OneConnect + SSL

Question

Hi all -&nbsp;
&nbsp;Running LTM 10.2.0&nbsp;
&nbsp;I'm looking for some guidelines on using oneconnect with SSL Re-encryption. We are load balancing REST API calls to a pool of 4 servers. The API calls are extremely slow when the oneconnect profile is enabled on the virtual server.&nbsp;
&nbsp;Unfortunately I cannot get the developers to provide logs to help me isolate the issue, but it appears that the problem is related to either SSL or the API authentication piece.&nbsp;
&nbsp;I do see that with oneconnect disabled, the session stays persistent to one server. For example, the client connects to the API and makes 100 calls. All of those calls stay sticky to one server. With oneconnect enable, the API calls bounce around the 4 servers.&nbsp;
&nbsp;Any best practices for configuring HTTPS virtual servers with oneconnect?&nbsp;
&nbsp;Thanks in advance!&nbsp;

beinhard_8950 · Answer

Depends a little bit how your setup is. 
&nbsp;  
&nbsp; Do you using Snat? 
&nbsp; if so, do u using Snat automap or Snat pools or f5 as a router? 
&nbsp; the answer of above will give you if the oneconnect needs to be 0.0.0.0 or 255.255.255.255 
&nbsp;  
&nbsp; oneconnect is also not suitable for every application... Like SFTP and so on. 
&nbsp;  
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7208.html 
&nbsp;  
&nbsp; I have also seen problem when using session limit on pool members, because of that it´s best practice to disable cmp on that vs and then the percistency will break, at least in some version i used before. 
&nbsp;  
&nbsp; /Beinhard

mersin_108215 · Answer

Thanks, Beinhard, 
&nbsp;  
&nbsp; I ended up opening a case with the support team and figured out that my problem was not related to SSL but related to how oneconnect manages the server side connections. The test that my developers were running always resulted in HTTP 404s being returned from the servers. I learned that 404s cause OneConnect to tear down the server side side connection, and therefore each API call would result in a whole new client-server handshake. This explains why I would see API calls from the client bounce between the servers. 
&nbsp;  
&nbsp; Thanks for the info you provided. To note, my virtual server is configured with SNAT automap 
&nbsp;  
&nbsp; Now I'm curious as to why F5 tears down the server side connection due to 404s. 404s do not indicate that the server is in an unhealthy state. I will post that as a separate question.

Forum Discussion

OneConnect + SSL

2 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

F5 BigIP APM VPN some LDAP field are base64 encoded

Two Arm Deployment mode using PBR

Questions about F5 BIG-IP Multi-Datacenter Configuration

Load balancing NTP Servers

APM URL Branching tolower

Related Content

What is HTTP Part VII - OneConnect

Lightboard Lessons: OneConnect

SSL Orchestrator Service Extensions: User Coaching

How OneConnect Profile's max-size works

OneConnect? For my iRule?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS