
Muhannad
Aug 19, 2025

OneConnect Profile with Cookie Persistence

Dear Experts,

I am working on a web service that has an F5 WAF at the edge with Automap SNAT and an LTM in the internal datacenter, so all the traffic coming from outside is source-NATted to the floating IP address of the external BIG-IP WAF. The pools of this external WAF are the virtual servers on the internal LTM.

 

The issue I am facing is related to session persistence. We are using cookie persistence with an anyconnect profile on the virtual server of the LTM, following the article below, to guarantee that persistence will work when we have SNAT on the external BIG-IP:

How OneConnect Profile works with Cookie Persistence | DevCentral

  

But I am still facing a load balancing issue where all the sessions are stuck on one pool member. Any ideas what should be done to resolve the issue?

 

Regards,

Muhannad

4 Replies

  • Hi Muhannad,

     

    I would suggest perhaps adjusting the max re-use value within the OneConnect profile as a first tweak, and monitoring backend LB. Are you able to use UIE Persistence or even SSL ID Persistence? Only try these changes in a non-prod environment.

  • The default vserver's Fallback persistence is usually Source address.

    Try to disable the Fallback persistence.

  • Hi Muhammad,

     

    Can you please share what your OneConnect profile source mask is?

     

    When using cookie persistence without OneConnect, the BIG-IP system makes a load balancing decision once per TCP connection, not per HTTP request. This means that if multiple HTTP requests are sent over the same TCP connection (due to Keep-Alive), they will all be routed to the same pool member—even if cookie persistence is configured. You can see the packet by packet detailed explanation in the article link that you have pasted.


    Can we talk more on the correct Configuration for Cookie Persistence with SNAT
    To ensure proper load balancing and persistence behavior:

    1. Enable OneConnect Profile:

    OneConnect changes the load balancing decision point from TCP connection to each HTTP request.
    This is crucial when SNAT is used, as all client traffic appears to come from the same IP (the SNAT IP), which would otherwise break persistence.


    2. Use Appropriate Source Mask:

    With SNAT Automap, use a OneConnect profile with a source mask of 0.0.0.0. This ensures that all requests are evaluated independently regardless of the source IP.

     

    3. Configure Cookie Insert Persistence:

    Use a cookie insert persistence profile with no timeout (session-based) to ensure the cookie is sent with every request.
    The cookie value encodes the pool member IP and port, allowing the BIG-IP to persist sessions correctly.

     

    Can you check on these 3?

  • Dear,

     

    Thanks for your response. I have left the OneConnect profile with its default configuration, but you mentioned in your response that I should use source mask 0.0.0.0. How do I change it? If I put 0 in the source prefix length, it returns to none when I update the configuration:

    For the third point, below are my configurations. Should I uncheck the expiration for the session cookie?

    Thanks in advance,

    Muhannad
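
One of the replies above notes that the inserted cookie value encodes the pool member IP and port. The following is an added troubleshooting example, not part of the thread and not F5 code: it decodes captured persistence cookies and tallies which member each new session was pinned to. It assumes the default unencrypted IPv4 cookie format and the default `BIGipServer<pool>` cookie name; the pool name `web_pool` and the sample headers are constructed.

```python
import re
import socket
import struct
from collections import Counter

# Assumed default unencrypted IPv4 format:
#   BIGipServer<pool>=<IP as little-endian decimal>.<port, byte-swapped decimal>.0000
COOKIE_RE = re.compile(
    r"BIGipServer(?P<pool>[^=;\s]+)=(?P<ip>\d+)\.(?P<port>\d+)\.0000")

def decode_member(ip_dec, port_dec):
    """Return 'a.b.c.d:port' for the two decimal fields of the cookie value."""
    if not (0 <= ip_dec <= 0xFFFFFFFF and 0 <= port_dec <= 0xFFFF):
        raise ValueError("field out of range for an IPv4 persistence cookie")
    ip = socket.inet_ntoa(struct.pack("<I", ip_dec))   # first octet is the low byte
    port = struct.unpack("<H", struct.pack(">H", port_dec))[0]  # swap the two bytes
    return f"{ip}:{port}"

def member_distribution(header_lines):
    """Count how many captured cookies point at each (pool, member)."""
    counts = Counter()
    for line in header_lines:
        m = COOKIE_RE.search(line)
        if m is None:
            continue  # no cookie, or an encrypted / non-IPv4 form not handled here
        try:
            member = decode_member(int(m["ip"]), int(m["port"]))
        except ValueError:
            continue
        counts[(m["pool"], member)] += 1
    return counts

# Constructed sample: Set-Cookie headers returned to four new client sessions
# (requests that carried no persistence cookie), plus one unrelated header.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerweb_pool=1694564618.36895.0000; path=/",
    "Set-Cookie: JSESSIONID=constructed-value; path=/",
]

if __name__ == "__main__":
    for (pool, member), n in member_distribution(SAMPLE_HEADERS).most_common():
        print(f"{pool}: {member} <- {n} new session(s)")
```

If every new session decodes to the same member, the initial load balancing decision is the problem rather than the cookie; if the cookies differ but traffic still lands on one member, look at how requests are being mapped to server-side connections.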