For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

R_Marc's avatar
R_Marc
Icon for Nimbostratus rankNimbostratus
Oct 31, 2014

HA Failover without session drops/failures

I know this was asked before, but I think things have changed since it was asked. I have a web service application. The configuration looks like: IPv4 Virtual is a passthru to IPv6 (using an i...
application delivery
LTM
R_Eastman_13667's avatar
R_Eastman_13667
Historic F5 Account
Oct 31, 2014

https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7216.html

 

Original Publication Date: 05/16/2007 Updated Date: 10/15/2014

 

You cannot currently mirror Secure Sockets Layer (SSL) connections that are terminated by the BIG-IP system. This would require the standby BIG-IP system to be aware of SSL session information that is negotiated between the client and the active BIG-IP system during the SSL handshake. SSL session information includes the following: the shared SSL key, the SSL session ID, the SSL cipher spec, and the SSL version.

 

If you enable connection mirroring for a virtual server that references a clientssl or serverssl profile, active connections being processed by the virtual server will be closed by the BIG-IP system when failover occurs. The BIG-IP system will send a TCP RST to the client when failover occurs, because the newly active BIG-IP system does not have the SSL connection in its connection table.