Forum Discussion

pjcampbell_7243
Feb 07, 2011

Offload a specific outbound ssl request?

Hi all

We have an issue where when our code goes out to check a 3rd party vendor for product inventory via HTTPS directly from the Java/apache webserver, the load spikes.

We could have 100 users hitting the DB on a single web server, no problem. As soon as we have X (a VERY small number) users simultaneously checking 3rd party inventory, the server load spikes.

The problem seems to be linear, in that the load gets higher and the machine gets slower as the number goes up until it is too slow to accept a new connection and we get timeouts.

I cannot say for sure that this is an SSL issue but I wanted to try to have the programmers change their request to plaintext.

Could I set up a local VIP on the BIGIP with the pool member being the 3rd party's IP and use server SSL to connect?

I believe I have tried to use non-local IPs as pool members before and it does not seem to work (maybe strictly a configuration issue on our end). Is there any reason why and any other suggestions?


  • Which load spikes? Is it LTM or the servers?

    You can set up a local virtual server which points to a non-local pool. You can use a plaintext HTTP virtual server (no client SSL profile) and serverside SSL (server SSL profile). You'll need a route to the remote server(s) and SNAT on the virtual server to ensure the requests are proxied out and the response comes back through LTM.

    Aaron
  • Thank you and sorry, it's the web server load that spikes.

    I thought maybe it was some inefficient SSL classes the programmers are using that causes this. There is no real foundation behind this guess, but I have nothing else to go on and need to try something.

    I have never used a server SSL... do I simply assign the default serverssl profile to the VIP?

    I think the reason why I can't use a non-local pool member is due to config on our end. From the units, I cannot reach anything externally. Maybe a routing issue.

    Thanks...

    Thanks so much for your reply.
  • That seems like a reasonable test to try. You can use the default server SSL profile as long as the remote pool member doesn't require a client cert. If that's the case, then you'd want to create a custom server SSL profile with the client cert configured.

    If remote pool members haven't worked in the past, I'd check routing on LTM first and then firewall(s) between LTM and the internet.

    Aaron
  • How do we determine which interface the outbound 3rd party request will go out of? On the bigip, we have 2 default routes:

    0.0.0.0 172.30.1.3 0.0.0.0 UG 0 0 0 INT-PIX
    0.0.0.0 172.31.10.1 0.0.0.0 UG 0 0 0 eth0

    In the bigip GUI under routes, the default route is going to 172.30.1.3. Considering we can't get out to the internet on 172.30.1.3, would that be the issue?

    I can hit other IPs on our intranet that are not on the bigip.

  • Active] ~ tracepath www.google.com/80
    1: 172.30.1.8 (172.30.1.8) 0.688ms pmtu 1500
    1: 172.30.1.4 (172.30.1.4) 1.423ms
    2: no reply
    3: no reply

  • Ok, I got it so that I can connect to my remote IP from the BIGIP. Now why does it not find that pool member (the remote IP) as "active"? My check is TCP_443, which it responds to....
  • Hi Again

    I have tested this successfully on a LOCAL IP that answers on 443 only, with your above suggestions.

    So it seems the missing piece of this puzzle is why I can't seem to get the BIGIP to see my remote pool member as "UP" even though I can now successfully connect to it from the CLI on port 443.
  • Hi pjcampbell,

    When you say that the Big-IP can't seem to see your remote pool member as "UP", what do you mean?

    Are you saying that the Pool Member is showing as unavailable? (Red Diamond)

    What health checks do you have configured on the pool?
  • I cheated and called support

    I had 0 health checks assigned to the pool or pool member, but ICMP on the node (the IP is not pingable) was getting us.
  • Getting the right answer to your problem is never cheating on here :-)

    Glad you got it all worked out.
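An added tmsh configuration example, not from this thread or from F5, that puts Aaron's setup and the node-monitor finding together: a plaintext HTTP virtual server on the inside, a server SSL profile toward the vendor, SNAT automap, a route to the remote member, and a TCP/443 monitor on the pool instead of the default ICMP check on the node. The vendor IP 203.0.113.10, the VIP 10.1.1.50, the gateway 192.0.2.1 and all object names are constructed placeholders.

```tmsh
# Added example, not from the thread. 203.0.113.10 (vendor), 10.1.1.50 (VIP)
# and 192.0.2.1 (gateway toward the internet) are constructed placeholders.

# Route for the remote pool member: without it the vendor traffic follows
# the default route, which in the thread pointed at a firewall with no
# internet access.
create net route vendor_route { network 203.0.113.10/32 gw 192.0.2.1 }

# TCP monitor on port 443: the vendor answers on 443 but not on ICMP, so
# the check must run against the pool member, not the node.
create ltm monitor tcp vendor_tcp_443 { defaults-from tcp destination *:443 interval 10 timeout 31 }

# Create the node explicitly with no monitor so the default node monitor
# (ICMP in the thread) cannot mark the unpingable vendor IP down.
create ltm node vendor_node { address 203.0.113.10 monitor none }

# Pool with the remote member, health-checked on 443.
create ltm pool vendor_https_pool { monitor vendor_tcp_443 members add { vendor_node:443 } }

# Plaintext HTTP on the client side (no client SSL profile), server SSL
# toward the vendor, SNAT automap so the reply returns through LTM.
create ltm virtual vendor_https_vs {
    destination 10.1.1.50:80
    ip-protocol tcp
    profiles add { tcp { } http { } serverssl { context serverside } }
    source-address-translation { type automap }
    pool vendor_https_pool
}

# If the vendor requires a client certificate, build a custom profile from
# the default one instead (cert/key names are placeholders):
# create ltm profile server-ssl vendor_serverssl { defaults-from serverssl cert vendor_client.crt key vendor_client.key }

# Check: the member should now show available instead of the red diamond
# seen when the node ICMP check failed.
show ltm pool vendor_https_pool members
show ltm node vendor_node
save sys config
```

Point the web servers at http://10.1.1.50/ in place of the vendor's HTTPS URL; LTM then terminates the TLS session to the vendor on their behalf.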