how to persistant client when using bigip load balance firepass

This last i-rule is passing all of our bigip/firepass testing except one minor one.

 

 

Many-users behind one NATed IP Address on the Internet (AOL Mega-proxy and companies Internet Access). I personally don't consider this a major problem but it can cause performance issues if all users from one company NATed IP hits the same firepass.

 

 

Any chance the I-Rule can remove the source-IP-Address persistence after the sid-cookies has been established?

 

 

Right now this is my concept on how everything works:

 

 

FYI - No Default/Fallback persistence enabled, only I-Rule.

 

 

1 - user A hits the BigIP VS

 

2 - I-Rules Activates

 

3 - BigIP selects a Firepass member and I-Rule gets no "MRHSession" cookie plus I-Rule assigns a Source-IP-Address to persistence table

 

4 - user A hits Firepass Login Page

 

5 - user A login and gets a "MRHSession" Cookie, I-Rule adds Universal sid-cookie to persistence table.

 

6 - user A connection successful

 

7 - new user B hits the BigIP VS from same IP Address as user A

 

8 - persistence table assigns user B to the same Firepass due to Source-IP-Address in persistence table

 

9 - user B hits Firepass Login Page

 

10 - user B login and gets a "MRHSession" Cookie, I-Rule adds Universal sid-cookie to persistence table.

 

11 - user B connection successful

 

12 - user A decides to "roam" and changes IP Address

 

13 - persistence table keeps users on the correct firepass due to Universal sid-cookie and the I-Rule adds New Source-IP-Address to persistence table

 

14 - user A connection sucessful