Forum Discussion
How to force close TLS sessions in a failover scenario
Hi,
We have an application behind Big-IP which doesn't handle failovers well.
The Big-IP keeps all TLS sessions consistent and open during failover but the application doesn't support TLS resume for a session and this causes problems in the app.
I'm looking for a way to close TLS sessions for a specific VS in a failover scenarios.
We're on version 16.1.4.1
Any suggestions?
Thanks
Jonathan_c If you're performing SSL termination on the F5 you should be able to do this by going into the SSL profile and disabling session mirroring. You will have an issue if this profile is used across multiple VS and only need to do this on one of them but you can always create a copy of that SSL profile and name it something slightly different so that it will only be for this one VS in question. If you do not have SSL termination you can go into the virtual server and disable connection mirroring. These two are outlined in this article.
- zamroni777Nacreous
the ideal and proper solution is using proper health monitor configurations and server side SSL profile.
if your app servers can't support tls resume, then you need to disable resume in server side ssl ssl profile.
f5 health monitor can be configured to read http response body and etc.
additionally, you can put multiple health monitor into a pool. - Jonathan_cCirrus
Paulius I do perform SSL termination for client side and also use SSL for server side.
But on both SSL profiles we already have the mirroring feature disabled...
zamroni777 by disabling resume you mean enabling the "Strict Resume" feature in the SSL server side profile?
Do I also do enable it on the client side profile?
- zamroni777Nacreous
plus Session Ticket.
https://my.f5.com/manage/s/article/K14806you can keep resume enabled in client side ssl profile as ltm handled it independently to server side ssl.
you can create test server ssl profile and use it for test pool.
then do tcpdump to see the impact of the config to the ssl session setup messages.
- Jonathan_cCirrus
zamroni777 Hi, would realy appreciate your input on my last question.
Thanks 🙂
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com