltm profile client-ssl myvirtual-client-ssl-profile {
    app-service none
    authenticate always
    authenticate-depth 9
    ca-file CA.crt
    cert test-ssl-mirror.crt
    cert-key-chain {
        test-ssl-mirror_test-ssl-mirror {
            cert test-ssl-mirror.crt
            key test-ssl-mirror.key
        }
    }
    client-cert-ca PRD_MC_Production_Network_Applications_Root_CA.crt
    crl-file none
    defaults-from clientssl
    inherit-certkeychain false
    key test-ssl-mirror.key
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode request
    retain-certificate true
    session-mirroring enabled
}
ltm profile server-ssl myvirtual-server-ssl-profile {
    alert-timeout 10
    app-service none
    cache-size 262144
    cache-timeout 3600
    chain none
    ciphers DEFAULT
    defaults-from serverssl
    handshake-timeout 10
    mod-ssl-methods disabled
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require-strict
    server-name none
    session-mirroring enabled
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    strict-resume disabled
    unclean-shutdown enabled
}
- nitass
Employee
Have you enabled the statemirror.secure db variable?
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys db statemirror.secure
sys db statemirror.secure {
    value "disable"
}
By the way, I am not sure if it is compatible with vip-targeting-vip. Much appreciated if you could share the test result. 🙂
sol14180: The connection mirroring feature is not compatible with VIP-targeting-VIP configurations
https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14180.html
- R_Marc
Nimbostratus
Yup. You can't enable session mirroring on the ssl profile without it (it produces an error otherwise). I also tested going to the single vip, still didn't work.
- nitass
Employee
I also tested going to the single vip, still didn't work.
you mean ssl session mirroring (not ssl connection mirroring) does not work, don't you?
- R_Marc
Nimbostratus
I'm not sure what exactly is not working in this case, I only know that when I fail over I take a hit to in-flight transactions. That is what I'm trying to eliminate. I have an application that requires zero downtime (or as close to it as possible).
- nitass
Employee
I guess you need ssl connection mirroring. It is not ready yet but will be available through an 11.6.0 hotfix later.
- chuffaker_11557
Nimbostratus
SSL Connection Mirroring would be an enhancement that is HIGH on our list!
- ipman_1988_5418
Nimbostratus
Available in version 13
In BIG-IP 12.0.0 and later, you can configure the system to mirror Secure Socket Layer (SSL) connections that are terminated by the BIG-IP system to peer device group members. When you enable connection mirroring on a virtual server that references an SSL profile, the BIG-IP system mirrors SSL-specific data to the appropriate device group member. This preserves SSL connections when failover occurs.
The following configuration options are not supported for virtual servers configured to mirror SSL connections:
• HTTP profiles (12.0.0 - 12.1.2)*
• Server SSL profiles (12.0.0 - 12.1.2)*
• UDP profiles
• iRules (12.0.0 - 12.1.2)*
• Other L7 features
*Support for these configuration options is introduced in BIG-IP 13.0.0.
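Because the answer in this thread depends on the BIG-IP version, here is a small audit script, added as an example and not F5's code, that parses tmsh `list` output and reports which mirroring settings will not survive a failover. It encodes the rules quoted above: sol7216 for 11.x (R_Eastman's reply), the 12.0.0 - 12.1.2 limits that 13.0.0 lifts (ipman_1988_5418's reply), and the statemirror.secure prerequisite for session-mirroring that nitass raised. The embedded config is constructed from the original post, trimmed, with `mirror enabled` added on the IPv6 virtual as the poster attempted; the profile-type table, the version thresholds and the hotfix-stripping version parser are the script's own assumptions, and the "UDP profiles" and "other L7 features" items are not checked.

```python
"""Audit tmsh 'list' output for mirroring settings that will not survive a
BIG-IP failover. Added example for this thread, not F5 code: the version rules
are those quoted in the replies (sol7216, the 12.0.0 - 12.1.2 limits lifted
in 13.0.0, and the statemirror.secure db variable)."""
import re

# Default profiles; user profiles are learned from "ltm profile <type> <name>" blocks.
BUILTIN_PROFILE_TYPES = {"tcp": "tcp", "udp": "udp", "http": "http",
                         "clientssl": "client-ssl", "serverssl": "server-ssl"}

# Constructed sample: the poster's IPv6 virtual (trimmed) with "mirror enabled"
# added as the poster tried, its profiles, and the db variable from the thread.
SAMPLE_CONFIG = """
ltm virtual myvirtual-ipv6-https-virtual {
    mirror enabled
    profiles {
        myvirtual-client-ssl-profile {
            context clientside
        }
        myvirtual-http-profile { }
        myvirtual-server-ssl-profile {
            context serverside
        }
    }
    rules {
        myvirtual-cs
    }
}
ltm profile client-ssl myvirtual-client-ssl-profile {
    session-mirroring enabled
}
ltm profile server-ssl myvirtual-server-ssl-profile {
    session-mirroring enabled
}
ltm profile http myvirtual-http-profile { }
sys db statemirror.secure {
    value "disable"
}
"""


def parse_tmsh(text):
    """Nested dicts keyed by object header; 'key value' -> value, bare word -> None."""
    stack = [{}]                                  # stack[0] is the root object
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unexpected '}' in tmsh config")
        elif "{" in line and line.endswith("}"):  # inline block: "tcp { }", "options { x }"
            name, _, inner = line.partition("{")
            stack[-1][name.strip()] = {w: None for w in inner.rstrip("}").split()}
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"') if value else None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh config")
    return stack[0]


def version_tuple(version):
    """'11.6.0 HF1' -> (11, 6, 0): first three numbers, hotfix suffix ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def audit(config_text, version):
    """Return findings (strings) for the given BIG-IP version string."""
    cfg, ver = parse_tmsh(config_text), version_tuple(version)
    types, session_mirrored = dict(BUILTIN_PROFILE_TYPES), set()
    for header, body in cfg.items():
        parts = header.split()
        if parts[:2] == ["ltm", "profile"] and len(parts) == 4:
            types[parts[3]] = parts[2]
            if body.get("session-mirroring") == "enabled":
                session_mirrored.add(parts[3])
    secure = cfg.get("sys db statemirror.secure", {}).get("value") == "enable"
    findings = []
    for header, body in cfg.items():
        parts = header.split()
        if parts[:2] != ["ltm", "virtual"]:
            continue
        name, profiles = parts[2], body.get("profiles", {})
        kinds = {types.get(p, "unknown") for p in profiles}
        if not kinds & {"client-ssl", "server-ssl"}:
            continue      # no SSL termination: plain connection mirroring works on every version
        if body.get("mirror") != "enabled":
            findings.append(f"{name}: terminates SSL without connection mirroring; "
                            "in-flight connections drop on failover")
        elif ver < (12, 0, 0):
            findings.append(f"{name}: mirroring with a client-ssl/server-ssl profile is unsupported "
                            "before 12.0.0 (sol7216); clients get a TCP RST on failover")
        elif ver < (13, 0, 0):
            blocked = [label for label, present in (("HTTP profile", "http" in kinds),
                       ("server-ssl profile", "server-ssl" in kinds),
                       ("iRules", bool(body.get("rules")))) if present]
            if blocked:
                findings.append(f"{name}: SSL connection mirroring on {version} does not support "
                                + ", ".join(blocked) + " (supported from 13.0.0)")
        if profiles.keys() & session_mirrored and not secure:
            findings.append(f"{name}: session-mirroring is enabled on an SSL profile but "
                            "sys db statemirror.secure is not 'enable'")
    return findings
```

Feed it the concatenated output of `tmsh list ltm virtual`, `tmsh list ltm profile` and `tmsh list sys db statemirror.secure` saved to a file, e.g. `audit(open(path).read(), "12.1.2")`, and it returns one line per virtual that will lose SSL connections at failover on that release; an empty list means the mirrored virtuals fall within what the release supports.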