iRule to enable persistence for terminated SSL sessions

Question

Hello,&nbsp;
&nbsp;Ok so we have a new Application (lets call it Dog)and there are 6 servers (DogBoxes) in a single pool and the software suppliers tell me that the client would function optimally  if it always returns to the App Server it initiated with, as information is cached there even though. So transport is SSL, no worries a SSL Persistence thingy. Nope won't work for SSL Terminated sessions. OK I need to write an iRule, something I have done previously by coping one that I stole from here and modified clumsily to work as my own. Which means I have no ability to code or real understanding of iRule thingies.&nbsp;
&nbsp;Can someone point me in the right direction to try and handle correctly persistence for terminated SSL sessions?
&nbsp;My discovery so far leads me to believe that there is a setting for this, and I need to use the HTTP::header command and the persist:ssl and that is as far as I can go. 
&nbsp;I have done a search and read 20 or more articles but I am none the wiser.&nbsp;
&nbsp;Thanks
&nbsp;David.&nbsp;&nbsp;

hoolio · Answer

Hi RACQ, 
&nbsp;  
&nbsp; There is no need for an iRule.  If you're terminating the SSL you can use cookie insert persistence without an iRule.  Start by testing with the default cookie insert persistence profile.  If you want to customize the timeout or cookie name, you can create a custom cookie insert persistence profile and add that to the VS.   
&nbsp;  
&nbsp; Aaron

racq_74493 · Answer

Thanks Aaron, 
&nbsp; So even though we decrypt and then reencrypt on to the App Servers, the f5 will match the Session ID of the client with the correct session on the right App server? 
&nbsp;  
&nbsp; I am just concerned when for when we start to run load tests that the results will be skewed across the servers in the pool. 
&nbsp;  
&nbsp; Thanks 
&nbsp; David.

hoolio · Answer

Hi David, 
&nbsp;  
&nbsp; With cookie insert persistence, LTM will insert a cookie whenever a load balancing decision is made.  The cookie name and value contain the pool name and member IP:port.  By default the cookie is set as a session cookie (no expire time) so the client should present it on requests for as long as the browser is open.  Each time LTM parses a request with a persistence cookie, it will persist the client to the same pool member, assuming the member is available.   
&nbsp;  
&nbsp; This is independent of the SSL session ID.  Incidentally, I think most versions of IE can change the SSL session ID every two minutes.  So that's not always a dependable persistence method. 
&nbsp;  
&nbsp; Aaron

racq_74493 · Answer

Thanks again for the explanation. 
&nbsp; You have been very helpful, as always. 
&nbsp;  
&nbsp; David.

jjay_44003 · Answer

What would happen if the client will not accept cookies?

Forum Discussion

iRule to enable persistence for terminated SSL sessions

6 Replies

F5 Academies Are Back – And We’re Coming to a City Near You

Introducing the F5 Application Study Tool (AST)

Recent Discussions

About F5 idle timeout and keep-alive

Problem with sending BotDefense logs to remote server

OSPF traps on BIG-IP v14

[APM] - How to clear the cached certificate for specific url

Fireeye AX integration with F5 via API.

Related Content

BIG-IP APM: Max Sessions Per User – Enable users to terminate a specified session

ASP Session ID Persistence

Weblogic JSessionID Persistence for Session Replication

source address persistence maximum session timeout

AI Friday Episode 3: Snowstorms, Truth Terminal, MCP & AGI Insights

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS