Forum Discussion

Brett_11768
Aug 02, 2011

iRule to disable Web Acceleration for specific IP or IP range

We recently purchased BIG-IP LTMs with the Web Accelerator module. The LTM is running great and we have migrated all of our Load Balanced systems to the new platform. However, we recently enabled the following:

Advanced Settings

  • Protocol Profile (Client) - tcp-wan-optimized
  • Protocol Profile (Server) - tcp-lan-optimized
  • OneConnect Profile - oneconnect
  • HTTP Profile - http-acceleration

HTTP Class Profiles

  • wa_httpclass - with Web Acceleration enabled

At first everything was fine and we received very positive feedback both during testing and once we implemented the change. However, a few days after implementing the change an issue arose with our SSL VPN system from Juniper (SA-6000).

Users connecting through the SSL VPN would sporadically see another user's ID and data. Fortunately the first platform we enabled WA on does not house confidential data. Recognizing that the only change was the addition of the above changes, I disabled the OneConnect profile and the http-acceleration. This fixed the issue.

Now to my question: I have proposed two solutions to fix this issue. The first solution would involve setting up a separate VIP that the SSL VPN clients would connect to. The separate VIP would have NO acceleration of any kind enabled. Simple, fast, easy to maintain and low cost.

The second solution involves creating an iRule that would filter traffic connecting to the current VIP. The idea being the iRule would look at the source IP address and if it is in a certain IP range the iRule would disable all acceleration to and from that source address.

The second solution seems much more complicated to me but I am being asked to investigate both. Has anyone here done something like this and would you recommend using an iRule? If yes, could you provide a copy of the iRule so that I can use it as a starting point for my effort?

I appreciate any help you can provide :).

Best regards,

Brett

1 Reply

  • Answered here:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1180675/showtab/groupforums/Default.aspx

    Aaron
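
The second option described in the question (filtering on source address inside the existing VIP) could look like the sketch below. This is an added example, not code from the thread or from the linked answer; the 192.0.2.0/24 range is a constructed placeholder for the SSL VPN's source addresses, and it assumes the `WAM::disable` and `ONECONNECT::reuse` iRule commands are available on the BIG-IP version in use.

```tcl
# Added example (not from the original thread).
# Assumption: requests from the SSL VPN arrive from 192.0.2.0/24 (placeholder range).
when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
        # Bypass Web Accelerator processing for this request, so the
        # response is neither served from nor stored in the WA cache.
        WAM::disable

        # Keep this request's server-side connection out of the
        # OneConnect reuse pool so it is not shared with other clients.
        ONECONNECT::reuse disable

        # Temporary verification aid: confirms the rule matched.
        # Remove once the bypass has been validated.
        log local0. "Acceleration bypassed for client [IP::client_addr]"
    }
}
```

The TCP protocol profiles (tcp-wan-optimized, tcp-lan-optimized) are bound to the virtual server and are not changed by this rule; only a separate VIP, the first option in the question, removes those as well.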