OneConnect + SSL

Question

Hi all -&nbsp;
&nbsp;Running LTM 10.2.0&nbsp;
&nbsp;I'm looking for some guidelines on using oneconnect with SSL Re-encryption. We are load balancing REST API calls to a pool of 4 servers. The API calls are extremely slow when the oneconnect profile is enabled on the virtual server.&nbsp;
&nbsp;Unfortunately I cannot get the developers to provide logs to help me isolate the issue, but it appears that the problem is related to either SSL or the API authentication piece.&nbsp;
&nbsp;I do see that with oneconnect disabled, the session stays persistent to one server. For example, the client connects to the API and makes 100 calls. All of those calls stay sticky to one server. With oneconnect enable, the API calls bounce around the 4 servers.&nbsp;
&nbsp;Any best practices for configuring HTTPS virtual servers with oneconnect?&nbsp;
&nbsp;Thanks in advance!&nbsp;

beinhard_8950 · Answer

Depends a little bit how your setup is. 
&nbsp;  
&nbsp; Do you using Snat? 
&nbsp; if so, do u using Snat automap or Snat pools or f5 as a router? 
&nbsp; the answer of above will give you if the oneconnect needs to be 0.0.0.0 or 255.255.255.255 
&nbsp;  
&nbsp; oneconnect is also not suitable for every application... Like SFTP and so on. 
&nbsp;  
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7208.html 
&nbsp;  
&nbsp; I have also seen problem when using session limit on pool members, because of that it´s best practice to disable cmp on that vs and then the percistency will break, at least in some version i used before. 
&nbsp;  
&nbsp; /Beinhard

mersin_108215 · Answer

Thanks, Beinhard, 
&nbsp;  
&nbsp; I ended up opening a case with the support team and figured out that my problem was not related to SSL but related to how oneconnect manages the server side connections. The test that my developers were running always resulted in HTTP 404s being returned from the servers. I learned that 404s cause OneConnect to tear down the server side side connection, and therefore each API call would result in a whole new client-server handshake. This explains why I would see API calls from the client bounce between the servers. 
&nbsp;  
&nbsp; Thanks for the info you provided. To note, my virtual server is configured with SNAT automap 
&nbsp;  
&nbsp; Now I'm curious as to why F5 tears down the server side connection due to 404s. 404s do not indicate that the server is in an unhealthy state. I will post that as a separate question.

Forum Discussion

OneConnect + SSL

Recent Discussions

ip x-forwarding

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Related Content

Lightboard Lessons: OneConnect

How OneConnect Profile's max-size works

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

SSL PROXY

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS