Forum Discussion
Raymond_Feng_97
Jul 20, 2006
Historic F5 Account
How to persist clients when using BIG-IP to load balance FirePass
There are two problems when using BIG-IP to load balance FirePass:
1> For ADSL clients, when the user logs on to the FirePass and his ADSL line drops and reconnects, the client IP address changes. If the client connects to only one FirePass, the client's SSL ID does not change even though the client address has changed, so our FirePass lets the client stay connected without logging on again. When using BIG-IP to load balance FirePass, we cannot use source-IP persistence; only SSL persistence can keep the client on the original FirePass.
2> For IE clients, when they log on to the FirePass, wait some minutes, and then click the VPN tunnel, the client's SSL ID may change (they logged on to the FirePass using SSL ID aaa, but the VPN tunnel may be established using SSL ID bbb). When the client connects directly to the FirePass there is no problem, since when IE changes the SSL ID there is still some communication between the client and the FirePass. But when we use BIG-IP to load balance FirePass, the client still communicates with the original FirePass it logged on to, but when it uses the new SSL ID to connect to the VS on the BIG-IP, if our BIG-IP uses SSL-ID persistence we treat this as a new user and send it to another FirePass. For this problem, we need to use source address as the persistence method.
According to the above, when we use BIG-IP to load balance FirePass, we need to combine source-IP and SSL persistence together, because these two cases may happen at the same time. That means we need an iRule to do persistence:
1> When a new client connection comes in, we record both the SSL ID and the source IP in the persistence list;
2> When a client connection comes in again, we first search the persistence list for the SSL ID. If the SSL ID is in the list, we send the client to the persisted server. This resolves the ADSL reconnect user. Second, if the SSL ID is not in the list, we search the persistence list for the source IP. If we find it in the list, we send the client to the persisted server. If not, we then load balance.
That's the iRule we need!!
Somebody said we can use BIG-IP v9 preferred and fallback persistence, setting the preferred persistence to SSL and the fallback persistence to source address. But actually it can't resolve problem 1, because it records SSL OR source address, not SSL AND source address.
6 Replies
- Nat_Thirasuttakorn
Employee
This might be too late a reply...
However, if you still need the answer, you may try this iRule.
To use this iRule:
- just follow the normal procedure and enable cookie persistence
- no need to enable SSL ID or source IP persistence
=====================================================
when RULE_INIT {
    # Lifetime (seconds) of the universal (uie) persistence records keyed on the FirePass session id
    set ::tmout 3600
}
when CLIENT_ACCEPTED {
    # Per-connection flag; a plain local set in RULE_INIT is not visible in connection events
    set ssl_handshake 0
}
when CLIENTSSL_HANDSHAKE {
    set ssl_handshake 1
}
when CLIENTSSL_CLIENTCERT {
    set ssl_handshake 1
}
when HTTP_REQUEST {
    set http_disable 0
    # FirePass session cookie; empty until the user has logged on
    set sid [HTTP::cookie "MRHSession"]
    if { $ssl_handshake == 1 } {
        # First request after a handshake: tell FirePass that SSL was terminated on the BIG-IP
        HTTP::header replace "BIGIP" "on"
        HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"
        HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"
        HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
        set ssl_handshake 0
    }
    # Ordinary browser requests rely on the cookie persistence profile on the virtual server.
    # The tunnel paths carry no cookie: the session id is in the sess= query parameter and is
    # looked up in the uie table filled by HTTP_RESPONSE below. Once the tunnel is up the
    # stream is no longer HTTP, so HTTP processing is switched off for that connection.
    if { [HTTP::uri] starts_with "/myvpn" || [HTTP::uri] starts_with "/tunnel" } {
        set sid [findstr [HTTP::uri] "sess=" 5 "&"]
        persist uie $sid $::tmout
        set http_disable 1
    }
}
when HTTP_REQUEST_SEND {
    if { $http_disable != 0 } {
        HTTP::disable
    }
}
when HTTP_RESPONSE {
    # FirePass sets MRHSession on logon; record which member issued it
    set sid [HTTP::cookie "MRHSession"]
    if { $sid != "" && $sid != "deleted" } {
        persist add uie $sid $::tmout
    }
}
=====================================================
Nat
- Raymond_Feng_97
Historic F5 Account
Thanks, Nat
I think you know what I want. By now, I just use SSL ID for the preferred persistence and source IP for the fallback persistence on the BIG-IP. But this solution can't 100% resolve the problem.
Sorry, I have read the iRule but don't clearly understand it. Can you give some notes? Thanks.
- blacksan_10396
Nimbostratus
We are also migrating our FirePass from internal clustering to BIG-IP and have the same issue with roaming SSL VPN users over multiple IP addresses.
So with this new iRule, how do I set up my persistence settings?
Local Traffic >> Virtual Server >> Profile
Default Persistence Profile: FirePassCookie-http-insert
Fallback Persistence Profile: None or Source_Addr?
I would still like to use source_addr persistence for PDA / cookie-less devices but not for roaming users.
So far our experience tells us that the default cookie persistence is not working at all with the original iRule from the F5 website. If we set the fallback persistence to none, we get no persistent connections in the statistics table and user traffic hits all FirePass nodes.
- Nat_Thirasuttakorn
Employee
My friend from Australia gave me feedback to enhance this iRule (he did the iRule for FirePass SSL offload quite some time ago but did not post it to the forum).
I modified my iRule as below.
You may add
    if { $sid == "" } {
        set sid [findstr [HTTP::uri] "S=" 2 "&"]
    }
to support cookie-less clients.
Regarding how to configure it... BIG-IP is very flexible; there are multiple options you can use.
I chose this way for my iRule:
- I don't configure any persistence profile
- I add persistence by source IP as an alternative persist if no sid is detected
- source IP persistence is added to the table by the iRule
* I have not tested much... so please feel free to give feedback if you find any error...
Nat
==============================================================
when RULE_INIT {
    # uie persist table timeout (seconds); adjust as appropriate
    set ::tmout 3600
    # Separate, shorter timeout for source-IP persistence; assumes that if no
    # session id is available, the source IP is an acceptable key
    set ::tmout2 600
}
when CLIENT_ACCEPTED {
    # Per-connection flag; a plain local set in RULE_INIT is not visible in connection events
    set ssl_handshake 0
}
when CLIENTSSL_HANDSHAKE {
    set ssl_handshake 1
}
when CLIENTSSL_CLIENTCERT {
    set ssl_handshake 1
}
when HTTP_REQUEST {
    set http_disable 0
    set sid [HTTP::cookie "MRHSession"]
    # Support cookie-less clients: FirePass puts the session id in the S= query parameter
    if { $sid == "" } {
        set sid [findstr [HTTP::uri] "S=" 2 "&"]
    }
    if { $ssl_handshake == 1 } {
        # First request after a handshake: tell FirePass that SSL was terminated on the BIG-IP
        HTTP::header replace "BIGIP" "on"
        HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"
        HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"
        HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
        set ssl_handshake 0
    }
    # Detect the session id in the SSL VPN tunnel traffic. It has no cookie,
    # but there is a session id at the beginning of the session (which is ppp).
    # Once the tunnel is up the stream is no longer HTTP, so HTTP processing is switched off.
    if { [HTTP::uri] starts_with "/myvpn" || [HTTP::uri] starts_with "/tunnel" } {
        set sid [findstr [HTTP::uri] "sess=" 5 "&"]
        set http_disable 1
    }
    if { $sid != "" } {
        # Session id known: universal persistence keyed on it
        persist uie $sid $::tmout
    } else {
        # No session id yet (before logon): fall back to the client address
        persist source_addr [IP::client_addr] $::tmout2
    }
}
when HTTP_REQUEST_SEND {
    if { $http_disable != 0 } {
        HTTP::disable
    }
}
when SERVER_CONNECTED {
    # Bind the client address to the selected member on every new server-side
    # connection, so later cookie-less requests from that address follow it
    persist add source_addr [IP::client_addr] $::tmout2
}
# These lines create the uie persist table entries
when HTTP_RESPONSE {
    set sid [HTTP::cookie "MRHSession"]
    if { $sid != "" && $sid != "deleted" } {
        persist add uie $sid $::tmout
    }
    # Even if the client does not support cookies, FirePass sends the Set-Cookie
    # header anyway, so this also supports cookie-less clients
}
==============================================================
- blacksan_10396
Nimbostratus
This last iRule is passing all of our BIG-IP/FirePass testing except one minor case.
Many users behind one NATed IP address on the Internet (AOL mega-proxy and companies' Internet access). I personally don't consider this a major problem, but it can cause performance issues if all users from one company's NATed IP hit the same FirePass.
Any chance the iRule can remove the source-IP-address persistence after the sid cookie has been established?
Right now this is my concept of how everything works:
FYI - no default/fallback persistence enabled, only the iRule.
1 - user A hits the BIG-IP VS
2 - iRule activates
3 - BIG-IP selects a FirePass member; the iRule gets no "MRHSession" cookie and assigns a source-IP-address entry to the persistence table
4 - user A hits the FirePass login page
5 - user A logs in and gets an "MRHSession" cookie; the iRule adds a universal sid-cookie entry to the persistence table
6 - user A connection successful
7 - new user B hits the BIG-IP VS from the same IP address as user A
8 - the persistence table assigns user B to the same FirePass due to the source-IP-address entry in the persistence table
9 - user B hits the FirePass login page
10 - user B logs in and gets an "MRHSession" cookie; the iRule adds a universal sid-cookie entry to the persistence table
11 - user B connection successful
12 - user A decides to "roam" and changes IP address
13 - the persistence table keeps the user on the correct FirePass due to the universal sid-cookie entry, and the iRule adds the new source IP address to the persistence table
14 - user A connection successful
- Joel_Moses
Nimbostratus
I've got a bit of a modification to the BIG-IP LTM FirePass load balancing/offload iRule that allows you to enable "Selective" compression (if you are licensed for encryption) on the HTTP profile the VS uses. This effectively compresses all text/* MIME types and JavaScript that come through FirePass; in our testing, it can speed up pre-login sequences to high-latency clients (e.g., aircards) by as much as 30%.
------------------------------------------
when RULE_INIT {
    # Persistence timeout if the MRHSession cookie is present
    set ::tmout 3600
    # Persistence timeout if no cookie is found; source IP persistence is used
    set ::tmout2 600
}
when CLIENT_ACCEPTED {
    # Per-connection flag; a plain local set in RULE_INIT is not visible in connection events
    set ssl_handshake 0
}
when CLIENTSSL_HANDSHAKE {
    set ssl_handshake 1
}
when CLIENTSSL_CLIENTCERT {
    set ssl_handshake 1
}
when HTTP_REQUEST {
    set http_disable 0
    set sid [HTTP::cookie "MRHSession"]
    # Handle cookie-less clients
    if { $sid == "" } {
        set sid [findstr [HTTP::uri] "S=" 2 "&"]
    }
    if { $ssl_handshake == 1 } {
        HTTP::header replace "BIGIP" "on"
        HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"
        HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"
        HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
        set ssl_handshake 0
    }
    # Tunnel paths: session id in sess=, and HTTP processing must stop once the tunnel is up
    if { [HTTP::uri] starts_with "/myvpn" || [HTTP::uri] starts_with "/tunnel" } {
        set sid [findstr [HTTP::uri] "sess=" 5 "&"]
        set http_disable 1
    }
    if { $sid != "" } {
        persist uie $sid $::tmout
    } else {
        persist source_addr [IP::client_addr] $::tmout2
    }
}
when HTTP_REQUEST_SEND {
    if { $http_disable != 0 } {
        clientside {HTTP::disable}
    } else {
        # Plain HTTP through the portal: let the HTTP profile's selective compression apply
        clientside {COMPRESS::enable}
    }
}
when SERVER_CONNECTED {
    persist add source_addr [IP::client_addr] $::tmout2
}
when HTTP_RESPONSE {
    set sid [HTTP::cookie "MRHSession"]
    if { $sid != "" && $sid != "deleted" } {
        persist add uie $sid $::tmout
    }
}
------------------------------------------
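As an added example that is not part of the thread and not F5 code, the following Python model replays the persistence decisions of the iRule above so they can be checked without a BIG-IP: the session id is taken from the MRHSession cookie, then from the S= query parameter, then from sess= on the /myvpn and /tunnel paths; a request with a session id is persisted on it, one without falls back to the client address, every server-side connection refreshes the source-address record, and a logon response that sets MRHSession creates the session record. It runs Raymond's ADSL-reconnect case from the opening post and the shared-NAT walkthrough from blacksan's reply on a two-node pool. Node names, addresses, session ids, the round-robin pool and the explicit clock are all made up here; Raymond's second case (the TLS session ID changing) does not arise in this model because the key is the FirePass cookie, not the TLS session.

```python
"""Model of the persistence decisions made by the thread's final iRule.

Added example, not from the thread and not F5 code: a toy two-node pool
plus two persistence tables (uie keyed on the FirePass session id, and
source_addr keyed on the client IP) with explicit timestamps, so the
lookup order and the timeouts can be exercised without a BIG-IP.
Node names, addresses and session ids below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

TMOUT = 3600   # $::tmout  - uie (session id) persistence lifetime, seconds
TMOUT2 = 600   # $::tmout2 - source-address persistence lifetime, seconds


@dataclass
class Request:
    client_ip: str
    uri: str
    cookies: Dict[str, str] = field(default_factory=dict)


def extract_sid(req: Request) -> str:
    """Same precedence as the iRule's HTTP_REQUEST: the MRHSession cookie,
    then S= in the query string for cookie-less clients, then sess= on the
    /myvpn and /tunnel paths, whose requests never carry the cookie."""
    path, _, query = req.uri.partition("?")
    params = parse_qs(query)
    sid = req.cookies.get("MRHSession", "")
    if not sid:
        sid = params.get("S", [""])[0]
    if path.startswith("/myvpn") or path.startswith("/tunnel"):
        sid = params.get("sess", [""])[0]
    return sid


class FirePassPool:
    """Two persistence tables in front of a round-robin pool (made-up members)."""

    def __init__(self, members: List[str]) -> None:
        self.members = members
        self.next_member = 0
        self.uie: Dict[str, Tuple[str, float]] = {}          # sid -> (member, expiry)
        self.source_addr: Dict[str, Tuple[str, float]] = {}  # ip  -> (member, expiry)

    @staticmethod
    def _lookup(table: Dict[str, Tuple[str, float]], key: str, now: float) -> Optional[str]:
        entry = table.get(key)
        if entry is None:
            return None
        member, expires = entry
        if expires <= now:            # idle timeout reached: the record is gone
            del table[key]
            return None
        return member

    def handle_request(self, req: Request, now: float) -> str:
        """HTTP_REQUEST plus SERVER_CONNECTED: pick a member and update the tables."""
        sid = extract_sid(req)
        if sid:
            member = self._lookup(self.uie, sid, now)                     # persist uie $sid
        else:
            member = self._lookup(self.source_addr, req.client_ip, now)  # persist source_addr
        if member is None:
            member = self.members[self.next_member % len(self.members)]
            self.next_member += 1
            if sid:   # a miss on a uie key is recorded once a member is chosen
                self.uie[sid] = (member, now + TMOUT)
        # SERVER_CONNECTED (per connection on the BIG-IP, per request in this model):
        # (re)bind the client IP to the member. This is why a second user behind the
        # same NAT, arriving before logon, follows the first one.
        self.source_addr[req.client_ip] = (member, now + TMOUT2)
        return member

    def handle_response(self, member: str, set_cookie_sid: Optional[str], now: float) -> None:
        """HTTP_RESPONSE: FirePass sets MRHSession on logon; record who issued it."""
        if set_cookie_sid and set_cookie_sid != "deleted":
            self.uie[set_cookie_sid] = (member, now + TMOUT)


def scenario_adsl_reconnect() -> Tuple[str, str, str]:
    """Raymond's case 1: the line drops, the IP changes, the cookie survives."""
    pool = FirePassPool(["firepass1", "firepass2"])
    logon = pool.handle_request(Request("203.0.113.10", "/"), now=0)
    pool.handle_response(logon, "abc123", now=0)
    portal = pool.handle_request(
        Request("203.0.113.77", "/vdesk/", {"MRHSession": "abc123"}), now=60)
    tunnel = pool.handle_request(Request("203.0.113.77", "/myvpn?sess=abc123&x=1"), now=90)
    return logon, portal, tunnel


def scenario_shared_nat() -> Tuple[str, str, str]:
    """blacksan's walkthrough: user B, arriving from the same NATed address before
    logging on, is pinned to user A's member; only after the source record idles
    out does a cookie-less client get a fresh load-balancing decision."""
    pool = FirePassPool(["firepass1", "firepass2"])
    user_a = pool.handle_request(Request("198.51.100.5", "/"), now=0)
    pool.handle_response(user_a, "sid-a", now=0)
    user_b = pool.handle_request(Request("198.51.100.5", "/"), now=30)
    pool.handle_response(user_b, "sid-b", now=30)
    user_c = pool.handle_request(Request("198.51.100.5", "/"), now=30 + TMOUT2 + 1)
    return user_a, user_b, user_c


if __name__ == "__main__":
    print("ADSL reconnect:", scenario_adsl_reconnect())
    print("shared NAT:    ", scenario_shared_nat())
```

The model shows why blacksan's request is not simply a matter of dropping the source-address record once a cookie exists: the record is refreshed by every connection from that address, including the logged-on users' own, so a later cookie-less user from the same NAT keeps landing on the same member until the address has been idle for the full source-address timeout.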