Forum Discussion
Load balancing incoming sslvpn connections from users who have multiple egress IPs coming into the LTM
Hi
I wonder if someone has an idea on how to better handle this. We basically do blind proxy with the LTM and do not terminate SSL there. There is a VIP and a pool (with up to 12 members). Backend pool members are Sonicwall (Aventail) Secure Mobile Access appliances. Users connect using Sonicwall's tunnel client to tcp port 443 on the LTM. The LTM just passes this connection onto the backend pool member, and in order for this to work, we need to do source address affinity for persistence. This is all good when the user is coming from a single IP, but if it's more than 1 IP, the tunnel session never establishes for obvious reasons. It has to hit the same backend pool member all the time throughout its session.
We use an iRule as a solution to handle those clusters of users who connect from offices that have multiple egress IPs that the LTM sees, but it's not ideal to maintain this when we deal with a more than 500k user base. Plus you are putting all these users onto a single pool member, which defeats the whole idea of load balancing as the iRule bypasses that altogether.
The tunnel client connection does not have any identifying parameters such as SSL session ID, cookie or things like that. So that's why we ended up with using source address for persistence. The same thing happens with other major vendors that we tested this with, Cisco AnyConnect and Pulse Secure.
Thanks for any help/suggestion.
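One way to key persistence on the office network rather than on each individual egress IP, as an added example that is not part of the original post or the poster's existing iRule. It assumes a virtual server on port 443 with the SMA pool and a Universal persistence profile attached, and an address-type data group named `office_egress_nets` (assumed name) listing the known multi-egress office ranges; users from any other source keep ordinary per-IP persistence, so unknown single-IP users are unaffected.

```tcl
# Added example, not from the original post.
# Assumes: a Universal persistence profile on the virtual server (required for
# "persist uie"), and an address-type data group "office_egress_nets" (assumed
# name) holding each office's egress network, e.g. 203.0.113.0/24 (constructed).
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # For address data groups, "equals" matches when the client IP falls inside
    # one of the listed networks.
    if { [class match $client equals office_egress_nets] } {
        # Known office: use the matched network entry as the persistence key.
        # All egress IPs of that office therefore share one pool member, while
        # different offices are still spread across the pool by the LB method.
        set key [class match -name $client equals office_egress_nets]
    } else {
        # Unknown source: fall back to persisting on the single client IP,
        # which is the same behaviour as plain source-address affinity.
        set key $client
    }

    # Universal persistence on the chosen key; 3600 s idle timeout (adjust to
    # match the longest expected tunnel idle period).
    persist uie $key 3600
}
```

Maintenance then means adding one network entry per office to the data group instead of mapping individual IPs to a fixed pool member, and the pool member for each office is still chosen by the load-balancing method rather than hard-coded.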