Raymond_Feng_97
Historic F5 Account
Apr 25, 2006

How to support both SSL ID and source IP persistence when using BIG-IP to load balance FirePass?

Hi, all

I have used BIG-IP to load balance our FirePass, using source IP persistence to keep one user on one FirePass. Everything is OK except for some ADSL users. For ADSL users, their line may not be stable, so they may be disconnected and reconnect (their source IP will change). Our FirePass can ignore the source IP change and check only the SSL ID, but our BIG-IP can't do so, and re-sends the client to another FirePass.

So, I need one iRule to combine the two persistence methods, SSL ID and source IP. When a new client connection comes in, first we check the SSL ID; if the SSL ID has a persistence record, BIG-IP sends the connection to the same server for that SSL ID. This supports the ADSL client reconnecting with a new IP. Second, if there is no SSL ID record, we check source IP persistence; if the source IP has a record, send to the same server for that source IP. This supports the client's IE browser establishing a new SSL session. Third, if there is neither SSL ID nor source IP persistence, we load balance.

Can this work? Can anyone give some suggestions?

  • Raymond_Feng_97
    Historic F5 Account
    Thanks. In this case, where we use BIG-IP to load balance FP, we prefer to use SSL ID for persistence. But since IE 6.0, Microsoft allows the browser to use a new SSL ID to connect to the server, especially when popping up new browser windows, which causes our SSL ID persistence not to work.

    So, we can only use source address persistence to load balance FP. But this causes big trouble for the client, especially when the ADSL line is not stable. Each time the ADSL reconnects, the client needs to log in to the SSL VPN again (if they use RSA, it's more trouble), and this is important for gas-station POS machine users. With just one FP, our FP can still work even though the client changes IP, as long as the SSL ID is the same. But using our BIG-IP to load balance FP, we lose the FP advantage. That's why I need this iRule to support the two persistence methods combined together.

    Remember, I don't think this will cause trouble, since SSL ID is preferred and source IP is the backup choice.
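
The lookup order described in this thread (SSL ID record first, source IP record second, load balancing last), modelled in Python as an added example; it is not part of the original posts and is not an iRule or BIG-IP code. The class name, member names, the 300-second timeout and the round-robin choice are assumptions made for illustration.

```python
import itertools

class CombinedPersistence:
    """Toy model of the lookup order asked for in the thread (not BIG-IP code)."""

    def __init__(self, pool, timeout=300):
        self.timeout = timeout            # seconds a record stays valid (assumed value)
        self.by_ssl_id = {}               # SSL session ID -> (member, last_seen)
        self.by_src_ip = {}               # source IP      -> (member, last_seen)
        self._next = itertools.cycle(pool)  # round robin stands in for load balancing

    def _lookup(self, table, key, now):
        rec = table.get(key)
        if rec and now - rec[1] <= self.timeout:
            return rec[0]
        table.pop(key, None)              # expired or absent
        return None

    def select(self, src_ip, ssl_id, now):
        # 1. SSL session ID record wins: survives a source IP change.
        member = self._lookup(self.by_ssl_id, ssl_id, now) if ssl_id else None
        reason = "ssl_id"
        # 2. Fall back to source IP: survives a new SSL session ID.
        if member is None:
            member, reason = self._lookup(self.by_src_ip, src_ip, now), "source_ip"
        # 3. No record at all: ordinary load balancing.
        if member is None:
            member, reason = next(self._next), "load_balance"
        # Refresh both records so either key alone finds this member next time.
        if ssl_id:
            self.by_ssl_id[ssl_id] = (member, now)
        self.by_src_ip[src_ip] = (member, now)
        return member, reason

def demo():
    # Constructed sample connections (documentation IP ranges, made-up session IDs).
    lb = CombinedPersistence(["firepass-1", "firepass-2", "firepass-3"])
    return [
        lb.select("203.0.113.10", "aa11", now=0),    # first login
        lb.select("198.51.100.5", "cc33", now=5),    # a different user
        lb.select("203.0.113.77", "aa11", now=60),   # ADSL reconnect: new IP, same ID
        lb.select("203.0.113.77", "bb22", now=90),   # new browser window: new ID, same IP
        lb.select("203.0.113.99", "dd44", now=120),  # both changed: no record matches
    ]

if __name__ == "__main__":
    for member, reason in demo():
        print(member, reason)
```

The last connection shows the limit of the scheme: when the source IP and the SSL session ID change together, no record matches and the client is load balanced again.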