Forum Discussion

lijeep_54639
Sep 11, 2008

Maintain SSL Persistence with firepass

I am losing my SSL persistence on my FirePass using SSL offload with my LTM. I am unsure if I have this configured right. I have the FirePass using SSL offload on port 443 and the LTM pool listening on 443. We just have an HTTP VIP on the LTM that has an iRule for HTTP to HTTPS redirect. Do I need to have port 80 set up on the FirePass as well? Would that break my SSL persistence? We have cookies enabled on the LTM.

What's the best way to do this and add SSL persistence?

7 Replies

  • hoolio
    What are the indications that you're losing persistence? Do you have an SSL session ID persistence profile configured? If so, it's not recommended where you are decrypting the SSL on the BIG-IP. This is explained in SOL3062.

    Have you tried using cookie insert persistence? This should be a simple and effective way to persist clients based on HTTP sessions instead of the SSL session ID.

    Aaron
  • After troubleshooting today I am not sure if it's persistence. So what is happening is that when I log into the FP through the LTM, I connect. If I stay idle for 5-10 min I lose my session and the browser says I don't have a valid client cert.
  • hoolio
    If you configure cookie insert persistence with no timeout, do you still see the issue? Else, can you test with source address persistence and a 30 minute timeout to check this?

    Aaron
  • So I think below is my issue. What I would like to do is either add what I need to the current iRule, or create a new iRule and hang it off the HTTP profile to check for the SSL client cert. If I disable the client cert with the iRule that you sent me, all works fine. I am unsure if this is my issue or not. I am running out of time, and we were going to take today to not use our LTM 6400s and just cluster the FirePasses for an HA configuration. I don't want to do that though.

    SOL3062: Using SSL (Session ID) persistence

    --------------------------------------------------------------------------------

    Updated: 5/5/08 4:33 PM

    BIG-IP SSL persistence allows you to persist SSL connections to a node based on the SSL session ID of the connection.

    Advantages

    SSL persistence is much more granular than simple persistence. Unlike simple persistence, SSL persistence does not rely on proxies and NATs and is not subject to the associated problems that can make simple persistence ineffective.

    SSL persistence ensures that repeat connections from the same client are sent to the same node. This allows the use of SSL session resumption, which saves processing time for both the client and the server.

    Disadvantage

    Many browsers force SSL session ID renegotiation at very short intervals (such as the two-minute limit for Microsoft Internet Explorer 5.x). As a result, the client browser can supersede the effective SSL persistence timeout.

    Configuration requirements

    You can use SSL persistence with the following configurations:

    With an SSL virtual server, when the nodes are configured with the SSL certificate.

    With a virtual server configured with a clientssl profile, when the BIG-IP system terminates SSL connections.

    You cannot use SSL persistence with the following configurations:

    With a virtual server configured with a serverssl profile. If the BIG-IP is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.

    With a virtual server configured for client authentication. For example, if the clientssl profile is configured to request a client SSL certificate for client authentication, you cannot use SSL persistence.
  • hoolio
    If you use source address persistence does it work?

    I'd suggest opening a case with F5 Support and asking them what the recommended persistence method is for using LTM to load balance FirePass. If cookie insert persistence is not working, then the LTM+FirePass deployment guide is wrong, and needs to be updated.

    Aaron
  • I have had two cases open with the FirePass team and the LTM team and they both pointed me to DevCentral for the answer. I think their documentation is wrong, and should state that if using a client-side cert, it will break SSL offload. Do you think this should work?
  • hoolio
    If there is something listed in an official F5 product guide which doesn't work (regardless of whether it involves an iRule or not), F5 Support should be willing to help you. From what I've been told, DevCentral wasn't designed as a method for escalating product issues/bugs. If the product isn't working, the official channel is through F5 Support. In fact Support should be thanking you for pointing out an issue with their documentation.

    I've never used SSL session ID persistence as I've never passed SSL through unencrypted. I think cookie insert persistence should work with the rule, assuming the persistence info (from the cookie) is read before the HTTP filter is disabled in the iRule.

    Aaron
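Editor's added example (not part of the thread, and not F5's code). Two replies above recommend cookie insert persistence in place of SSL session ID persistence, and the last one notes that the LTM can only honour the cookie while its HTTP filter is still reading the request. The quickest way to confirm that cookie persistence is actually pinning a client is to read the BIGipServer cookie the LTM inserts: in its default IPv4 form the value is the pool member's address as a little-endian decimal integer, then the port with its two bytes swapped, then `.0000`. The code below encodes and decodes that value and checks a run of captured Cookie headers for a stable member. The pool name `firepass_pool_443`, the member 10.1.1.100:443 and the three Cookie header lines are constructed for the example; the cookie format itself is the documented default.

```python
"""Encode/decode the default IPv4 BIGipServer persistence cookie and check
that a series of requests stayed on one pool member.

Added example: pool name, member address and Cookie headers are constructed.
"""
from __future__ import annotations

import ipaddress
import re
import struct
from http.cookies import SimpleCookie

COOKIE_PREFIX = "BIGipServer"
# <ip as little-endian decimal>.<port, bytes swapped, decimal>.0000
_VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def _swap16(port: int) -> int:
    """Swap the two bytes of a 16-bit value: 443 (0x01BB) <-> 47873 (0xBB01)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def encode_member(ip: str, port: int) -> str:
    """Return the cookie value the LTM inserts for pool member ip:port."""
    if not 0 < port <= 0xFFFF:
        raise ValueError(f"bad port {port}")
    # The four octets are read as a little-endian 32-bit integer, so
    # 10.1.1.100 (bytes 0a 01 01 64) becomes 0x6401010A == 1677787402.
    ip_int = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    return f"{ip_int}.{_swap16(port)}.0000"


def decode_member(value: str) -> tuple[str, int]:
    """Inverse of encode_member; raises ValueError on anything malformed."""
    m = _VALUE_RE.match(value)
    if m is None:
        raise ValueError(f"not a default IPv4 BIGipServer value: {value!r}")
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError(f"field out of range: {value!r}")
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))
    return ip, _swap16(port_int)


def persistence_members(cookie_header: str) -> dict[str, tuple[str, int]]:
    """Map pool name -> (ip, port) for every BIGipServer<pool> cookie in a
    raw Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    members: dict[str, tuple[str, int]] = {}
    for name, morsel in jar.items():
        if name.startswith(COOKIE_PREFIX):
            members[name[len(COOKIE_PREFIX):]] = decode_member(morsel.value)
    return members


def persisted_to_one_member(cookie_headers: list[str], pool: str) -> bool:
    """True only if every request carried a cookie for `pool` and all of
    them named the same member. A request with no cookie (the browser
    dropped it, or the HTTP filter never inserted one) breaks persistence."""
    seen = {persistence_members(h).get(pool) for h in cookie_headers}
    return len(seen) == 1 and None not in seen


# Constructed sample: three requests from one browser. The third has lost the
# cookie, so the LTM would load-balance it afresh instead of persisting.
SAMPLE_POOL = "firepass_pool_443"
SAMPLE_HEADERS = [
    "BIGipServerfirepass_pool_443=1677787402.47873.0000; JSESSIONID=abc123",
    "JSESSIONID=abc123; BIGipServerfirepass_pool_443=1677787402.47873.0000",
    "JSESSIONID=abc123",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", persistence_members(header))
    print("first two requests persisted:",
          persisted_to_one_member(SAMPLE_HEADERS[:2], SAMPLE_POOL))
    print("all three requests persisted:",
          persisted_to_one_member(SAMPLE_HEADERS, SAMPLE_POOL))
```

Two practitioner notes. First, this default encoding hands every client the real address and port of an internal pool member; if that matters, use the cookie profile's encryption option rather than the plain value. Second, the decode only confirms which member the cookie names; whether the LTM actually used it still depends on the HTTP profile being active when the request arrives, which is exactly the ordering caveat raised in the last reply.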