Forum Discussion
NimbostratusHTTPS Persistence (Sharing load)
I have pair of DMZ servers load balanced using an F5 which is also on the DMZ.
1 VS listening on port 443 (this VIP has a client SSL cert configured on the VIP)
behind this VS sits a server pool with 2 servers listening on port 8000
Everything is working apart from share load between the 2 servers, we are using Source based IP persistence and unfortunately there are hundreds of different client connections but all these clients are source NATed on the Firewall to a single HIDE NAT for security purposes. Which means the F5 always sees the same Source IP and sends the connection to the same server, this server is getting busy!
Is there any other way I could make or share the load across servers in this scenario? At the moment I can't think of any.
10 Replies
natheCirrocumulus
portoalegre
How about using Cookie Persistence?
Rgds
N
portoalegreIsn't cookie persistence for HTTP connections only not HTTPS. Cookie persistence only supports the HTTP protocol.- Kevin_Stewart
Employee
Cookie persistence is supported in the HTTP protocol, not to be confused with HTTPS which is HTTP over SSL. HTTPS isn't a protocol unto itself. Plus, the fact that you have a client SSL profile applied to the VIP means you're decrypting the HTTPS traffic at the BIG-IP, which means it can see the clear text HTTP data and can absolutely utilize cookies for persistence. 
pete_71470Cirrostratus
What is the load balancing method used for the pool? A connection must first have been balanced to a node for persistence to keep sending connections to that node, so something else (priority group, balancing method, ratio, rule, etc) must be keeping just one node busy.- portoalegre
pete
pool servers both listening on port 8000
Ratio 1 for both servers
Priority Group 0 for both
VS
all settings default expect at this stage using Default Persistence Profile source_addr - natheYou didn't mention what load balance method you're using e.g. round robin.
Anyway, have you tried cookie persistence to see if this works?
N - portoalegre.........least connections
I've already tried cookie persistence and this doesn't work. You have to add a HTTP profile (used default). - portoalegreNathan - In regards to cookie persistence using the HTTP profile, if the servers are listening on port 8000 and not port 80, would that cause a problem.
Port 80 is open on each server but the application team has requested to listen on port 8000 for F5 purposes, customer connects to VS HTTPS port 443 (I've used standard tcp health check) 
What_Lies_Bene1It's pretty normal to have the real servers listening on different ports, the port 'translation' is automatic. This would not affect Persistence in any way.- natheThanks Steve, been offline for a while.
Anyway, when you tried cookie persistence could you see an f5 cookie on the client and see it in the http traffic (fiddler / httpfox)?
Perhaps an anonymised copy of your VS might be an idea and what LTM version you're running.
N
