Forum Discussion

Mersin_108215
Apr 23, 2012

OneConnect + SSL

Hi all -

Running LTM 10.2.0

I'm looking for some guidelines on using oneconnect with SSL Re-encryption. We are load balancing REST API calls to a pool of 4 servers. The API calls are extremely slow when the oneconnect profile is enabled on the virtual server.

Unfortunately I cannot get the developers to provide logs to help me isolate the issue, but it appears that the problem is related to either SSL or the API authentication piece.

I do see that with oneconnect disabled, the session stays persistent to one server. For example, the client connects to the API and makes 100 calls. All of those calls stay sticky to one server. With oneconnect enabled, the API calls bounce around the 4 servers.

Any best practices for configuring HTTPS virtual servers with oneconnect?

Thanks in advance!

  • Depends a little bit on how your setup is.

    Are you using SNAT?

    If so, are you using SNAT automap or SNAT pools, or the F5 as a router?

    The answer to the above will tell you whether the oneconnect needs to be 0.0.0.0 or 255.255.255.255.

    oneconnect is also not suitable for every application... like SFTP and so on.

    http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7208.html

    I have also seen problems when using session limits on pool members; because of that it's best practice to disable CMP on that VS, and then the persistence will break, at least in some version I used before.

    /Beinhard
  • Thanks, Beinhard,

    I ended up opening a case with the support team and figured out that my problem was not related to SSL but related to how oneconnect manages the server side connections. The test that my developers were running always resulted in HTTP 404s being returned from the servers. I learned that 404s cause OneConnect to tear down the server side connection, and therefore each API call would result in a whole new client-server handshake. This explains why I would see API calls from the client bounce between the servers.

    Thanks for the info you provided. To note, my virtual server is configured with SNAT automap.

    Now I'm curious as to why F5 tears down the server side connection due to 404s. 404s do not indicate that the server is in an unhealthy state. I will post that as a separate question.