For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tidenz_92110's avatar
tidenz_92110
Icon for Nimbostratus rankNimbostratus
Dec 07, 2011

Oneconnect with telnet sessions

Hi all,

 

 

I am trying to get one connect working with a non http vip. doing a quick search the question was asked back in 2006 but none of the links to the more detailed posts are valid about using irules to force oneconnect reuse

 

 

i am trying to LB telnet sessions so that any client connection from a single source address will be forced to re-use the same server-side connection on the basis that the session has dropped client side due coverage.

 

 

i have setup a test vip with the default tcp timers and configured the default one connect profile.

 

 

so initial testing via my laptop with creating a telnet session then closing the session statefully then opening a new session i always see the f5 open a new connection to the server.

 

 

we are running 10.2.0 will the latest hotfixes.

 

 

anyone tried something similar?

 

 

config
design

2 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 08, 2011
    it is same as mine. i am running 10.2.3.

     

     

    sol7208 says irule may be required but there is still lack of document i.e. not well explanation, no example.

     

     

    Important: When using OneConnect to optimize HTTP traffic, you should apply an HTTP profile to the virtual server. This allows the BIG-IP system to efficiently manage connection re-use without additional configuration. The OneConnect profile may be used with any TCP protocol, but will only function when applied to virtual servers processing simple request/response protocols where transaction boundaries are explicitly obvious, such as those in which each request and each response is contained within a single packet. Applying a OneConnect profile to a non-HTTP virtual server processing more complex transactions, such as FTP or RTSP, may result in traffic disruption and session failure. Even for simple non-HTTP protocols, an iRule may be required to manage connection re-use.

     

     

     

    sol7208: Overview of the OneConnect profile

     

    http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7208.html

     

     

    the request Colin has submitted has been idle. :-(

     

     

    ID240825 - iRules Documentation (ONECONNECT) (Formerly CR 74322)
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Dec 11, 2011
    One more thought... Have you considered how you're going to authenticate the second (And subsequent) connections? Otherwise it's a bit of a security hole (The user closes down, thinks they've dropped the connection, along comes someone else, and bang... They have the previous users login :)

     

     

    It's a nightmare on terminal servers that don't authenticate with console sessions to servers that don't do sensible things on connection dropping...

     

     

    H