Amartya_Ghosh_1
Mar 07, 2014

Need to achieve source_address persistence on 2 VS with different port address

Hi,

I am stuck with a requirement to achieve source_address persistence among two VS. End users will browse the URL using HTTP and while they are ready to purchase, they go to checkout using HTTPS. The SSL offloading is happening on the server.

The scenario is similar to the one explained in the URL below, except my requirement is to match the source address of the client. https://devcentral.f5.com/wiki/irules.httptohttpscookiepersistence.ashx

LTM: 8900, version 10.2

Scenario:

Virtual Servers:

1) IP=10.10.10.10 port 7008 >>>> HTTPS VIP
2) IP=10.10.10.10 port 7009 >>>> HTTP VIP

Pool: for both VS, the real servers are the same with respective port numbers.

1) Pool members for VS1 are a.b.c.d:7008 & a.b.c.e:7008
2) Pool members for VS1 are a.b.c.d:7009 & a.b.c.e:7009

I have tried to use source_address/cookie persistence with a OneConnect profile but did not have any success. I was even thinking of using source_address persistence with the "Match Across Virtual Servers" setting, but I am not sure if it will work either.

Can anyone in the forum guide me on how I can achieve it?

3 Replies

  • If you're not terminating the SSL at the VIP, then you cannot use cookie persistence. The "match across virtual servers" option should do what you want. Keep in mind of course that source address persistence isn't the greatest solution if you have no control over the address space. Many (Internet) users can be coming across NATs that could obscure true source addresses, which might unintentionally pin users to pool members unevenly.

  • The very best persistence method would be HTTP cookie, but you'd need to terminate the SSL on the HTTPS VIP. You can of course re-encrypt to the back end. In the absence of SSL offload, your only real choice is source persistence.

  • Jana

    Can you use "match across services", instead of "match across virtual servers"?

    Article http://support.f5.com/kb/en-us/solutions/public/5000/800/sol5837 covers your requirement.
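
A simplified model of the source-address persistence lookup discussed in this thread, added here as an illustration; it is not part of the original posts and not F5 code. The class, the scope names, the round-robin node selection and the client addresses are assumptions; it shows how the scope of the persistence record decides whether the HTTP and HTTPS virtual servers land on the same node, and how one NAT address skews the load.

```python
from collections import Counter
from itertools import cycle

VIP = "10.10.10.10"
NODES = ["a.b.c.d", "a.b.c.e"]      # placeholder node addresses, as in the post
HTTPS_PORT, HTTP_PORT = 7008, 7009

class PersistenceTable:
    """Toy persistence table: the scope decides what a record is keyed on."""
    def __init__(self, scope):
        self.scope = scope          # per_virtual | across_services | across_virtuals
        self.records = {}           # persistence key -> node
        self.rr = {}                # one round-robin chooser per virtual server

    def key(self, client_ip, vip, port):
        if self.scope == "per_virtual":
            return (client_ip, vip, port)   # record private to one virtual server
        if self.scope == "across_services":
            return (client_ip, vip)         # shared by all ports on the same VIP
        return (client_ip,)                 # shared by every virtual server

    def pick(self, client_ip, vip, port):
        k = self.key(client_ip, vip, port)
        if k not in self.records:           # no record yet: load balance, then remember
            chooser = self.rr.setdefault((vip, port), cycle(NODES))
            self.records[k] = next(chooser)
        return self.records[k], port        # same node, port of the virtual server hit

def checkout_flow(scope):
    """Client B browses over HTTP, then checks out over HTTPS (constructed clients)."""
    table = PersistenceTable(scope)
    table.pick("198.51.100.1", VIP, HTTP_PORT)            # client A arrives first
    http_node, _ = table.pick("198.51.100.2", VIP, HTTP_PORT)
    https_node, _ = table.pick("198.51.100.2", VIP, HTTPS_PORT)
    return http_node, https_node

def nat_skew(nat_users=100, direct_users=10):
    """Users per node when many users share one NAT source address."""
    table = PersistenceTable("across_services")
    load = Counter()
    for _ in range(nat_users):                            # all seen as 203.0.113.5
        load[table.pick("203.0.113.5", VIP, HTTP_PORT)[0]] += 1
    for i in range(direct_users):
        load[table.pick(f"192.0.2.{i + 1}", VIP, HTTP_PORT)[0]] += 1
    return dict(load)

if __name__ == "__main__":
    for scope in ("per_virtual", "across_services", "across_virtuals"):
        print(scope, checkout_flow(scope))
    print(nat_skew())
```
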