Forum Discussion
lijeep_54639
Nimbostratus
Sep 11, 2008
Maintain SSL Persistence with firepass
I am losing my SSL Persistence on my firepass using ssl offload with my LTM. I am unsure if I have this configured right. I have the firepass using ssl offload on port 443 and the ltm pool listening ...
lijeep_54639
Nimbostratus
Sep 12, 2008
So I think below is my issue. What I would like to do is either add what I need to the current irule, or create a new irule and hang it off the http profile to check for ssl client cert. If I disable client cert with the irule that you sent me, all works fine. I am unsure if this is my issue or not. I am running out of time, and we were taking today to not use our ltm 6400's and just cluster the firepasses for a HA configuration. I don't want to do that though.
SOL3062: Using SSL (Session ID) persistence
--------------------------------------------------------------------------------
Updated: 5/5/08 4:33 PM
BIG-IP SSL Persistence allows you to persist SSL connections to a node based on the SSL Session ID of the connection.
Advantages
SSL persistence is much more granular than simple persistence. Unlike simple persistence, SSL persistence does not rely on proxies and NATs and is not subject to the associated problems that can make simple persistence ineffective.
SSL persistence ensures that repeat connections from the same client are sent to the same node. This allows the use of SSL session resumption, which saves processing time for both the client and the server.
Disadvantage
Many browsers force SSL Session ID renegotiation at very short intervals (such as the two-minute limit for Microsoft Internet Explorer 5.x). As a result, the client browser can supersede the effective SSL persistence timeout.
Configuration requirements
You can use SSL persistence with the following configurations:
* With an SSL virtual server, when the nodes are configured with the SSL certificate.
* With a virtual server configured with a clientssl profile, when the BIG-IP system terminates SSL connections.
You cannot use SSL persistence with the following configurations:
* With a virtual server configured with a serverssl profile. If the BIG-IP is configured to terminate and re-encrypt SSL connections, a different SSL session ID is used for the node-side connection than is used for the client-side connection. As a result, you cannot use SSL session ID persistence in combination with re-encryption.
* With a virtual server configured for Client Authentication. For example, if the clientssl profile is configured to request a client SSL certificate for client authentication you cannot use SSL persistence.
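
The disadvantage described in the quoted SOL3062 text, as a toy model added here for illustration (not part of the original post and not F5 code): a persistence table keyed by SSL session ID, with one client that changes its session ID on a fixed interval. The node names, round-robin load balancing, timeout and interval values are all assumptions.

```python
import itertools


class SessionIdPersistence:
    """Toy persistence table keyed by SSL session ID, with an idle timeout."""

    def __init__(self, nodes, timeout):
        self.timeout = timeout                     # persistence timeout (seconds)
        self._next_node = itertools.cycle(nodes)   # assumed round-robin balancing
        self._table = {}                           # session_id -> (node, last_seen)

    def pick_node(self, session_id, now):
        entry = self._table.get(session_id)
        if entry and now - entry[1] <= self.timeout:
            node = entry[0]                        # known session ID: persist
        else:
            node = next(self._next_node)           # unknown or expired: load balance
        self._table[session_id] = (node, now)      # refresh the idle timer
        return node


def simulate(renegotiate_every, timeout=300, duration=600, step=60):
    """One client connects every `step` seconds and switches to a new
    session ID every `renegotiate_every` seconds. Returns the node chosen
    for each connection, in order."""
    lb = SessionIdPersistence(["node-a", "node-b"], timeout)
    chosen = []
    for now in range(0, duration, step):
        session_id = f"sid-{now // renegotiate_every}"   # constructed sample IDs
        chosen.append(lb.pick_node(session_id, now))
    return chosen


if __name__ == "__main__":
    # Session ID kept for the whole run: every connection persists to one node.
    print("stable ID:      ", simulate(renegotiate_every=3600))
    # New session ID every two minutes: the client moves between nodes even
    # though the 300-second persistence timeout never expires.
    print("2-minute renego:", simulate(renegotiate_every=120))
```

In the second run the persistence records are still valid when the client returns; it is the new session ID that makes each lookup miss, which is how a short browser renegotiation interval supersedes the configured timeout.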